I am new to ClickHouse so it might be obvious, but I haven't found a solution after an hour of searching.
I tried to do show views to get list of all available views in my DB, but got an error:
Syntax error: failed at position 6 ('views'):
show views;
Expected one of: TABLES, CLUSTER, CHANGED, GRANTS, CREATE, ACCESS, QUOTA, SETTINGS, CURRENT ROLES, PRIVILEGES, PROCESSLIST, CLUSTERS, DATABASES, CURRENT QUOTA, ENABLED ROLES, CREATE, DICTIONARIES, USERS, ROLES, SETTINGS PROFILES, PROFILES, ROW POLICIES, POLICIES, QUOTAS
I checked the official doc on how to list your views but found nothing.
Please point out to me how to get the list of views in ClickHouse.
select database, name from system.tables where engine = 'View'
I want to grant users a permission to save their own queries.
Granted "All" to Discover and Dashboard.
For now users see "save query" as "read-only". I've tried turning on/off "Advanced Settings" and "Saved Objects Management" - nothing works. Is there a way to turn this feature on easily without installing OSQuery? (installed on another cluster, setting it to "All" did a thing)
For now Management in user settings looks like this. Should I change to "All" some of those?
Using ElasticSearch 7.13.1
In order to allow users to save their own queries in Elasticsearch, you will need to grant them the "save" and "save_object" cluster privileges. You can do this by navigating to the "Cluster Privileges" section in the Elasticsearch Management interface, and editing the relevant user or role to include those privileges.
You may need to set the "All" permissions in the Discover and Dashboard, and also check if the user has the save and save_object index privilege on the index they are trying to save queries on.
Additionally, you should check if the user has the manage_saved_objects role. If the user does not have this role, you can assign it to them in the "Roles" section of the Elasticsearch Management interface.
Also, you can check the index-level permissions in index management, if the user has the necessary permissions to create, update and delete saved objects in the index.
I want to give permission to an entire schema in Hasura GraphQL (all tables). Is it possible to give permission to the entire table instead of giving permission one table at a time?
No access control rules in the table.
Please help me..
You can't do it from the web console. If you have a large number of tables, perhaps it's worth scripting it. You can introspect the tables from PG and then use Hasura's metadata API to set up the permissions.
Metadata API
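The scripted approach described in the answer above, as an added example (not part of the original answer and not Hasura's own code): it turns a list of introspected tables into one bulk request for the metadata API. It assumes the Hasura v2 request types `bulk` and `pg_create_select_permission` and a source named `default`; the table rows, the role name `reader` and the excluded table are constructed for illustration.

```python
import json

# Constructed sample: rows as they would come back from
#   SELECT table_schema, table_name FROM information_schema.tables
#   WHERE table_type = 'BASE TABLE' AND table_schema = 'public';
SAMPLE_TABLES = [
    ("public", "articles"),
    ("public", "authors"),
    ("public", "api_keys"),  # hypothetical sensitive table, excluded below
]


def build_select_permissions(tables, role, source="default",
                             exclude=(), row_filter=None):
    """Return a 'bulk' metadata request granting `role` select on each table.

    `exclude` lists (schema, table) pairs that must not be exposed.
    `row_filter` is a Hasura boolean expression; {} means no row restriction.
    """
    excluded = set(exclude)
    args = []
    for schema, name in sorted(tables):
        if (schema, name) in excluded:
            continue
        args.append({
            "type": "pg_create_select_permission",
            "args": {
                "source": source,
                "table": {"schema": schema, "name": name},
                "role": role,
                "permission": {
                    "columns": "*",
                    "filter": row_filter if row_filter is not None else {},
                },
            },
        })
    return {"type": "bulk", "args": args}


if __name__ == "__main__":
    payload = build_select_permissions(
        SAMPLE_TABLES, role="reader", exclude=[("public", "api_keys")])
    print(json.dumps(payload, indent=2))
```

The returned dictionary is the JSON body to POST to the `/v1/metadata` endpoint. Keeping an explicit exclude list and a row filter makes the grant narrower than exposing every column of every table.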
Taking a course on Oracle database security, I have learned profiles are being created to restrict access of some users to some resources. On the other hand, we have functions and policies, which can restrict users too, but I am not clear on the difference between these two. Why do we use profiles when we can create policies for users?
A Profile restricts how much system resource a user is allowed: how many concurrent sessions they can have, how much CPU they can use, etc. We can also use Profiles for password management: how many failed logins they're allowed, how long a password lasts, etc.
So a Profile defines the broad bounds of system usage. It governs hardware and database access.
By "policy" I assume you mean Fine-Grained Access Control. These policies set limits to what a user can see of an individual table: what rows they can see and what columns. So we could use an FGAC policy to allow a manager to see all the details for their direct reports but only certain information for all other employees.
So a Policy applies further restrictions to a table which a user already has access to. Which highlights the missing P from your question.
A Privilege grants a user permission to do a specific thing. By default a user cannot do anything in a database. They can't even connect to it without the CREATE SESSION privilege. There are two levels of Privilege. A System Privilege allows a user to do general activities like create a table, execute any procedure, query the data dictionary, etc. A Table Privilege allows a user to do something with a specific object owned by a different user, such as select from my.employee_table, execute her.string_function, etc.
So you can see how Privileges and FGAC Policies interact. I might grant you select and update on my.employee_table but enforce a policy that only allows you to update records for department 40.
To summarise. There are four levels of user restrictions.
In descending order of breadth:
Profile
System Privilege
Table (i.e. Object) Privilege
FGAC Policy
Note: 12c introduced something called an Audit Policy. Clearly that is relevant to the general topic of Oracle database security but I don't think it's pertinent here.
I have created multiple databases in ClickHouse and a new user. Can I now restrict that newly created user to be able to access a particular database?
In users.xml, in the 'user' section (near profile, quota...), you could specify an optional section:
<allow_databases>
    <database>default</database>
    <database>test</database>
</allow_databases>
If there is no 'allow_databases' section - it means that access to all databases is allowed.
Access to database 'system' is always allowed (because system database is used to process queries).
User could list all databases and tables (using SHOW queries or system tables), even if there is no access.
Database access limits are completely unrelated to 'readonly' settings. There is no possibility to provide full access to one database and readonly access to another.
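A check for the rule stated in the answer above, as an added example (not part of the original answer and not ClickHouse code): it parses a users.xml and reports which users have no 'allow_databases' section and are therefore allowed into every database. The XML fragment, its `<clickhouse>` root element and the user names are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed users.xml fragment: 'default' has no allow_databases section,
# 'reporting' is limited to one database.
SAMPLE_USERS_XML = """
<clickhouse>
  <users>
    <default>
      <profile>default</profile>
      <quota>default</quota>
    </default>
    <reporting>
      <profile>readonly</profile>
      <quota>default</quota>
      <allow_databases>
        <database>test</database>
      </allow_databases>
    </reporting>
  </users>
</clickhouse>
"""


def audit_allow_databases(xml_text):
    """Map each user to its listed databases; None means no section at all.

    Per the answer above, a missing section allows every database, and
    'system' is always reachable even when it is not listed.
    """
    root = ET.fromstring(xml_text)
    users = root.find("users")
    if users is None:
        raise ValueError("no <users> section found")
    result = {}
    for user in users:
        section = user.find("allow_databases")
        if section is None:
            result[user.tag] = None
        else:
            result[user.tag] = sorted(
                d.text.strip() for d in section.findall("database") if d.text)
    return result


def unrestricted_users(xml_text):
    """Users whose access is not limited by an allow_databases section."""
    audit = audit_allow_databases(xml_text)
    return sorted(name for name, dbs in audit.items() if dbs is None)


if __name__ == "__main__":
    print(unrestricted_users(SAMPLE_USERS_XML))
```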
My question is kind of straightforward and so should be the answer.
Talking about ORACLE databases in SQL Developer, we can create connections to users' schemas.
The connection needs to specify the username and the password, and that allows access to the schema of that user. Below the connection, I usually see all the elements of the schema shown within folders like Tables, Views, Indexes, Packages and so on.
But then I also see the folder Other Users just next to those from above. This folder contains a list of other usernames (different from the one you are currently connecting to). Exploring each of these, you see in turn a schema (like a set of elements as from above).
What is this design about? Are they different users sharing the same schema (tables, views, packages, indexes etc.) but with different grants? When do we do that?
Your connection details determine which SCHEMA you will be browsing when you expand the connection tree.
The other users node allows you to browse additional schemas. Your connection user's privileges will determine what you can or can't see in other schemas.
A database object is owned by a single user, or exists in a single schema (which is really the collection of objects owned by a user.) There are no shared objects.