I want to execute a CREATE USER statement, but only when the user doesn't already exist.
What would be the best way of doing this?
If you're creating a user, you need to create a grant too. The grant implicitly creates a user if it doesn't exist (which is why you are encouraged to include the password when creating a grant, just in case they don't exist). see http://dev.mysql.com/doc/refman/5.1/en/grant.html
So an option is to just create the grant (with the password) and the user is implicitly created.
E.g:
GRANT ALL PRIVILEGES ON db_name.*
TO 'user'#'%' IDENTIFIED BY 'password'
WITH GRANT OPTION;
You can select from the "user" table on the default mysql database. Like this:
select *
from user
where User = 'username'
If no results are returned, create a new user.
Related
I created a user and granted him all permissions, i used: GRANT ALL PRIVILEGES TO user1;
but then i tried to select rows from a table that i created with the admin user like this:
select * from sys.table it gives me an error message table or view doesn't exist
then i did: Grant select on table to user1 and it worked.
so does all privileges not include select?
As is often the case, Oracle uses words "approximately".
In this case, ALL doesn't mean "all". From the documentation:
ALL PRIVILEGES
Specify ALL PRIVILEGES to grant all of the system privileges listed in
Table 18-1, except the SELECT ANY DICTIONARY, ALTER DATABASE LINK, and
ALTER PUBLIC DATABASE LINK privileges.
https://docs.oracle.com/en/database/oracle/oracle-database/12.2/sqlrf/GRANT.html#GUID-20B4E2C0-A7F8-4BC8-A5E8-BE61BDC41AC3
Notice the "except" part. "All" should mean "all", that is, "no exception"; yet........
Relevant to your question: ALL PRIVILEGES does not include SELECT ANY DICTIONARY. Most likely, whatever table or view you were trying to select from is a dictionary table (or view); which explains why granting ALL PRIVILEGES didn't work, but granting access directly on the table/view did.
If you want to grant access to all dictionary objects, you can grant SELECT ANY DICTIONARY to the user.
After you are done playing with these explicit grants, you may want to consider granting system roles to the users who need them (and only to those users), instead of hunting down all such exceptions.
Using PostgreSQL and would like to have only admins have the ability to create new users. While allowing some non-admin users read-write access to our tables.
I cannot find a way to get this done. I have a role called webuser to which I gave:
GRANT SELECT, INSERT, UPDATE, DELETE ON ALL TABLES IN SCHEMA public TO webuser;
But now webuser has access to call CREATE USER and GRANT ROLE also. How can I remove access from webuser to do user-management operations while allowing SELECT, INSERT, UPDATE, DELETE on our database tables?
A user can only create other users if it has the createrole property: this property is not assigned by default when creating a user.
Doc. says:
CREATEROLE NOCREATEROLE
These clauses determine whether a role will be permitted to create new roles (that is, execute CREATE ROLE). A role with CREATEROLE
privilege can also alter and drop other roles. If not specified,
NOCREATEROLE is the default.
Either the user has been created with createrole or a superuser has run: alter user webuser createrole.
To revoke that privilege run alter user webuser nocreaterole
NB:
CREATE USER is now an alias for CREATE ROLE. The only difference is
that when the command is spelled CREATE USER, LOGIN is assumed by
default, whereas NOLOGIN is assumed when the command is spelled CREATE
ROLE.
I am trying to create a read all user for my database, but it seems the most simplest of queries isn't working properly.
When I try running the query select * from public.reports limit 5; it works fine when using the postgres user (db owner), returning 5 lines of results. However, it returns no results when using this new user. It throws no errors, it says nothing. It simply returns no results, as if the table was empty.
I created the new user using the following queries:
CREATE USER "new_user" WITH PASSWORD 'strong_password';
GRANT CONNECT ON DATABASE my_database TO "new_user";
GRANT USAGE ON SCHEMA public TO "new_user";
GRANT SELECT ON ALL SEQUENCES IN SCHEMA public TO "new_user";
GRANT SELECT ON ALL TABLES IN SCHEMA public to "new_user";
ALTER USER "new_user" WITH LOGIN;
What am I missing?
So you have row-level security enabled? The manual:
If row-level security is enabled for a table, but no applicable
policies exist, a “default deny” policy is assumed, so that no rows
will be visible or updatable.
This would explain that your user cannot see any rows.
The simplest way to bypass RLS generally for the new user is with BYPASSRLS.
CREATE USER new_user WITH BYPASSRLS PASSWORD 'strong_password';
Else, you need CREATE POLICY to allow things. To allow all read and write operations on table reports for our new role:
CREATE POLICY foo ON public.reports TO new_user USING (true) WITH CHECK (true);
Is there a way to restrict a particular user from making any modification on particular table.
I am thinking to create a Instead of trigger and some how get the login info and restrict the user from running delete/update statements.
But is there any better way to do this, like Sql server has some login permission setting to restrict this
I'd revoke all privileges first (assuming you already have the user)
REVOKE ALL
ON {object_name}
FROM {user_name}
Then grant only SELECT to that user.
GRANT SELECT, INSERT
ON {object_name}
TO {user_name}
I am trying to setup a new role for making the access rights granting easier. I was wondering if there is an easier way to give select on all tables (newly created tables should be accessible automatically) under a schema to selected users. I ran following queries for the same. But still my user is not able to access the specific table.
CREATE ROLE myrole;
GRANT SELECT ON myschema.mytable TO myrole;
GRANT usage ON schema myschema TO myrole;
CREATE USER mytest1 identified BY '***';
GRANT myrole TO mytest1;
After this, when I login with mytest1 user and trying to run select on myschema.mytable it is asking me to grant usage on schema to user. After I grant usage on schema to user directly it is failing with permission denied for that table.
Please help with the same. I am running on vertica 5.0
Update:
I find that u also have to make that role default or explicitely set that role as default for user session for making the role's effect take place.
ALTER USER mytest1 DEFAULT ROLE myrole;
But still, my another question of how to make all tables under a schema accessible to specific users remains.
As per the Vertica SQL Reference Manual.pdf (page 725) (doc version 5.0 - for page numbers)
GRANT (Schema)
...
USAGE
Allows the user access to the objects contained within the
schema. This allows the user to look up objects within the
schema. Note that the user must also be granted access to the
individual objects. See the GRANT TABLE (page 727) ... .
The the user must also be granted access to the individual objects means that you need to also GRANT table.
The two I use is GRANT SELECT and GRANT REFERENCES which allows the user to run queries and join (reference) tables in the query.
Example:
GRANT SELECT ON TABLE [schema].[Table1] TO myUser;
GRANT SELECT ON TABLE [schema].[Table2] TO myUser;
GRANT REFERENCES ON TABLE [schema].[Table1] TO myUser;
GRANT REFERENCES ON TABLE [schema].[Table2] TO myUser;
...
6.0 doc reference GRANT SCHEMA (page 808) and GRANT TABLE (page 813).