I've just imported an ORACLE database into an instance of Oracle 10 XE running on a Linux system.
The database has tables split across a number of tablespaces, and the sys user is able to access all the tables without problem.
I've created a new user (fred) and I'm unable to access any of the tables whilst logged on as this user. I've set the user's default tablespace in an attempt to be able to access the tables whilst logged on as fred.
alter user fred default tablespace t1;
When I then connect as fred and attempt to look at a table in tablespace t1, I receive the following error:
describe table1;
ERROR:
ORA-04043: object table1 does not exist
How can I configure the user fred, so that he can easily access all the tables in the various tablespaces (t1, t2, t3... t6), like the user sys currently can?
I've never really dabbled with oracle in the past, but have used MS SQL quite extensively.
In Oracle the concept of schemas and users is different than that of other DBMS. In order to get table access for user fred, you will need to create synonyms of those table and sys user needs to issue grants (eg select, update e.t.c) on those tables.
Some useful links.
Managing User Privileges and Roles
GRANT
Oracle/PLSQL: Grant/Revoke Privileges
Related
I am trying to automate creating databases and users in Postgres.
Currently, after I create the databases and users for each database, all users seem to have admin access and can do and see anything, including other databases.
Here is the SQL I'm running:
CREATE DATABASE MY_DB WITH ENCODING 'UTF8';
CREATE USER MY_DB_ADMIN WITH ENCRYPTED PASSWORD 'SUPER_SECRET_PASSWORD';
GRANT ALL PRIVILEGES ON DATABASE MY_DB TO MY_DB_ADMIN;
I'm relatively new to Postgres, so not sure if this is a Postgres nuance thing or SQL in general.
Thanks in advance
Update 1
By "do anything", I mean, I am able to perform selects, create tables etc in other databases.
I have now tried this:
REVOKE ALL ON DATABASE MY_DB FROM MY_DB_ADMIN;
GRANT CREATE, CONNECT, TEMPORARY ON DATABASE MY_DB TO MY_DB_ADMIN;
But this still doesn't work.
User DB_ONE_ADMIN is able to create tables in DB_TWO
GRANT ALL PRIVILEGES ON DATABASE MY_DB TO MY_DB_ADMIN;
The problem is with the last line here, you are granting all privileges on database MY_DB to MY_DB_ADMIN. You need to decide on the access levels for different users if this is something you don't want.
If restriction needs to be applied and current privilege needs to be revoked then use REVOKE command
I'm using the Oracle Database EX 11.2.0.2.0 and I hava a quite simple database created there.
Now the issue is i would like to have multiple users with different privileges set up. I have found that topic: How to create a user in Oracle 11g and grant permissions
but I cannot find anywhere the basic thing about users accounts:
what are the difference between creating system-leveled and particular database-leveled user?
I've logged in sqlplus as SYSTEM and executed the following commands:
CREATE USER TEST IDENTIFIED BY password;
GRANT CONNECT TO TEST;
and now the problem is that my databse is actually called let's say BASE with one table called PAYMENTS and to give any privileges to a newly created user I cannot execute:
GRANT SELECT ON PAYMENTS TO TEST;
but I have to type in:
GRANT SELECT ON BASE.PAYMENTS TO TEST;
so I suppose I missed something. Is it any way of connecting the created user to a particular database? So that the newly created user will be visible as a database user in Oracle APEX?
When referencing objects in other schemas, you must provide the schema name. An other user might have a table with the same name. Currently you are logged in with the system user, which is not advisable. When creating objects in the BASE schema (another name for user in de Oracle DB), why not give the user some extra rights (like granting privileges)?
The core of your problem is that you want to grant privileges to user A on object owned by B, logged in as user C. You have to be very specific in that case to Oracle what privileges are granted to whom ;)
Users and schemas are synonymous in Oracle - basically. A schema is the collection of objects owned by a user.
To get what you want, you would need to create users lacking the privs to create anything and only have the ability to select from the objects of others.
I'm moving from MySQL to PostgreSQL and have hit a wall with user privileges. I am used to assigning a user all privileges to all tables of a database with the following command:
# MySQL
grant all privileges on mydatabase.* to 'myuser'#'localhost' identified by 'mypassword';
It appears to me that the PostgreSQL 9.x solution involves assigning privileges to a "schema", but the effort required of me to figure out exactly what SQL to issue is proving excessive. I know that a few more hours of research will yield an answer, but I think everyone moving from MySQL to PostgreSQL could benefit from having at least one page on the web that provides a simple and complete recipe. This is the only command I have ever needed to issue for users. I'd rather not have to issue a command for every new table.
I don't know what scenarios have to be handled differently in PostgreSQL, so I'll list some of the scenarios that I have typically had to handle in the past. Assume that we only mean to modify privileges to a single database that has already been created.
