In ClickHouse, is it possible to GRANT a user for changing his own password but without allowing him to alter his privileges nor the privileges/password of other users?
If I set GRANT ALTER USER TO myuser, I will allow myuser to change the password and the privileges of all the users. And that I don't want.
As I understood the final goal is to avoid compromising/sharing a 'fresh' client password.
I would suggest storing hashed passwords instead of plain text - see user settings - user_name/password for details.
In this case, the user should send the hashed password to the admin, and the admin sets it up himself using ALTER USER.
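The handoff described in the answer above, as an added example that is not part of the original answer: the user hashes the password locally and the admin checks the submitted value before building the statement. The function names are hypothetical, the sample password is constructed, and `sha256sum` from GNU coreutils is assumed to be installed.

```shell
#!/bin/sh
# Added example: hashed-password handoff for a ClickHouse user.

# User side: read the password from stdin rather than argv, so it does not
# appear in the process list or shell history, and print its SHA-256 as hex.
ch_password_hash() {
    # `read` strips the trailing newline; accept a last line without one too.
    IFS= read -r pw || [ -n "$pw" ] || return 1
    printf '%s' "$pw" | sha256sum | cut -d' ' -f1
}

# Admin side: accept only a plain identifier and a 64-character lowercase hex
# digest, then print the statement to run. Anything else is rejected, which
# keeps a malformed or quote-carrying value out of the SQL text.
ch_alter_user_stmt() {
    user=$1
    hash=$2
    case $user in
        ''|[0-9]*|*[!A-Za-z0-9_]*) echo "bad user name" >&2; return 1 ;;
    esac
    case $hash in
        *[!0-9a-f]*) echo "hash is not lowercase hex" >&2; return 1 ;;
    esac
    [ "${#hash}" -eq 64 ] || { echo "hash must be 64 hex chars" >&2; return 1; }
    printf "ALTER USER %s IDENTIFIED WITH sha256_hash BY '%s';\n" "$user" "$hash"
}

# Typical use:
#   user:  ch_password_hash            (type the password, press Enter)
#   admin: ch_alter_user_stmt myuser <hash received from the user>
```

The admin never sees the clear-text password, and the user never needs the ALTER USER privilege.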
I have to create a role with the only privilege of CREATE SESSION. I have already created it, but when I give the role to the user I cannot connect to the DB because the user lacks the CREATE SESSION privilege.
This is what I tried:
But at the end, when I try to connect with the user alvaro_rol, I receive this message: and it was supposed to connect to the DB because I created the role, I granted the CONNECT privilege to the role, I gave the role to the user alvaro_rol and finally I activated the role with the command set role, and I don't know what to do next.
Thanks in advance!
You will need to give the user the session privilege, either directly or through a non-password-protected role. The security guide says (emphasis added):
You can protect a role authorized by the database by assigning the role a password. If a user is granted a role protected by a password, then you can enable or disable the role by supplying the proper password for the role in the SET ROLE statement. You cannot authenticate a password-authenticated role on logon, even if you add it to the list of default roles. You must explicitly enable it with the SET ROLE statement using the required password.
Since you can't supply the role password during login/connect, you will have to connect first - which requires the session privilege - and then use
set role rol_conexion identified by conexion;
Currently setting that role would be a bit pointless, but in reality you would have a role providing other privileges that need to sit behind the role authorisation - and not create session.
Inquiring if the statement after identified by is the password 'pw12334' to be applied to the account
example
Alter user username identified by pw1234 account unlock.
Also inquiring if the "identified by" command alone can replace the password without the "replace" command.
kinda confused here, since I need to apply the password to apex.xml to make the ords 503 error go away.
The syntax to unlock the user is below. The IDENTIFIED BY password is needed because if you unlock an account without resetting the password, then the password remains expired.
ALTER USER james IDENTIFIED BY Jim123 ACCOUNT UNLOCK;
I have the following business problem to solve in a big legacy application written in PL/SQL and Oracle Forms 6i:
Not allow users to log in using their database accounts.
The whole application has around 50 users who use their database accounts. The audit department doesn’t allow that users know their database accounts passwords.
Rewriting the application to use a new user rights logic (using a table like USERS, only 1 database user, etc.) is out of the question as it’s too much work.
I thought about the following solution to use the existing database users:
Create a table USERS with usernames and new passwords, and somehow use a proxy user. In a package the application will check if the provided password is in line with the table USERS, and then connect as 1 of the 50 database users – so all application logic and user rights can stay the same.
But there is one problem with this workaround – you can’t use „connect” in a package. So I can’t use it.
BEGIN
  IF p_in_user = 'USER2' AND p_in_pass = 'XXX' THEN
    EXECUTE IMMEDIATE 'conn USER2/Password123'; -- doesn't work, using a proxy neither
  END IF;
END;
Does anyone have any ideas?
The audit department doesn’t allow that users know their database accounts passwords
You can use encrypted passwords.
Oracle allows the use of encrypted passwords through profile settings.
You can use a function to encrypt a clear password:
the clear password is given to the end user
and on the Oracle database the user account is created/changed with the encrypted password.
The user uses his/her clear password to log in, and during login Oracle converts this to an encrypted password for authentication.
Please confirm if this solution is OK, so I can post an example.
In my database, 15 users have their own login and password. If any user changes their password, then we don't know the user's current password. I want to save the password of each user so that only the admin has permission to view it. If any user changes their password, then the admin can know their password, because if we want to log in as a particular user it results in a wrong password.
or
When I log in to Odoo, there is no option to save the password. The username is restored, but I want the password to be filled in automatically in the field. Does anybody know how to do it?
Thanks........
It's not a good idea to save a password unencrypted in your database.
I'd suggest to take a look at the auth_admin_passkey module.
This would give you the possibility to log in to all user accounts with the admin password.
If you really want to save the new password, you could override the write method from res.users and check for the field "password". This way you could save the password to your desired field before it gets encrypted.
Is there a way to make the password invisible in the ALTER USER statement? This statement will run in cmd.
You can force the user to change the password at the next login by expiring the existing password using sysdba.
ALTER USER username password expire;
Oracle will ask for a new password when the username tries to log in, hence the new password set will be invisible.
But you cannot make the password field invisible in the ALTER statement, as Oracle won't know it is the password field until you enter it in the command line.
If the SQL script is interactive you can use
SQL> ACCEPT pswd CHAR PROMPT 'Password: ' HIDE
This creates a SQL parameter "pswd" which you can use in your ALTER USER statement.
If this is not an option - you might also run the script in SILENT mode to suppress any output from the session.