How to revoke access to system.* table for db user? - clickhouse

I'm creating a user with the following permissions:
CREATE USER IF NOT EXISTS U371bqJkJ6sGJ IDENTIFIED WITH sha256_password BY '...O4CqSR1' SETTINGS PROFILE 'default' DEFAULT ROLE user GRANTEES NONE
REVOKE ALL ON *.* FROM U371bqJkJ6sGJ
GRANT SHOW DATABASES ON U371bqJkJ6sGJ.* TO U371bqJkJ6sGJ
GRANT SELECT ON U371bqJkJ6sGJ.* TO U371bqJkJ6sGJ
But for some reason, this user can read system.* tables, e.g.
SELECT * FROM system.errors
How to revoke access to the system tables?
Thanks!

Here is the only way: https://github.com/ClickHouse/ClickHouse/issues/24887
create user foo identified by '123';
revoke all on *.* from foo;
create role RO;
CREATE ROW POLICY ro_query_log_filter ON system.query_log USING 1 AS RESTRICTIVE TO RO;
CREATE ROW POLICY ro_part_log_filter ON system.part_log USING 1 AS RESTRICTIVE TO RO;
CREATE ROW POLICY ro_trace_log_filter ON system.trace_log USING 1 AS RESTRICTIVE TO RO;
CREATE ROW POLICY ro_processes_filter ON system.processes USING 1 AS RESTRICTIVE TO RO;
grant RO to foo;
ALTER USER foo DEFAULT ROLE RO SETTINGS NONE;
clickhouse-client -u foo --password=123
select count() from system.trace_log;
0 rows in set.
select count() from system.query_log;
0 rows in set.
select count() from system.tables;
0 rows in set.
select query from system.processes;
0 rows in set
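Added example, not from the answer above or from the ClickHouse project: it extends the same restrictive row-policy approach to more system tables (including the system.errors table from the question) and adds two admin-side checks, one against system.row_policies and one with SHOW GRANTS. It assumes the role RO and user foo created in the answer, and that row policies take effect on these additional system tables the same way the answer shows for the four it lists.

```sql
-- Added example (not part of the original answer). Assumes role RO and user foo
-- already exist as created above. Each restrictive policy with USING 1 and no
-- permissive policy for RO leaves the role with zero visible rows.
CREATE ROW POLICY IF NOT EXISTS ro_errors_filter   ON system.errors   USING 1 AS RESTRICTIVE TO RO;
CREATE ROW POLICY IF NOT EXISTS ro_tables_filter   ON system.tables   USING 1 AS RESTRICTIVE TO RO;
CREATE ROW POLICY IF NOT EXISTS ro_columns_filter  ON system.columns  USING 1 AS RESTRICTIVE TO RO;
CREATE ROW POLICY IF NOT EXISTS ro_settings_filter ON system.settings USING 1 AS RESTRICTIVE TO RO;
CREATE ROW POLICY IF NOT EXISTS ro_users_filter    ON system.users    USING 1 AS RESTRICTIVE TO RO;
CREATE ROW POLICY IF NOT EXISTS ro_grants_filter   ON system.grants   USING 1 AS RESTRICTIVE TO RO;

-- Admin check 1: which system tables now carry a restrictive policy for RO?
-- Any system table missing from this list is still readable by the role.
SELECT table, name, is_restrictive, apply_to_list
FROM system.row_policies
WHERE database = 'system' AND has(apply_to_list, 'RO')
ORDER BY table;

-- Admin check 2: confirm no explicit grant on system.* was left on the user.
SHOW GRANTS FOR foo;
```

Run the two checks as an admin after any change to the user's grants, since a later GRANT on system.* would bypass nothing here but a new system table would not be covered until a policy is added for it.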

Related

How to select all DML statement done to a table

With this query, I can see which tables were modified in the last hour.
select * from ALL_TAB_MODIFICATIONS where timestamp> sysdate-1/24
Now I want to know what has been inserted, updated, deleted in a table. And if possible, with the user id.
How do I do that?
I've tried to use auditing.
https://www.ibm.com/docs/en/svgaa?topic=c-enabling-auditing-oracle-resource
in sqlplus
SHOW PARAMETER AUDIT_TRAIL
DB --OK
AUDIT ALL BY SEV BY ACCESS
audit succeeded
I've tried to see the content of all the audit tables (SELECT view_name FROM dba_views WHERE view_name LIKE 'DBA%AUDIT%';)
for instance:
select * from dba_audit_exists;
but they are empty

How to find missing grant on all tables for one role

I have a problem with my student database schema. I want to find, with a query, which tables don't have, for example, a 'SELECT' grant to role XXX. A second example: in the tables I have grants like delete, alter, but now I want to check all tables with one query to find which tables don't have a SELECT grant to role 'STUDENT_DBA', or where this role doesn't have a grant for SELECT...
Please help 😅😅😅
SELECT table_name
FROM dba_tables
WHERE owner = 'STUDENT'
AND table_name NOT IN
(SELECT table_name
FROM dba_tab_privs
WHERE owner = 'STUDENT'
AND privilege = 'SELECT'
AND grantee = 'STUDENT_DBA');
This will return all tables in the STUDENT schema that do not have select permissions directly granted to the STUDENT_DBA role.
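Added example, not part of the answer above: the same check extended to also count a SELECT granted to PUBLIC or to any role that STUDENT_DBA inherits through a role hierarchy (walked via dba_role_privs), which the direct-grant query misses. It assumes Oracle 11gR2 or later for the recursive WITH clause and access to the DBA_* views.

```sql
-- Added example (not from the original answer): STUDENT tables on which role
-- STUDENT_DBA has no SELECT privilege, counting grants made directly, to
-- PUBLIC, or to any role STUDENT_DBA inherits. Assumes Oracle 11gR2+.
WITH role_tree (role_name) AS (
  -- anchor: the role we are auditing (CAST keeps the column VARCHAR2,
  -- so longer inherited role names are not truncated)
  SELECT CAST('STUDENT_DBA' AS VARCHAR2(128)) FROM dual
  UNION ALL
  -- recursive step: every role granted to a role already in the tree
  SELECT r.granted_role
  FROM   dba_role_privs r
  JOIN   role_tree t ON r.grantee = t.role_name
)
SELECT t.table_name
FROM   dba_tables t
WHERE  t.owner = 'STUDENT'
AND    NOT EXISTS (
         SELECT 1
         FROM   dba_tab_privs p
         WHERE  p.owner      = t.owner
         AND    p.table_name = t.table_name
         AND    p.privilege  = 'SELECT'
         AND   (p.grantee = 'PUBLIC'
                OR p.grantee IN (SELECT role_name FROM role_tree))
       )
ORDER BY t.table_name;
```

From Oracle 12.1.0.2 the READ object privilege also permits querying a table, so add it to the privilege filter if your schema uses it; a SELECT ANY TABLE system privilege on the role (dba_sys_privs) would likewise make every table readable regardless of this result.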

oracle grant select right to a user with where clause

I should give username “Username1” read access to the “Product_id”, “Price” columns for all entries in the “Sales” table that have a “Price”> 10. Assume that the user exists and has the "Connect" role. The table exists in its schema.
I tried this code but it does not work:
Grant select(product_id, price) on sales where price > 10 to ‘Username1’;
You can create a view:
CREATE VIEW TEST AS
SELECT s.PRODUCT_ID, s.PRICE
FROM SALES s
WHERE s.PRICE > 10
/
then use:
GRANT SELECT ON TEST TO USERNAME1
/
As far as I know, you cannot grant on specific columns with a WHERE condition, but a view can.

grant select column privileges to user on condition that users can only access column related to their id column - Oracle pl/sql

I have some tables:
Book(bookId, libraryId, bookName, bookType);
BookType(bookType, typeName);
Library(LibrayId);
User(UserId);
BookBorrowed(BorrowId, LibraryId, UserId);
BorrowDetail(BorrowId, bookId)
and a user created in SQL Developer, C##DG.
How do I GRANT privileges (SELECT) ON BookBorrowed and User with UserId = 1 (C##DG can only see and SELECT the data in the 2 tables whose UserId column is 1)?
Can you guys show me some examples?
Thank you very much.
The proper Oracle solution to this is Virtual Private Database.
If that isn't an option, another way is to define views such as:
create view userBookBorrowed
as select * from bookBorrowed bb
join users u on (u.userid = bb.userid)
where u.username = USER;
Then only grant the users access to the view, not the table.
There's no such thing as column-level privileges that you can grant or revoke. You need to implement Virtual Private Database policies for those kinds of filters or restrictions. See here: https://docs.oracle.com/en/database/oracle/oracle-database/19/dbseg/using-oracle-vpd-to-control-data-access.html#GUID-06022729-9210-4895-BF04-6177713C65A7

Oracle SQL Query for listing all Schemas in a DB

I wanted to delete some unused schemas on our Oracle DB.
How can I query for all schema names?
Using sqlplus
sqlplus / as sysdba
run:
SELECT *
FROM dba_users
Should you only want the usernames, do the following:
SELECT username
FROM dba_users
Most likely, you want
SELECT username
FROM dba_users
That will show you all the users in the system (and thus all the potential schemas). If your definition of "schema" allows for a schema to be empty, that's what you want. However, there can be a semantic distinction where people only want to call something a schema if it actually owns at least one object so that the hundreds of user accounts that will never own any objects are excluded. In that case
SELECT username
FROM dba_users u
WHERE EXISTS (
SELECT 1
FROM dba_objects o
WHERE o.owner = u.username )
Assuming that whoever created the schemas was sensible about assigning default tablespaces and assuming that you are not interested in schemas that Oracle has delivered, you can filter out those schemas by adding predicates on the default_tablespace, i.e.
SELECT username
FROM dba_users
WHERE default_tablespace not in ('SYSTEM','SYSAUX')
or
SELECT username
FROM dba_users u
WHERE EXISTS (
SELECT 1
FROM dba_objects o
WHERE o.owner = u.username )
AND default_tablespace not in ('SYSTEM','SYSAUX')
It is not terribly uncommon to come across a system where someone has incorrectly given a non-system user a default_tablespace of SYSTEM, though, so be certain that the assumptions hold before trying to filter out the Oracle-delivered schemas this way.
SELECT username FROM all_users ORDER BY username;
select distinct owner
from dba_segments
where owner in (select username from dba_users where default_tablespace not in ('SYSTEM','SYSAUX'));
The SQL below lists all the schemas in Oracle that were created after installation.
ORACLE_MAINTAINED='N' is the filter. This column is new in 12c.
select distinct username,ORACLE_MAINTAINED from dba_users where ORACLE_MAINTAINED='N';
How about:
SQL> select * from all_users;
It will return a list of all users/schemas, their IDs and creation date in the DB:
USERNAME USER_ID CREATED
------------------------------ ---------- ---------
SCHEMA1 120 09-SEP-15
SCHEMA2 119 09-SEP-15
SCHEMA3 118 09-SEP-15
Either of the following SQL statements will return all schemas in the Oracle DB.
select owner FROM all_tables group by owner;
select distinct owner FROM all_tables;