(1a) Not all of the tables have been created yet, or (1b) the tables have already been created.
(2a) The user has not yet been created, or (2b) the user has already been created.
(3a) Privileges have not yet been assigned to the user, or (3b) privileges were previously assigned to the user.
(4a) The user only needs to insert, update, select, and delete rows, or (4b) the user also needs to be able to create and delete tables.
I have seen answers that grant all privileges to all databases, but that's not what I want here. Please, I am looking for a simple recipe, although I wouldn't mind an explanation as well.
I don't want to grant rights to all users and all databases, as seems to be the conventional shortcut, because that approach compromises all databases when any one user is compromised. I host multiple database clients and assign each client a different login.
It looks like I also need the USAGE privilege to get the increasing values of a serial column, but I have to grant it on some sort of sequence. My problem got more complex.
Basic concept in Postgres
Roles are global objects that can access all databases in a db cluster - given the required privileges.
A cluster holds many databases, which hold many schemas. Schemas (even with the same name) in different DBs are unrelated. Granting privileges for a schema only applies to this particular schema in the current DB (the current DB at the time of granting).
Every database starts with a schema public by default. That's a convention, and many settings start with it. Other than that, the schema public is just a schema like any other.
Coming from MySQL, you may want to start with a single schema public, effectively ignoring the schema layer completely. I am using dozens of schema per database regularly.
Schemas are a bit (but not completely) like directories in the file system.
Once you make use of multiple schemas, be sure to understand search_path setting:
How does the search_path influence identifier resolution and the "current schema"
Default privileges
Per documentation on GRANT:
PostgreSQL grants default privileges on some types of objects to
PUBLIC. No privileges are granted to PUBLIC by default on tables,
columns, schemas or tablespaces. For other types, the default
privileges granted to PUBLIC are as follows: CONNECT and CREATE TEMP TABLE
for databases; EXECUTE privilege for functions; and USAGE privilege for languages.
All of these defaults can be changed with ALTER DEFAULT PRIVILEGES:
Grant all on a specific schema in the db to a group role in PostgreSQL
Group role
Like #Craig commented, it's best to GRANT privileges to a group role and then make a specific user member of that role (GRANT the group role to the user role). This way it is simpler to deal out and revoke bundles of privileges needed for certain tasks.
A group role is just another role without login. Add a login to transform it into a user role. More:
Why did PostgreSQL merge users and groups into roles?
Predefined roles
Update: Postgres 14 or later adds the new predefined roles (formally "default roles") pg_read_all_data and pg_write_all_data to simplify some of the below. See:
Grant access to all tables of a database
Recipe
Say, we have a new database mydb, a group mygrp, and a user myusr ...
While connected to the database in question as superuser (postgres for instance):
REVOKE ALL ON DATABASE mydb FROM public; -- shut out the general public
GRANT CONNECT ON DATABASE mydb TO mygrp; -- since we revoked from public
GRANT USAGE ON SCHEMA public TO mygrp;
To assign "a user all privileges to all tables" like you wrote (I might be more restrictive):
GRANT ALL ON ALL TABLES IN SCHEMA public TO mygrp;
GRANT ALL ON ALL SEQUENCES IN SCHEMA public TO mygrp; -- don't forget those
To set default privileges for future objects, run for every role that creates objects in this schema:
ALTER DEFAULT PRIVILEGES FOR ROLE myusr IN SCHEMA public
GRANT ALL ON TABLES TO mygrp;
ALTER DEFAULT PRIVILEGES FOR ROLE myusr IN SCHEMA public
GRANT ALL ON SEQUENCES TO mygrp;
-- more roles?
Now, grant the group to the user:
GRANT mygrp TO myusr;
Related answer:
PostgreSQL - DB user should only be allowed to call functions
Alternative (non-standard) setting
Coming from MySQL, and since you want to keep privileges on databases separated, you might like this non-standard setting db_user_namespace. Per documentation:
This parameter enables per-database user names. It is off by default.
Read the manual carefully. I don't use this setting. It does not void the above.
Maybe you could give me an example that grants a specific user
select/insert/update/delete on all tables -- those existing and not
yet created -- of a specific database?
What you call a database in MySQL more closely resembles a PostgreSQL schema than a PostgreSQL database.
Connect to database "test" as a superuser. Here that's
$ psql -U postgres test
Change the default privileges for the existing user "tester".
ALTER DEFAULT PRIVILEGES IN SCHEMA public
GRANT INSERT, SELECT, UPDATE, DELETE ON TABLES
TO tester;
Changing default privileges has no effect on existing tables. That's by design. For existing tables, use standard GRANT and REVOKE syntax.
