Created a user called DEV_USER belong to role DEV_ROLE.
GRANT USAGE ON WAREHOUSE MYWH TO ROLE DEV_ROLE;
CREATE USER DEV_USER PASSWORD = 'secrets' COMMENT = 'Dev User' LOGIN_NAME = 'DEV_USER' DISPLAY_NAME = 'Development Only User' DEFAULT_ROLE = 'DEV_ROLE' DEFAULT_WAREHOUSE = 'MYWH' MUST_CHANGE_PASSWORD = FALSE;
ALTER USER DEV_USER SET DEFAULT_NAMESPACE = 'PUBLIC';
GRANT ROLE DEV_ROLE TO USER DEV_USER;
GRANT ROLE DEV_ROLE TO USER MYUSERACCT;
GRANT ALL ON DATABASE DEV_DB TO ROLE DEV_ROLE WITH GRANT OPTION;
GRANT ALL ON DATABASE "DEV_DB" TO ROLE "DEV_ROLE" WITH GRANT OPTION;
GRANT ALL ON SCHEMA "DEV_DB"."PUBLIC" TO ROLE "DEV_ROLE" WITH GRANT OPTION;
I log in with MYUSERACCT. I default to the DEV_ROLE. I go to DATABASES and try to clone the DEV_DB to DEV_DB_CLONE but get the following error:
Unable to create database DEV_DB_CLONE.
SQL access control error: Insufficient privileges to operate on account 'XX12345'
Obviously it will work if I set my user to SYSADMIN or ACCOUNTADMIN. But I need it to CLONE when I'm set to DEV_ROLE.
What am I missing?
security access control privileges says for clone you need the global privileges of CREATE DATABASE via a role
CREATE USER DEV_USER1 PASSWORD = 'secrets' COMMENT = 'Dev User' LOGIN_NAME = 'DEV_USER' DISPLAY_NAME = 'Development Only User';
CREATE ROLE CLONE_ROLE;
GRANT CREATE DATABASE ON ACCOUNT TO ROLE CLONE_ROLE;
GRANT ROLE CLONE_ROLE TO USER DEV_USER1;
DROP USER DEV_USER1;
DROP ROLE CLONE_ROLE;
Related
Does Oracle 12 support having the old password required when changing a password to a specific user?
What I would like:
ALTER USER user_a IDENTIFIED BY secret123;
-- ERROR, missing old password
ALTER USER user_a IDENTIFIED BY secret456 REPLACE secret123;
-- OK
ALTER USER user_b IDENTIFIED BY secret789;
-- OK, since user_b does not require old password when changing it
Thanks!
Yes, this is supported since Oracle 9i, when a function was introduced that checks a new password for complexity and optionally for difference to the old password. As Oracle stores only hashes, not the passwords, it cannot compare old and new passwords unless the user supplies it during the change.
So, all users with a PROFILE where the PASSWORD_VERIFY_FUNCTION is set are required to have the old password, even if this function doesn't check any passwords:
CREATE OR REPLACE FUNCTION always_true (
username VARCHAR2,
password VARCHAR2,
old_password VARCHAR2) RETURN boolean IS
BEGIN
RETURN TRUE;
END always_true;
/
CREATE PROFILE always_true
LIMIT PASSWORD_VERIFY_FUNCTION always_true;
CREATE USER user_a IDENTIFIED BY secret123 PROFILE always_true;
GRANT CREATE SESSION to user_a;
Now user_a has to specify the old password:
ALTER USER user_a IDENTIFIED BY secret123;
ORA-28221: REPLACE not specified
ALTER USER user_a IDENTIFIED BY secret456 REPLACE secret123;
User altered.
A user with a profile without PASSWORD_VERIFY_FUNCTION or this parameter set to NULL doesn't have to specify the old password:
CREATE PROFILE without_function
LIMIT PASSWORD_VERIFY_FUNCTION NULL;
CREATE USER user_b IDENTIFIED BY secret123 PROFILE without_function;
GRANT CREATE SESSION to user_b;
Now user_b can change his/her password without having the old password:
ALTER USER user_b IDENTIFIED BY secret789;
User altered.
