I'm configuring an Oracle VM taken from here and want to tweak the default schema generated there as an example of the Flyway integration.
The Flyway is used there to create a new Oracle schema called MYSCHEMA. So the Flyway user is system (default Oracle dba) and the password is system's password, that is:
<flyway.user>system</flyway.user>
<flyway.password>manager</flyway.password>
<flyway.schemas>MYSCHEMA</flyway.schemas>
Now I have two tasks:
I need to set a specific password for MYSCHEMA or at least to know what password has the Flyway set for it.
I need to set specific user permissions (GRANTs) for the MYSCHEMA user.
Both tasks should be executed by system user. Besides, there is no point to run them on every migration. Once is enough.
Can I do it inside the Flyway using callbacks or migrations?
Update: default password seem to be "flyway", but the MYSCHEMA lacks CREATE SESSION privilege.
Related
Iam creating an app to change the password of selected Db user account.When an user select a particular db name and user of the db then click submit button i should call procedures that changes the password of the db user.So guide me how to connect to selected db from oracle Apex and do it.
As far as I can tell, there are two ways to change someone's password:
connect as that user
connect as a privileged user (such a SYS)
and run such a command:
alter user scott identified by tiger;
As you'd want to do that for any database you have a access to, as well as every user in those databases, I doubt that you know their passwords so I guess that you'll connect as a privileged user to all those databases. Of course, you have to know their passwords.
One option would be to
create the same stored procedure (which will modify someone's password) in every database
it'll accept username and its new password
as alter table is DDL, you'll have to use dynamic SQL (execute immediate)
create database links to those databases in a schema you use to connect to your Apex application
depending on database you choose, call appropriate procedure via database link and pass chosen username and its new password. This might also require some kind of dynamic SQL, if you want to use different DB link name
I don't know which database version you use, but - have a look at 11g's Accessing and Modifying Information in Multiple Databases, especially "Running a Stored Procedure in a Remote Oracle Database" chapter for more info.
I granted the CREATE SESSION privilege to a recently created database user, and I granted him the SELECT privilege on some objects for different database schemas.
I find an apps schema (SCHEMA#) in v$session that is different from the database USERNAME recently created, and I would like to understand the phenomenon.
I think that he executes alter session set current schema and I would like to know if is it possible to revoke alter session privilege in Oracle 11g.
The documentation for the alter session statement says:
To enable and disable the SQL trace facility, you must have ALTER SESSION system privilege.
To enable or disable resumable space allocation, you must have the RESUMABLE system privilege.
You do not need any privileges to perform the other operations of this statement unless otherwise indicated.
As you don't need any privileges to perform alter session set current_schema, there is nothing you can revoke to prevent that being done. If you had actually granted alter session - which you haven't, from what you said - then you could of course still revoke that, but it would make no difference to the ability to change the current schema.
But this isn't really a problem, and is mentioned in the security guide as a good thing:
For example, a given schema might own the schema objects for a specific application. If application users have the privileges to do so, then they can connect to the database using typical database user names and use the application and the corresponding objects. However, no user can connect to the database using the schema set up for the application. This configuration prevents access to the associated objects through the schema, and provides another layer of protection for schema objects. In this case, the application could issue an ALTER SESSION SET CURRENT_SCHEMA statement to connect the user to the correct application schema.
Your recently-created user does not have any additional privileges or abilities simply by changing their current schema. They have not 'become' that schema; they can still only do the things you specified by granting select privileges on objects. They can't see anything else, and can't do any more to the objects they can see. They haven't inherited any of the privileges that schema has - so they can't create or drop objects under that schema, for instance. (You would have to explicitly grant them additional any privileges, which presumably you have no intention of doing.)
What they can do is reference those objects without having to prefix them with the schema name, and without having to create synonyms. But they can still only select from them (if that is the only privilege you granted).
I've downloaded the official oracle docker image for Oracle Database EE. I've got a flyway configuration and often run flyway:clean against the locally installed XE version of the database. However flyway tells me it is not allowed to clean the database in the docker image, but it can migrate it.
Is there a way to force flyway to clean the oracle db?
To answer the questions from the comments:
Here's the error message when running flyway through maven:
org.flywaydb.core.api.FlywayException: Clean not supported on Oracle for system schema "SCHEMA_OWNER"! It must not be changed in any way except by running an Oracle-supplied script! -> [Help 1]
The user I connect with was created with alter session set "_ORACLE_SCRIPT"=true;
Flyway will throw this exception if the current schema is considered a system schema:
#Override
protected void doClean() throws SQLException {
if (isSystem()) {
throw new FlywayException("Clean not supported on Oracle for system schema " + database.quote(name) + "! " +
"It must not be changed in any way except by running an Oracle-supplied script!");
}
A schema is considered to be a system schema if it in a list of known default schemas or has ORACLE_MAINTAINED = 'Y'.
Creating the user with alter session set "_ORACLE_SCRIPT"=true; sets ORACLE_MAINTAINED = 'Y' for the user / schema.
There are two kinds of database in Oracle 12c: a Container Database (CDB) and a Pluggable Database (PDB). This is to support Multitenancy.
You are currently creating the user in the CDB, which would be a common user across all PDBs. In that case, you must either prefix the user name with c##:
create user c##scott identified by tiger;
or use the alter session set "_ORACLE_SCRIPT"=true;, otherwise you will get the error:
ORA-65096: invalid common user or role name in oracle
The alternative is to connect to a PDB and create a local user there (no prefix required and the user will only exists in that PDB), e.g.:
sqlplus sys/Oradoc_db1#ORCLPDB1 as sysdba
create user scott identified by tiger;
The update the Flyway url to connect to that PDB as that user:
-url=jdbc:oracle:thin:#oracle-ee:1521/orclpdb1.localdomain -user="scott" -password=tiger
I have a Java webapp (WAR) that is to be run in JBOSS.
That webapp is to create connections to an Oracle database using a username/password for a user that is given read-only permissions.
The webapp queries tables belonging to a different schema. I do this by qualifying each table name in my SQL queries.
However, I would like to parameterise this in my datasource, since the schema names can be different in different environments.
Is there a way to define a JBOSS data source which logs in as User A for each connection, but uses Schema B for all queries?
One way to do it is to use the new-connection-sql or check-valid-connection-sql datasource properties to execute ALTER SESSION SET CURRENT_SCHEMA=yourschema, which will change the default schema for each connection.
Recommended way is to create synonyms in Oracle for your User A to access tables in schema owned by User B. This way you can even grant specific privileges to user A to select, update, insert on tables owned by the other UserB.
I'm looking to get Flyway migrations setup with Oracle 12C, however running the 'flyway baseline' I received the following error on schema_table creation.
Message : ORA-01950: no privileges on tablespace 'USERS'
The end-goal here with this setup is to get a CI and CD process that can create an Oracle Database (with DBCA) then run flyway migrate to migrate the database to the latest version.
With that in mind, how can I get passed this issue? Do i need to create the scheme and Tablespace configuration outside of Flyway before I do anything?.
Edit: Moudiz has suggested ALTER USER quota 100M on USERS, whilst that does get me passed the issue. I'd be more interested in a solution in the area of dbca/flyway configuration. Any extra 'tweak' script i need to run for deployment is not ideal.
this statement should help you.
ALTER USER <user> quota 100M on USERS