The scenario
CREATE SCHEMA testschema;
CREATE ROLE testrole LOGIN;
GRANT ALL ON SCHEMA testschema TO testrole;
ALTER ROLE testrole SET search_path = testschema;
Now if I initiate the connection (log in) as testrole then:
SHOW search_path;
Gives the desired result:
search_path
-------------
testschema
(1 row)
However, if I initiate connection (log in) as a superuser and do:
SET SESSION AUTHORIZATION testrole;
SHOW search_path;
Results in:
search_path
----------------
"$user",public
(1 row)
(or whatever the search path of the superuser is)
My question is, why does SET SESSION AUTHORIZATION not affect the current search_path?
Is it a bug, by design, or am I simply doing it wrong?
From the little I've found, the workaround of SET search_path = schemaname after SET SESSION AUTHORIZATION seems to be the only solution, but that kind of defeats the purpose of having persistent search paths assigned to roles.
This is by design. I quote the manual on ALTER ROLE
This only happens at login time; executing SET ROLE or SET SESSION
AUTHORIZATION does not cause new configuration values to be set.
Related
I have an application schema U32_C5 and another schema MIG_SRC which has some tables, and then we have a role RO_ROLE to which some tables from schema U32_C5 are granted.
RO_ROLE is assigned to another schema, MRGO_RO, which is read only.
Here I need to grant SELECT on tables from MIG_SRC to MRGO_RO. The catch is that the process from which I can run these grants runs from the application schema U32_C5 in production, so when I tried something like the following it says table or view does not exist (which seems to be obvious):
execute the grant from U32_C5
grant select on MIG_SRC.MOBILE_CELLPHONE_PAIRINGS to MRGO_RO;
Another way I thought of is creating a DB link in MRGO_RO for the MIG_SRC schema, but that enables read/write operations as well on MIG_SRC tables, which is not allowed in production.
A DB link is present in the U32_C5 schema for the MIG_SRC schema.
So I am looking for a way to accomplish the above task without creating a DB link; any suggestion is welcome.
Sample script of the requirement I want to achieve. Please remember I cannot and do not want to log in to MIG_SRC; the only way I am looking for is to do it from U32_C5 and without DBA help.
/* RO role created by the DBAs */
create role RO_ROLE;
/* Create application schema, a table inside it, and grant select on it to RO_ROLE
   (run as a DBA; DEFAULT TABLESPACE needs a tablespace name, so it is left out here) */
CREATE USER U32_C5 IDENTIFIED BY U32_C5;
GRANT ALTER SESSION TO U32_C5;
GRANT CREATE SESSION TO U32_C5;
GRANT CREATE database link TO U32_C5;
GRANT CREATE table TO U32_C5;
create table U32_C5.U32_C5_test_tab (id number);
grant select on U32_C5.U32_C5_test_tab to RO_ROLE;
/* Create read-only schema, grant RO_ROLE to it */
CREATE USER mrgo_ro IDENTIFIED BY mrgo_ro;
GRANT ALTER SESSION TO mrgo_ro;
GRANT CREATE SESSION TO mrgo_ro;
grant ro_role to mrgo_ro;
/* Create SRC schema, table inside it */
CREATE USER MIG_SRC IDENTIFIED BY MIG_SRC;
GRANT ALTER SESSION TO MIG_SRC;
GRANT CREATE SESSION TO MIG_SRC;
GRANT CREATE database link TO MIG_SRC;
GRANT CREATE table TO MIG_SRC;
create table MIG_SRC.mig_src_test_tab (id number);
/* login to application schema U32_C5 */
sqlplus U32_C5/U32_C5@SID
grant select on mig_src.mig_src_test_tab to mrgo_ro; -- for me it gives an error here at this step: table or view does not exist
/* login to read-only schema mrgo_ro */
sqlplus mrgo_ro/mrgo_ro@SID
select * from mig_src.mig_src_test_tab;
or
select * from mig_src_test_tab;
If I understood you correctly, then WITH GRANT OPTION is what you're missing.
Once someone (A) grants privileges on their own objects to someone else (B), and that (B) has to "forward" those privileges to (C), then it is the WITH GRANT OPTION that helps.
Documentation says:
Specify WITH GRANT OPTION to enable the grantee to grant the object privileges to other users and roles.
Restriction on Granting WITH GRANT OPTION You can specify WITH GRANT OPTION only when granting to a user or to PUBLIC, not when granting to a role.
It means that you should grant privileges directly, not via a role. That fact doesn't have to be a drawback because of named PL/SQL procedures, where privileges acquired via roles won't work anyway, so you might end up with direct grants in any case.
Other option - which you might consider - is related to what you said:
when I tried to to something like below it says table or view does not exists
If you created a synonym for those tables, then you wouldn't get such an error.
Database link isn't an option, as you said - by using it, you have full access (as you have to know username/password to create the DB link, and that isn't really read only access).
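The grant chain the answer describes, as an added example that is not part of the original question or answer. Schema and table names are those of the sample script above; each step is run as the user named in its comment. It also shows the dictionary view to check what U32_C5 is actually allowed to forward, and the revoke cascade a practitioner should expect from WITH GRANT OPTION.

```sql
-- Added example (not from the original post): forwarding SELECT on a
-- MIG_SRC table to MRGO_RO through U32_C5 without logging in as MIG_SRC.

-- 1. As MIG_SRC (the owner), or as a DBA holding GRANT ANY OBJECT PRIVILEGE,
--    who can issue this on the owner's behalf. Done once.
GRANT SELECT ON mig_src.mig_src_test_tab TO u32_c5 WITH GRANT OPTION;

-- 2. As U32_C5: the forwarded grant now succeeds. It must target the user
--    directly; WITH GRANT OPTION cannot be given to a role, so RO_ROLE
--    cannot carry a grantable privilege.
GRANT SELECT ON mig_src.mig_src_test_tab TO mrgo_ro;

-- Check what U32_C5 can forward: only rows with GRANTABLE = 'YES'.
SELECT owner, table_name, privilege, grantable
  FROM user_tab_privs
 WHERE owner = 'MIG_SRC';

-- 3. Optional, as MRGO_RO: a private synonym so the unqualified name
--    resolves (needs the CREATE SYNONYM system privilege, which the
--    sample script does not grant).
CREATE SYNONYM mig_src_test_tab FOR mig_src.mig_src_test_tab;
SELECT * FROM mig_src_test_tab;

-- Caveat: if MIG_SRC later runs
--   REVOKE SELECT ON mig_src.mig_src_test_tab FROM u32_c5;
-- the revoke cascades and MRGO_RO loses the forwarded SELECT as well.
```

Because U32_C5 can now re-grant that SELECT to any user, the grantable privilege should be limited to the specific tables that must be forwarded rather than given table by table across the whole MIG_SRC schema.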
I've created what I think is a very standard user with access to a single role that can query a single table:
create user new_user;
alter user new_user set password = 'some_pw';
create role new_role;
alter user new_user set default_warehouse = 'compute_wh';
alter user new_user set default_role = 'new_role';
grant role new_role to user new_user;
grant usage on warehouse compute_wh to role new_role;
grant usage on schema my_schema to new_role;
grant usage on database my_db to role new_role;
grant select on my_db.my_schema.my_table to role new_role;
GRANT OPERATE ON WAREHOUSE COMPUTE_WH TO ROLE new_role;
However, when I set this user up in a SQL client (like DBeaver), I can't run any queries:
USE WAREHOUSE COMPUTE_WH; -- fails even here
USE DATABASE my_db;
SELECT * FROM my_db.my_schema.my_table;
SQL Error [2043] [02000]: SQL compilation error: Object does not exist, or operation cannot be performed.
What extra permissions could I be missing?
USE WAREHOUSE COMPUTE_WH; -- fails even here
If the user has access to the warehouse but cannot use it, it may indicate it is suspended. I would add the OPERATE privilege:
GRANT OPERATE ON WAREHOUSE COMPUTE_WH TO ROLE NEW_ROLE;
and check if auto-resume is on or explicitly start warehouse:
ALTER WAREHOUSE IF EXISTS COMPUTE_WH RESUME IF SUSPENDED;
USE WAREHOUSE COMPUTE_WH;
EDIT:
To check current role the following code could be used:
SELECT CURRENT_ROLE();
If the role is different than anticipated, it could be changed with:
USE ROLE NEW_ROLE;
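The minimal grant set for this read-only role together with the checks to run when USE WAREHOUSE or the SELECT fails, as an added example that is not part of the original question or answer. Object names are the ones in the question; the schema grant is written fully qualified because the unqualified form in the question depends on whichever database was current in the admin session that issued it.

```sql
-- Added example (not from the original post): least-privilege read-only
-- role in Snowflake, plus the diagnostics for "Object does not exist".
USE ROLE SECURITYADMIN;                     -- any role allowed to grant these
CREATE ROLE IF NOT EXISTS new_role;
GRANT USAGE   ON WAREHOUSE compute_wh              TO ROLE new_role;
GRANT OPERATE ON WAREHOUSE compute_wh              TO ROLE new_role;  -- resume a suspended warehouse
GRANT USAGE   ON DATABASE  my_db                   TO ROLE new_role;
GRANT USAGE   ON SCHEMA    my_db.my_schema         TO ROLE new_role;  -- qualified: no dependence on current DB
GRANT SELECT  ON TABLE     my_db.my_schema.my_table TO ROLE new_role;
GRANT ROLE new_role TO USER new_user;
ALTER USER new_user SET DEFAULT_ROLE = new_role, DEFAULT_WAREHOUSE = compute_wh;

-- Checks, run as new_user in the client that fails:
SELECT CURRENT_ROLE(), CURRENT_WAREHOUSE();  -- a client connection profile can override both defaults
USE ROLE new_role;                           -- if CURRENT_ROLE() was PUBLIC or something else
SHOW GRANTS TO ROLE new_role;                -- every privilege this session can use
SHOW WAREHOUSES LIKE 'COMPUTE_WH';           -- "state" column: STARTED vs SUSPENDED; "auto_resume" column
ALTER WAREHOUSE compute_wh RESUME IF SUSPENDED;   -- needs OPERATE when auto_resume is false
USE WAREHOUSE compute_wh;
SELECT COUNT(*) FROM my_db.my_schema.my_table;
```

The same "Object does not exist" error is returned for a missing object and for an object the active role has no privilege on, so SHOW GRANTS TO ROLE is the first thing to compare against the failing statement.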
In Apache Hive, I set the owner of a database to a role.
Users have been assigned this role.
The users cannot create tables in this database.
Error is:
Principal (name=xx, type=USER) does not have following privileges for operation CREATETABLE on object type database
How can I allow more than one user to have create table (as well as all other privileges) on a database?
A mistake was made during the definition of the owner.
The command should have been:
alter database mydb set owner role myrole
Instead of
alter database mydb set owner user myrole
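The corrected owner assignment with the checks that confirm it took effect, as an added example that is not part of the original answer. Database, role and user names are the question's; the table name is assumed.

```sql
-- Added example (not from the original post): make a role the owner of a
-- Hive database and verify it under SQL standard authorization.
ALTER DATABASE mydb SET OWNER ROLE myrole;

-- Owner and owner type of the database (look for myrole / ROLE)
DESCRIBE DATABASE EXTENDED mydb;

-- Which roles the affected user holds, and which are active in this session
SHOW ROLE GRANT USER xx;
SHOW CURRENT ROLES;
SET ROLE myrole;            -- activate it if it is not listed as current

-- Now succeeds for any user holding myrole
CREATE TABLE mydb.t_example (id INT);
```

Privileges that flow from ownership follow the role, so adding or removing a user from myrole is the only change needed later; no per-user grants on the database are required.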
create schema bla;
-- then create table table_name into this schema
Then I want to change the default schema for the user (the user is postgres).
I do: ALTER ROLE postgres SET search_path TO bla; (Query returned successfully with no result).
When I try SELECT * FROM table_name it gives the error relation "table_name" does not exist
Though SELECT * FROM bla.table_name works fine.
What is wrong with my attempt to change the default schema for the user?
I think you need to log in again for that. With ALTER USER ... SET you change
Session defaults for run-time configuration variables
Also from ALTER ROLE SET manual:
Role-specific variable settings take effect only at login;
But it doesn't apply changes to the current session. If you want an immediate change use:
SET search_path TO bla;
It will change the path at session level.
In Postgres the exact command would be
ALTER USER your_user SET search_path = schema_name;
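A script that reproduces the behaviour described in both PostgreSQL threads above, as an added example that is not part of any of the original posts. It uses the names from the first question (testschema, testrole) and shows where the per-role setting is stored, why SET SESSION AUTHORIZATION does not pick it up, and the explicit SET a practitioner should issue before testing object resolution as an impersonated role.

```sql
-- Added example (not from the original posts). Run as a superuser in psql.
CREATE SCHEMA testschema;
CREATE ROLE testrole LOGIN;
GRANT USAGE ON SCHEMA testschema TO testrole;   -- USAGE is enough to resolve names; the question used ALL
ALTER ROLE testrole SET search_path = testschema;

-- ALTER ROLE ... SET only stores the value; it is applied at login.
SELECT r.rolname, s.setconfig
  FROM pg_db_role_setting s
  JOIN pg_roles r ON r.oid = s.setrole
 WHERE r.rolname = 'testrole';
-- testrole | {search_path=testschema}

-- Impersonation keeps the superuser's session value:
SET SESSION AUTHORIZATION testrole;
SHOW search_path;                 -- still "$user", public (whatever the superuser had)

-- Without this, an unqualified name resolves against public, not against
-- what testrole would see after a real login, so permission tests lie:
SET search_path = testschema;
SHOW search_path;                 -- testschema

RESET SESSION AUTHORIZATION;
RESET search_path;

-- Same mechanism as the second question: after
--   ALTER ROLE postgres SET search_path TO bla;
-- only new connections see bla; an open session needs SET search_path TO bla.
```

SET ROLE behaves the same way as SET SESSION AUTHORIZATION here, so any test harness that switches roles inside one connection should apply the target role's search_path explicitly rather than rely on the stored default.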
This question already has answers here:
How do I turn off Oracle password expiration?
(6 answers)
Closed 9 years ago.
There is a construct
ALTER USER scott PASSWORD EXPIRE
But how can I similarly set the password to an unexpired state?
The following statement causes a user's password to expire:
ALTER USER user PASSWORD EXPIRE;
If you cause a database user's password to expire with PASSWORD EXPIRE, then the user (or the DBA) must change the password before attempting to log in to the database following the expiration. Tools such as SQL*Plus allow the user to change the password on the first attempted login following the expiration.
ALTER USER scott IDENTIFIED BY password;
will set/reset the user's password.
See the ALTER USER doc for more info.
If you create a user using a profile like this:
CREATE PROFILE my_profile LIMIT
PASSWORD_LIFE_TIME 30;
ALTER USER scott PROFILE my_profile;
then you can change the password lifetime like this:
ALTER PROFILE my_profile LIMIT
PASSWORD_LIFE_TIME UNLIMITED;
I hope that helps.
While applying the new profile to the user, you should also check that resource limits are turned on for the database as a whole, i.e. RESOURCE_LIMIT = TRUE.
Let's check the parameter value.
If it is:
SQL> show parameter resource_limit
NAME TYPE VALUE
------------------------------------ ----------- ---------
resource_limit boolean FALSE
it means the resource limit is off; we first have to enable it.
Use the ALTER SYSTEM statement to turn on resource limits.
SQL> ALTER SYSTEM SET RESOURCE_LIMIT = TRUE;
System altered.
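A dedicated profile for the account, the password reset that clears the EXPIRED state, and the dictionary queries that show whether the change worked, as an added example that is not part of the original answers. The profile name svc_profile and the new password are assumed. Putting PASSWORD_LIFE_TIME UNLIMITED in its own profile keeps the relaxation to the accounts that need it instead of weakening DEFAULT for every user. RESOURCE_LIMIT governs the resource limits in a profile (SESSIONS_PER_USER, CPU_PER_SESSION and the like); the password limits, PASSWORD_LIFE_TIME included, are enforced regardless of it.

```sql
-- Added example (not from the original answers). Run as a DBA.
CREATE PROFILE svc_profile LIMIT
  PASSWORD_LIFE_TIME    UNLIMITED     -- no expiry for accounts on this profile only
  FAILED_LOGIN_ATTEMPTS 10            -- keep lockout on brute force
  PASSWORD_LOCK_TIME    1/24;         -- lock for one hour after that
ALTER USER scott PROFILE svc_profile;

-- An already EXPIRED password stays expired until it is changed:
ALTER USER scott IDENTIFIED BY "NewStr0ngPassw0rd#";   -- assumed value

-- Verify: ACCOUNT_STATUS should read OPEN; EXPIRY_DATE is NULL when the
-- profile's PASSWORD_LIFE_TIME is UNLIMITED
SELECT username, account_status, expiry_date, profile
  FROM dba_users
 WHERE username = 'SCOTT';

-- The password limits the profile actually imposes
SELECT resource_name, limit
  FROM dba_profiles
 WHERE profile = 'SVC_PROFILE'
   AND resource_type = 'PASSWORD';
```

If ACCOUNT_STATUS still reads EXPIRED or EXPIRED(GRACE) after the profile change, the password itself has to be reset; changing the profile alone never unexpires an account.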