I am using FireBird 2.1 and I have a user and a role. I granted execute permission on an stored procedure to role but not to user.
When I am trying to execute the stored procedure while logged in as a user with the role, I am getting following error:
Statement #1: no permission for execute access to PROCEDURE SPSELECTMANAGERS.
I checked the roles and users, the user is already added in the roles.
Is the SP recursive? In that case the procedure must have granted right to execute itself, ie add this to the DB creation script:
GRANT EXECUTE ON PROCEDURE SPSELECTMANAGERS TO PROCEDURE SPSELECTMANAGERS;
BTW this behaviour is considered to be a bug and will be fixed in future version (FB 3).
Related
I was given access to a database (turtwig) in Neo4j created by a colleage, who gave me the default role 'PUBLIC' and a custom one called 'modeller'. I am triying to create a new node label but I get this message:
Node label error
When I try to give myself the privilage to create node labels, an error occurs:GRANT ERROR. This same error occurs when I try to grant myself the privileges of assigning privileges with GRANT ASSIGN PRIVILEGE ON DBMS TO modeller
Run this command and you will see the privileges that user modeller has.
SHOW USER PRIVILEGES
Granting yourself (as modeller) access for that privilege should be done by admin. Then you should ask your database admin (or colleague) to grant you access to create new nodes.
GRANT CREATE ON GRAPH turtwig ELEMENTS * TO modeller
How to configure a PSQL v11.4 user that is not the superuser and does not own the database.
This user should have full access to create SQL objects and drop them, even
though they do not own the database, so they can not drop the database.
All sql/database objects exist on the PUBLIC schema.
So far I have tried:
CREATE USER app_user WITH ENCRYPTED PASSWORD 'foo_bar';
ALTER USER app_user NOCREATEDB NOCREATEROLE;
ALTER USER app_user VALID UNTIL 'infinity';
GRANT ALL PRIVILEGES ON DATABASE database TO app_user;
When running Rails migrations I get the following error:
remote: PG::InsufficientPrivilege: ERROR: permission denied for table schema_migrations
Seems like the psql best practices is to have a role with privileges
set, then assign the user to be a member of that role. However because everything
is on the public schema all users/roles should have full access right? However
this line in the docs is throwing me off:
"The right to drop an object, or to alter its definition in any way, is not treated as a grantable privilege; it is inherent in the owner, and cannot be granted or revoked. (However, a similar effect can be obtained by granting or revoking membership in the role that owns the object; see below.) The owner implicitly has all grant options for the object, too."
from: https://www.postgresql.org/docs/11/sql-grant.html
Also though because the database is being restored via the sudo user, objects
will be owned by the sudo user, however new objects could belong to the
app_user, is this an issue?
You need the CREATE privilege on the database, and you need to pg_dump (or pg_restore with the -x and -O options, so that the restoring user becomes the object owner and no additional privileges are granted.
Some things, like certain extensions, event triggers or functions in untrusted languages (to name a few examples) require superuser rights to create them. Either avoid such objects or create them ahead of time and ignore the errors.
Currently migrating to snowflake from another relational database. Below are the SQL commands that we used in attempt to grant the right permissions. When attempting to create the stored procedure in the DEVELOPER_ARCHIVE database and LANDING_ZONE schema using the DEVELOPER_ROLE, we get an error that we don't have the permissions.
CREATE ROLE IF NOT EXISTS DEVELOPER_ROLE;
CREATE ROLE IF NOT EXISTS DEVELOPER_CRUD_ROLE;
CREATE ROLE IF NOT EXISTS DEVELOPER_READONLY_ROLE;
GRANT ROLE DEVELOPER_READONLY_ROLE TO role DEVELOPER_CRUD_ROLE;
GRANT USAGE ON DATABASE DEVELOPER_ARCHIVE to DEVEVELOPER_CRUD_ROLE;
The role will also need usage on the LANDING_ZONE schema and an additional create procedure grant. Here is a link to the grants documentation (schemaPrivileges);
https://docs.snowflake.com/en/sql-reference/sql/grant-privilege.html
Datasnap authentication is pretty straightforward once you use the correct parameter names (explained in Delphi Datasnap Server User Authentication). The next problem is to be able to use those same credentials when using a FireDAC Database Connection. The answer seems to be implied in Most efficient way to pass SQL Login credentials to Delphi Datasnap servers? although "simply forwarded" doesn't really explain how to accomplish the code. Further, these credentials should be authenticated as the same credentials used to log on to the Datasnap server. This will prevent impersonation at the database level.