The second option is to have the privilege ALTER USER, but that is only for administrators, as they can change all the passwords of all account.
Oracle docu says
You can omit the REPLACE clause if you are setting your own password for the first time or you have the ALTER USER system privilege and you are changing another user's password. However, unless you have the ALTER USER system privilege, you must always specify the REPLACE clause if a password complexity verification function has been enabled ...
so the answer would be - add a password verification function to those users that should provide the old password (and revoke the password change system privilege from them).
I'm trying to learn Postgres and Ive made two basic tables and I can't join them together.
here is my list Of relations:
Schema | Name | Type | Owner
--------+--------------+----------+----------
public | login | table | postgres
public | login_id_seq | sequence | postgres
public | users | table | test
(3 rows)
When I use the command
SELECT * FROM users JOIN login ON users.name = login.name;
I get
ERROR: permission denied for relation login
I have no idea what to do or what I did wrong.
You should grant the SELECT permission to user test:
GRANT SELECT ON login TO test;
If if might allow test to modify login, you should grant other permissions as well:
GRANT SELECT, INSERT, UPDATE, DELETE ON login TO test;
You should execute these statements as database owner or as user postgres. In general, you can use
psql -Upostgres -dtest
if you're running this command on the same machine where the Postgres server is running.
You may also change the ownership of login to test:
ALTER TABLE login OWNER TO test;
ALTER SEQUENCE login_id_seq OWNER TO test;
But have to execute this as user postgres as well.
Edit: You can try to change the user with
SET ROLE 'postgres';
as suggested by #lat long.
So this is what I did to finally get it to work...I basically just went into the login properties on pgAdmin4, found the owner and switched it to test and ran:
SELECT * FROM users JOIN login ON users.name = login.name;
and finally got what I was looking for. Surprisingly a simple fix.
The "test" user doesn't have permission to login and use the related tables. Run the query with the "postgres" user:
SET ROLE 'postgres';
Then run your query.
Was wanting to add full access for a developer to a database.
I wanted them to be able to have full control over it...including deleting it if they wanted.
Somehow I stumbled upon two ways. Are these the right ways??
What's the difference of between access/permissions between the both commands?
What is the correct command to accomplish what I want?
Thanks.
Command 1
USE [testdb1]
GO
ALTER USER [john] WITH DEFAULT_SCHEMA=[dbo]
GO
Command 2
USE [testdb1]
GO
EXEC sp_addrolemember N'db_owner', N'john'
GO
According to the latest sp_addrolemember documentation, sp_addrolemember should be avoided and ALTER ROLE should be used instead.
This feature will be removed in a future version of Microsoft SQL Server. Avoid using this feature in new development work, and plan to modify applications that currently use this feature. Use ALTER ROLE instead.
There is no difference between the two as of SQL Server 2012.
alter role [RoleName] add member [MemberName];
is equivalent to
exec sp_addrolemember N'RoleName', N'MemberName';
References:
https://msdn.microsoft.com/en-us/library/ms189775.aspx
https://msdn.microsoft.com/en-us/library/ms187750.aspx
MSDN is a great source for answering that:
sp_addrolemember
Adds a database user, database role, Windows login, or Windows group
to a database role in the current database.
ALTER USER
Renames a database user or changes its default schema.
Note also the syntax:
sp_addrolemember [ #rolename = ] 'role',
[ #membername = ] 'security_account'
-- SQL Server Syntax
ALTER USER userName
WITH <set_item> [ ,...n ]
[;]
<set_item> ::=
NAME = newUserName
| DEFAULT_SCHEMA = { schemaName | NULL }
| LOGIN = loginName
| PASSWORD = 'password' [ OLD_PASSWORD = 'oldpassword' ]
| DEFAULT_LANGUAGE = { NONE | <lcid> | <language name> | <language alias> }
| ALLOW_ENCRYPTED_VALUE_MODIFICATIONS = [ ON | OFF ]
In other words, using sp_addrolemember, you could only add database user, database role, Windows login, or Windows group in the current database.