You can't assign privileges for a user that doesn't exist.
You can forget about the schema if you only use PUBLIC.
Then you do something like this: (see doc here)
GRANT { { SELECT | INSERT | UPDATE | DELETE | TRUNCATE | REFERENCES | TRIGGER }
[, ...] | ALL [ PRIVILEGES ] }
ON { [ TABLE ] table_name [, ...]
| ALL TABLES IN SCHEMA schema_name [, ...] }
TO { [ GROUP ] role_name | PUBLIC } [, ...] [ WITH GRANT OPTION ]
I don't want to grant rights to all users and all databases, as seems to be the conventional shortcut, because that approach compromises all databases when any one user is compromised. I host multiple database clients and assign each client a different login.
OK. When you assign tables to the correct role, the privileges granted will be role-specific and not to all users! Then you can decide who to give roles to.
Create a role for each database. A role can hold many users.
Then assign a client-username to the correct role.
Also assign your-username to each role if needed.
(1a) Not all of the tables have been created yet, or (1b) the tables have already been created.
OK. You can create tables later.
When you are ready, assign tables to the correct client role.
CREATE TABLE tablename();
CREATE ROLE rolename;
ALTER TABLE tablename OWNER TO rolename;
(2a) The user has not yet been created, or (2b) the user has already been created.
OK. Create usernames when you are ready. If your client needs more than one username simply create a second client-username.
CREATE USER username1;
CREATE USER username2;
(3a) Privileges have not yet been assigned to the user, or (3b) privileges were previously assigned to the user.
OK. When you are ready to give privileges, create the user and assign the correct role to her.
Use GRANT-TO command to assign roles to users.
GRANT rolename TO username1;
GRANT rolename TO username2;
(4a) The user only needs to insert, update, select, and delete rows, or (4b) the user also needs to be able to create and delete tables.
OK. You run these commands to add permissions to your users.
GRANT SELECT, UPDATE, INSERT, DELETE ON dbname TO role-or-user-name;
ALTER USER username1 CREATEDB;
Is it possible to hide the existence of and access to databases (incl. their schemas, tables etc) from certain users within Amazon Redshift.
By default, it seems like every user is able to see other DBs even though he doesnt have permission to select data nor any other (non-default) privileges.
I tried
REVOKE ALL PRIVILEGES ON DATABASE testdb FROM testdbuser;
and similar but still testdbuser can connect to the testdb DB and even see all other objects in his object browser in a SQL tool (here: Aginity Redshift Workbench).
Ideally, testdbuser would not be able to see anything else except what he got explicitly granted access to.
Note, testdbuser is not a superuser.
Thanks!
Try to revoke from the PUBLIC group vs the specific user
REVOKE USAGE ON SCHEMA information_schema FROM PUBLIC;
REVOKE USAGE ON SCHEMA pg_catalog FROM PUBLIC; -- This should suffice, but...
REVOKE SELECT ON TABLE pg_catalog.pg_database FROM PUBLIC; -- just to be sure.
Note that this could have an undesirable effect on all users within the selected database.
You will need to do this on all databases, since the user can guess another database name and see pg_catalog information there.
The user could still find all the databases via a brute force attack simply by trying to switch or connect to all possible strings.
Unfortunately it is not possible today. Redshift does not support the REVOKE CONNECT FROM DATABASE command, so users can connect to any database.
Because Redshift is built on PostgreSQL, once connected, users can read a list of all databases in the cluster from the system tables, and by connecting to each database can read the list of schemas, tables, and even table columns from the system tables, even if they are prevented from reading the data within those tables through the use of REVOKE ... FROM SCHEMA or REVOKE ... FROM TABLE.
Is it possible to restrict user access to a postgresql database by specifying a database, rather than a table?
I understand that the line:
GRANT ALL ON tableName TO joeuser
enables this user to access this table and do anything they want. However I want to allow a user access to the database databaseName that contains tableName (and all tables within databaseName), but not all databases on my postgresql server.
Not really, no. Granting privileges to a database:
GRANT ALL ON DATABASE databaseName TO joeuser;
does not automatically grant privileges on objects in the database; and granting privileges on every object that's currently in the database won't automatically grant privileges on any future objects that might be created.
It's not clear exactly what you want. It might be that you're trying to find a single SQL statement that handles all your privileges now and forever more. SQL privileges generally don't work that way.
Depending on the version, you can control connection to the database in two ways.
By editing pg_hba.conf. (Probably not suitable in your case.)
By a GRANT (or REVOKE) CONNECT ON DATABASE... statement. (Since version 8.2.)
You can change the default privileges for tables, views, sequences, and functions. (Version 9.0+)
ALTER DEFAULT PRIVILEGES is a PostgreSQL extension to SQL.