So far I haven't been able to discover any way to obtain the current Datasnap user credentials programmatically from within the Server Methods unit. For example, in a BeforeConnect event. The code I'm working on is a standalone server built with Delphi XE7 using a Session lifecycle.
Here is a description of the events that take place when connecting to a Datasnap server and requesting data:
Let me explain further:
By using a few ShowMessage instructions I can trace the flow of Datasnap as I connect and make a data request. Running the server under Test allows me to display the contents of the various parameters that accompany the events. Once set up, running a client that connects to the server and requests data results in the following:
Client Login Button
Credential Dialogue presented (this is my code, not the property of
TSQLConnection that gets it wrong.)
Username and Password entered.
Paremeters Placed in TSQLConnection.Params [DSAuthenticationPassword, DSAuthenticationUser]
Set TSQLConnection.Connected := True
Server event OnUserAuthenticate
At this point, the connection is established although nothing else has
taken place on the server. Most importantly, neither the ServerClass
nor the ServerMethodsClass have been instantiated. There is no place
that I can see to store authentication credentials.
Client GetData Button
Client opens two client datasets consecutively.
Server DSServerClass1.Create. This apparently implies that the
ServerTransport recognizes the request as valid and proceeds to
create the necessary assets to handle the session.
ServerMethodsUnit3.Create. Somewhere buried in the DSServerClass
there is a GetClass invocation that returns the name of the
associated ServerMethodsClass. The named class is instantiated. Since
the ServerMethodsClass ultimately descends from a TDataModule this
implies property streaming as well.
OnUserAuthorize (Apparently first dataset)
OnUserAuthorize (Apparently second dataset)
Data is returned to client (At this time the database credentials are hard coded into the TFDConnection ConnectionDefinition just to get it to
work.)
OnUserAuthorize presents Sender parameter with a nil value; also presented is a TDSAuthorizeEventObject that doesn't contain any references that I have been able to use to find the ServerMethods instance, and, finally, a parameter named Valid, a boolean value used to authorize the user.
Note that TDSAuthorizeEventObject contains a reference to TDSServerMethodUserEventObject that DOES contain the Username along with Roles, Authorized Roles and Denied Roles. However, so what? This brings me back to my original question: How do I communicate this to code in the ServerMethodsUnit?
After some time I stumbled on the exact methodology to do this in a white paper by Bob Swart. There are several methods that will enable you to persist information during a Datasnap session. These belong to TDSSessionManager.GetThreadSession and are GetData, PutData, RemoveData, HasData, GetObject, PutObject, RemoveObject and HasObject. These methods actually manage two dictionaries that are part of the Session. So for example, in the UserAuthentication event you might store the username as follows:
TDSSessionManager.GetThreadSession.PutData('entrykey', UserName);
Later, in a OnBeforeConnect event for a database connection, you can retrieve these values for use in the connection:
DBUserName := TDSessionManager.GetThreadSession.GetData('entrykey');
In practice I find the "object" forms of greater value but either form offers a powerful way to persist your own data for the life of a session without resorting to external media.
In your linked question, the TServerContainer1.DSAuthenticationManager1UserAuthenticate method has User and Password parameters. Your server side code can retrieve the credentials from the request parameters, validate them, and re-use them for authentication with the database.
procedure TServerContainer1.DSAuthenticationManager1UserAuthenticate(
Sender: TObject; const Protocol, Context, User, Password: string;
var valid: Boolean; UserRoles: TStrings);
if UserService.isUserValid(User, Password) then
begin
// use User and Password ...
end;
I recently added a stored procedure to my SQL Azure database. I added that procedure logged in as username1. However, I need to allow username2 the ability to EXECUTE that stored procedure. From what I can tell, username2 cannot see/execute the stored procedure. However, username1 can.
What command do I need to run to allow username2 to execute my stored procedure? I'm confident that it's GRANT. However, I'm not sure of the syntax. Can someone please give me an example?
You have the same options as if you where using an SQL Server database. You need to GRANT the user proper privileges. Log in as username1 and execute the following:
GRANT EXECUTE ON Nameofyourprocedure TO username2;
For more help on Azure SQL syntax and limitations refer to the following link:
http://msdn.microsoft.com/en-us/library/windowsazure/ee336226