But using ALTER USER, you could alter its name, its default schema, its login name, its password, etc... which certain is unable to be done by using sp_addrolemember.
Check the two MSDN links. They are great source for info using SQL Server
As for your case, you probably want to use sp_addrolemember, provided that you already have a role which could give the user the access that they need (most probably db_owner).
USE [testdb1]
GO
EXEC sp_addrolemember N'db_owner', N'john'
GO
When you alter default schema of a user, it does not mean that they get new role - but they get new default schema, and the accessibility will depend on the security rules in the new schema for the existing user role. It could give you what you want, depends on the security rules for the user in the default schema it has.
I built a database with the entity user and permission
user (id, email, password, permission)
permission (id, create_user, delete_user, user_fk)
create_user and delete_user is BOOLEAN.
Relationship: One-One
Now every user can have it's own permissions.
My question is: How can I use shiro to read the permissions from the database?
If you really only wish to assign permissions on user level, you can "fake" the roles table to make Shiro happy.
As Wouter mentioned, use the JdbcRealm and specify the 3 queries for your table setup.
You should modify your permission table to have this structure:
permission (id, permissionname, user_fk)
Then you insert rows for the create_user/delete_user rights as needed.
This way it's very simple to add another permission (reset_password for example) to your setup, without the need to modify the db schema.
In the shiro.ini (or how you call the your shiro config file):
jdbcRealm = org.apache.shiro.realm.jdbc.JdbcRealm
For the queries use then this:
jdbcRealm.authenticationQuery = select password from user where email=?
jdbcRealm.userRolesQuery = select id from user where email=?
jdbcRealm.authenticationQuery = select permissionname from permission where user_fk=?
The small trick in your setup is: you don't have roles at all, so we just return the id of the user as the role name.
When the lookup in the permission table is done, it then uses the role name (=user pk) and returns the associated permissions.
You should configure a JdbcReam in your .ini file:
jdbcRealm=org.apache.shiro.realm.jdbc.JdbcRealm
If you change your schema to adhere to the shiro queries, no extra config is needed. You need tables users, user_roles and roles_permissions.
See the source code how the exact column names should be:
https://svn.apache.org/repos/asf/shiro/trunk/core/src/main/java/org/apache/shiro/realm/jdbc/JdbcRealm.java
Alternatively you can configure your own queries to match your schema in the .ini file like so:
jdbcRealm.authenticationQuery=<your password select statement>
jdbcRealm.userRolesQuery=<your role names for username select statement>
jdbcRealm.authenticationQuery=<your permissions for role name select statement>
I create the database in Management Studio. Added a SQL authenticated user to the list of users for the DB.
I set up (granted) the permissions like so:
use DjangoDB;
grant select,insert,update,alter,delete,references to django;
select
a.*,
b.name
from sys.database_permissions a
inner join sys.database_principals b
on a.grantee_principal_id = b.principal_id
and b.name = 'django'
The output of this command is:
class class_desc major_id minor_id grantee_principal_id grantor_principal_id type permission_name state state_desc name
0 DATABASE 0 0 5 1 AL ALTER G GRANT django
0 DATABASE 0 0 5 1 CO CONNECT G GRANT django
0 DATABASE 0 0 5 1 DL DELETE G GRANT django
0 DATABASE 0 0 5 1 IN INSERT G GRANT django
0 DATABASE 0 0 5 1 RF REFERENCES G GRANT django
0 DATABASE 0 0 5 1 SL SELECT G GRANT django
0 DATABASE 0 0 5 1 UP UPDATE G GRANT django
So the user appears to have the permissions (especially select which it will later claim is not a permission this user has)
Then I run python manage.py syncdb
Syncing...
Creating tables ...
