How to select an Oracle schema-specific view from another schema - sql

Suppose I'm logged in as USERA, I want to access all the user_* views of the USERB schema, such as user_tables, user_tab_columns. How can I do this? Thanks

All the USER_* tables have analogues with the ALL_* and DBA_* prefix. USER_TABLES has information about all the tables you own. ALL_TABLES has information about all the tables you have access to. DBA_TABLES has information about all the tables in your database.
If you want to see information about UserB's tables
SELECT *
FROM all_tables
WHERE owner = 'USERB';
or
SELECT *
FROM dba_tables
WHERE owner = 'USERB';
The former will work if you have SELECT access on User B's tables. The latter will work if your DBA has given you access to the DBA_TABLES view. That is normally done by granting the SELECT ANY DICTIONARY privilege (or the SELECT_CATALOG_ROLE in prior versions), though the DBA can grant access to individual DBA_* views.

USER_% views give what you own, that is what's inside your schema.
ALL_% views give what you have access to.
So what you really should use is ALL_TABLES/etc, and grant appropriate access to USERB objects.

Assuming you have permissions, you could try:
ALTER SESSION SET CURRENT_SCHEMA=USERB;

Related

Checking if a user has the required permission in snowflake to create and write into a table

I was using node.js to work on a Snowflake data warehouse as a destination for users. I wanted to check if a user has the required permission level on the schema to create a table and write into it before adding the user to the database; otherwise it should give an error saying that the user does not have the appropriate permission level. How can I achieve that programmatically?
Thanks,
One way you could do this is to check if the role has SELECT privilege on the table by looking into the view TABLE_PRIVILEGES in the information_schema schema.
select * from information_schema.TABLE_PRIVILEGES where table_name = 'SALES_RAW'
Due to how permissions can be inherited through the role hierarchy, this isn't easy to do. Permissions aren't assigned to users in Snowflake, they are assigned to roles. You could use the table_privileges in the information schema (as Himanshu said). You'll need to ask your admin for privileges to the information_schema schema in the database:
You could probably use some combination of these too:
show grants to user [username]
with
show grants on schema [schema name]
The easiest way would be to have your app / script / service assume the same role as the user and see if you can select from a table in the schema or try to create a temporary table in the schema. If you receive an error code, the user doesn't have permissions!

Oracle - list privileges I have in my schema - commands

Is there any way for me to see which DDL privileges I have in my own schema? I'm looking for a SELECT-type sentence.
I mean, how do I know if I can create, drop, alter, &c.?
Modification - 2019/Oct/24th - I think it would be simpler to understand "How can I know if I have the CREATE ANY TRIGGER privilege?".
Thanks in advance.
You should automagically have select privileges on tables in your own schema - they belong to you. You can figure out if you can create, drop, or alter objects based on the roles that have been granted to you. You can use a query like SELECT * FROM USER_ROLE_PRIVS; or select dbms_metadata.get_granted_ddl('ROLE_GRANT', user) from dual; to get a list of the roles that have been granted to you, and based on that, you'll know what kind of privileges you have within the database.
For example, if you see that you've been granted the "Resource" role, you will be able to do things like create tables, procedures, triggers, etc.
You can use a query like select * from session_privs; to see EVERY privilege that you have, but that will include privileges for the entire database, including privileges that are associated with a role. To see privileges that aren't associated with a role, you could use a query like SELECT * FROM USER_SYS_PRIVS;
You can get it with a query on DBA_SYS_PRIVS, DBA_TAB_PRIVS, and DBA_ROLE_PRIVS to get information about user privileges on system, tables, and roles.
For example: SELECT * FROM DBA_SYS_PRIVS;

Getting Schemas from Oracle DB throwing error

This query
select distinct owner from dba_objects
is throwing this error
ORA-00942: table or view does not exist
Does that make any sense at all?
You have to use an administrative user (such as sys or system). If you do not have access to such a user, you could use the all_objects view instead of dba_objects. Any user can query it, and will get results only for the objects it has privileges to.
It does if you don't have select privs on the DBA_OBJECTS view or if you don't have a local or global synonym to the SYS.DBA_OBJECTS view. You could try selecting from SYS.DBA_OBJECTS instead.
As others state, this is a privileges issue.
However, if a user needs access to the more privileged DBA data dictionary objects you should grant them the SELECT_CATALOG_ROLE role. Connecting with SYS or SYSTEM, or even as a DBA, should be discouraged for normal operations.

PostgreSQL Views Query

I am new in writing queries. I need a list of views that every user can write queries to.
SELECT *
FROM Information_Schema.Views;
I tried that, but I guess it is a list of all views, but I need only those views that all users could write queries to.
The information about views is stored in information_schema.tables:
SELECT *
FROM Information_Schema.Tables
WHERE table_type = 'VIEW';
This will list each user's visible views (without the superusers).
SELECT
    usename,
    schemaname || '.' || viewname AS view
FROM
    pg_views,
    pg_user
WHERE
    -- quote_ident() keeps mixed-case or otherwise quoted names resolvable
    has_table_privilege(
        pg_user.usename,
        quote_ident(schemaname) || '.' || quote_ident(viewname),
        'select'
    )
    AND schemaname NOT IN ('pg_catalog', 'information_schema')
    AND usesuper = false;
As far as listing a view that is visible to all users ... Postgres has fine grained permissions so there is no easy flag to search for. You would have to match that each view would produce a row of every user. But you could create a group for your users and then query for that.
select * from pg_catalog.pg_views
where schemaname NOT IN ('pg_catalog', 'information_schema')
order by schemaname, viewname;
will show you the viewname and its owner
If you are going to use the information schema, you need to be aware how it works. Per documentation:
The view views contains all views defined in the current database.
Only those views are shown that the current user has access to (by way
of being the owner or having some privilege).
Bold emphasis mine. This also provides a handy way of solving your problem. Run your query with a plain, new, non-superuser role that wasn't granted membership in any other roles nor any direct privileges on any views (yet).
If you want to exclude system views add the WHERE clause:
SELECT *
FROM information_schema.views
WHERE table_schema NOT LIKE ALL ('{pg_%,information_schema}'::text[]);
You get only those views (and all of them), that public can access.
(Yes, use the query on information_schema.views you already had, no point in using information_schema.tables, like has been suggested.)
For more specific needs, I suggest you use the system catalogs instead. Actual privileges are stored in the system table pg_class in the column relacl. And the view pg_views lists all views, not just the ones the current role has privileges for.
Resolving actual privileges is not trivial. Use the dedicated "Access Privilege Inquiry Functions" like has_table_privilege() that #user17130 already suggested. Related answer:
How to check if a table exists in a given schema
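Added example, not part of the original answers: instead of logging in as a fresh role, the privilege inquiry functions can be asked directly about the PUBLIC pseudo-role, which is what "every user" reduces to in PostgreSQL. It reads pg_class rather than information_schema.views so the result does not depend on who runs it, and it passes OIDs so that unusual identifiers need no quoting.

```sql
-- Views and materialized views that any role can query without a further
-- grant: PUBLIC must hold USAGE on the schema and SELECT on the relation.
SELECT n.nspname                   AS view_schema,
       c.relname                   AS view_name,
       pg_get_userbyid(c.relowner) AS view_owner,
       c.relacl                    AS raw_acl   -- the ACL column mentioned above
FROM   pg_class c
JOIN   pg_namespace n ON n.oid = c.relnamespace
WHERE  c.relkind IN ('v', 'm')                  -- 'v' = view, 'm' = materialized view
AND    n.nspname <> 'information_schema'
AND    n.nspname !~ '^pg_'                      -- skip system schemas
AND    has_schema_privilege('public', n.oid, 'USAGE')
AND    has_table_privilege('public', c.oid, 'SELECT')
ORDER  BY view_schema, view_name;
```

Running the same query with a role name in place of 'public' gives that role's effective view, including privileges it inherits through membership.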

How to create a read-only user in PostgreSQL?

I want to create a read-only user in PostgreSQL.
The intention is to have a publicly accessible data explorer, where users can write custom SQL queries.
I do this to create the user:
CREATE USER MyReadOnlyUser WITH ENCRYPTED PASSWORD 'MY_WEAK_PASSWORD';
GRANT ALL PRIVILEGES ON DATABASE "MY_DB_NAME" to MyReadOnlyUser;
GRANT ALL ON SCHEMA public TO MyReadOnlyUser;
GRANT SELECT ON ALL TABLES IN SCHEMA public TO MyReadOnlyUser;
The intention is to give the user SELECT access to all tables, then revoke select access on the sensitive tables, and then the user can run custom queries with that db user, without any need for me to sanitize input.
Especially, he may not:
insert, delete, truncate, drop table, drop database, create table, create function/procedure, see/execute/create/drop stored procedure / functions. etc.
Sooo - now my question:
Why does this user have access to information_schema ?
It wasn't granted access to any views, and not to the schema information_schema either...
Why does this user have access to information_schema
I think select privilege is granted to PUBLIC by default on information_schema.
You should be able to do:
revoke all on all tables in schema information_schema from public;
You probably also need to revoke the select privilege on views/tables in the pg_catalog schema. But I'm not sure what this will break if e.g. psql or other client tools cannot access that information.
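Added example, not part of the original question or answer: a narrower setup for the same read-only explorer role, replacing the GRANT ALL statements with only the privileges that reading needs, followed by a check of what the role can actually do. The names my_db, explorer_ro and public.payment_cards are assumptions made for the illustration.

```sql
-- Assumed names (not from the post): database my_db, role explorer_ro,
-- sensitive table public.payment_cards. Run as the database owner or a superuser.

-- 1. Close defaults that every role inherits through PUBLIC.
--    These affect all roles, so re-grant to application roles that need them.
REVOKE CREATE    ON SCHEMA public   FROM PUBLIC;  -- held by default before PostgreSQL 15
REVOKE TEMPORARY ON DATABASE my_db  FROM PUBLIC;  -- no temporary tables
REVOKE EXECUTE   ON ALL FUNCTIONS IN SCHEMA public FROM PUBLIC;

-- 2. A login role with no attributes beyond LOGIN.
CREATE ROLE explorer_ro LOGIN PASSWORD 'replace-with-generated-secret'
    NOSUPERUSER NOCREATEDB NOCREATEROLE NOREPLICATION CONNECTION LIMIT 20;

-- 3. Grant only what reading requires, then carve out the sensitive table.
GRANT  CONNECT ON DATABASE my_db TO explorer_ro;
GRANT  USAGE   ON SCHEMA public  TO explorer_ro;
GRANT  SELECT  ON ALL TABLES IN SCHEMA public TO explorer_ro;
REVOKE SELECT  ON public.payment_cards FROM explorer_ro;

-- 4. Guard rails for ad-hoc queries. The role can change these with SET,
--    so they limit accidents and runaway queries; the grants above are
--    the actual boundary.
ALTER ROLE explorer_ro SET default_transaction_read_only = on;
ALTER ROLE explorer_ro SET statement_timeout = '5s';

-- 5. Report the role's effective privileges, including anything it still
--    receives through PUBLIC.
SELECT has_database_privilege('explorer_ro', 'my_db', 'CONNECT')    AS can_connect,
       has_database_privilege('explorer_ro', 'my_db', 'CREATE')     AS can_create_schema,
       has_database_privilege('explorer_ro', 'my_db', 'TEMPORARY')  AS can_create_temp,
       has_schema_privilege('explorer_ro', 'public', 'CREATE')      AS can_create_in_public,
       has_table_privilege('explorer_ro', 'public.payment_cards',
                           'SELECT')                                AS can_read_sensitive,
       has_table_privilege('explorer_ro', 'public.payment_cards',
                           'INSERT, UPDATE, DELETE, TRUNCATE')      AS can_write_sensitive;
```

GRANT SELECT ON ALL TABLES covers only tables and views that exist when it runs, so tables created later stay unreadable to the role until granted.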