Creating table auth_permission
Creating table auth_group_permissions
Creating table auth_group
Creating table auth_user_user_permissions
Creating table auth_user_groups
Creating table auth_user
...
and I (sometimes) get an error like:
File "E:\python\cloudbox\.cloudbox\lib\site-packages\sqlserver_ado\dbapi.py", line 99, in standardErrorHandler
raise errorclass(errorvalue)
DatabaseError: (-2147352567, 'Exception occurred.', (0, u'Microsoft OLE DB Provider for SQL Server', u"User 'django' does not have permission to run DBCC checkconstraints for database 'DjangoDB'.", None, 0, -2147217900), None)
Command:
DBCC CHECKCONSTRAINTS
Parameters:
[]
When I look up this error, it says:
Requires membership in the sysadmin fixed server role or the db_owner fixed database role.
I can find a whole list of roles to put this user into, but none of them are sysadmin. Where is this role hidden?
If I immediately rerun syncdb without changing anything, I get a different error though:
sqlserver_ado.dbapi.DatabaseError: (-2147352567, 'Exception occurred.', (0, u'Microsoft OLE DB Provider for SQL Server', u"The SELECT permission was denied on the object 'django_content_type', database 'DjangoDB', schema 'dbo'.", None, 0, -2147217911), None)
Command:
SELECT [django_content_type].[id], [django_content_type].[name], [django_content_type].[app_label], [django_content_type].[model] FROM [django_content_type] WHERE ([django_content_type].[model] = ? AND [django_content_type].[app_label] = ? )
Parameters:
[Name: p0, Dir.: Input, Type: adBSTR, Size: 10, Value: "permission", Precision: 0, NumericScale: 0, Name: p1, Dir.: Input, Type: adBSTR, Size: 4, Value: "auth", Precision: 0, NumericScale: 0]
Now it says the user doesn't have the SELECT privilege? But above it shows it DOES have the select privilege?
Is there some magic to granting the select privilege?
So, now the plot thickens. I make the sql user 'django' OWN the database. Now, everything will work, everything creates, no errors, south migration works.....
But I don't want my webserver user being the "owner" of the db. I want it to be able to do things like select,insert,update,alter,delete,references. But it seems like I can't just give it a limited set of permissions so it can fulfill that role. This seems a lot like running XP as administrator, something that does NOT make sense.
What am I doing wrong on permissions? Why does the webserver db user have to OWN this db?
Some Answers:
1) sysadmin is a Server Role, and not a database role like db_owner. It is much more powerful than making your user the database owner, so you definitely do not want to give it out.
2) For reasons that are something of a mystery, object-access permissions effectively must be granted to both the database (DjangoDB) and the schema (dbo). You already did the database, now you have to do the same for the schema. Here is what these commands might be in T-SQL:
GRANT DELETE ON SCHEMA::[dbo] TO [django]
GRANT EXECUTE ON SCHEMA::[dbo] TO [django]
GRANT INSERT ON SCHEMA::[dbo] TO [django]
GRANT REFERENCES ON SCHEMA::[dbo] TO [django]
GRANT SELECT ON SCHEMA::[dbo] TO [django]
GRANT UPDATE ON SCHEMA::[dbo] TO [django]
GRANT VIEW DEFINITION ON SCHEMA::[dbo] TO [django]
3) As for DBCC, it is a very powerful utility command, consequently, it requires powerful permissions. You may be able to grant your user the db_owner role instead of making them the owner of the database, but really that's not much better. Ideally, either your syncdb should only be executed by an admin instead of your app's users, or you should make a stored procedure to do the DBCC authorizing the proc with EXECUTE As OWNER, then authorize the user to that stored proc (already done if they are authorized to the schema, as above), and finally have syncdb changed to call that procedure instead of doing the DBCC directly.
sysadm is a server role.
The second error is occurring against a database called Amegy
You should not use the same user for both deployments and running the application code. They are different roles with different permission requirements.
Django's syncdb command requires the ability to enable/disable constraints and is part of its database API.