The database created in Java DB (Derby) was set-up as follows to allow authentication and authorization:
CALL SYSCS_UTIL.SYSCS_SET_DATABASE_PROPERTY('derby.connection.requireAuthentication','true');
CALL SYSCS_UTIL.SYSCS_SET_DATABASE_PROPERTY('derby.user.normal', 'normal');
CALL SYSCS_UTIL.SYSCS_SET_DATABASE_PROPERTY('derby.database.fullAccessUsers', 'sa');
CALL SYSCS_UTIL.SYSCS_SET_DATABASE_PROPERTY('derby.database.readOnlyAccessUsers', 'normal');
CALL SYSCS_UTIL.SYSCS_SET_DATABASE_PROPERTY('derby.database.defaultConnectionMode', 'readOnlyAccess');
The "sa" username was created during database creation so it is the owner of the database.
And this works as intended. I can log in as "sa" user and have full access. Or log in as "normal" users and be restricted to read only access.
Now, I want to use SQL authorization to grant specific permissions to specific users.
To do this I have to switch on SQL authorization first by executing following command:
CALL SYSCS_UTIL.SYSCS_SET_DATABASE_PROPERTY('derby.database.sqlAuthorization', 'true');
Problem is, that after login in again under "sa" the system reports that I have no rights for SELECT and other statements. Moreover I loose complete ownership on the database.
Why Derby suddenly denies access to any user including the owner after executing the statement that switches on the SQL authorization?
P.S. I use Apache Derby Network Server - 10.9.1.0 which was a part of Java EE 7 installation for NetBeans 7.3
P.S 2. When after SQL authorization is set to true I try to use GRANT statement I receive following SQL error code:
SQL state 42506: User 'SA' is not the owner of Table/View 'SA'.'DOCTYPES'.
Even though the whole database was created using this username.
Related
I'm not a DB expert, my boss has retired and it's up to me now. He created a production database, and a test database on another server with same username/password and schema name test_SameAsOtherDB. I'm trying to pull the live data from the production table, into the test DB table, but there are no privileges for me to do so.
I tried by logging into my production DB and "grant select on mytable_name to testDB.mytable_name;" but it gives me the error "ORA-00933: SQL command not properly ended".
I've tried all the combinations of user/password/schema that I could think of, but none work.
Everything I've researched says use "GRANT select on tablename to USER" but the user is the same on each DB.
Hope I made sense, any help would be appreciated.
Thanks,
John
You access a database on another server through a DATABASE LINK, not with the syntax to access an object in another schema on the same server.
You must create the DBLINK using the "CONNECT TO user IDENTIFIED BY password" syntax. (And the user used to execute "CREATE DATABASE LINK" must have the privilege to do...)
Then you will be able to "SELECT ... FROM mytable_name#DBLINK_TESTDB" assuming you named the DBLINK "DBLINK_TESTDB" with the same rights the user used in the "CONNECT TO" statement has in the target DB.
(And change that policy having the same passwords in all environment...)
Iam creating an app to change the password of selected Db user account.When an user select a particular db name and user of the db then click submit button i should call procedures that changes the password of the db user.So guide me how to connect to selected db from oracle Apex and do it.
As far as I can tell, there are two ways to change someone's password:
connect as that user
connect as a privileged user (such a SYS)
and run such a command:
alter user scott identified by tiger;
As you'd want to do that for any database you have a access to, as well as every user in those databases, I doubt that you know their passwords so I guess that you'll connect as a privileged user to all those databases. Of course, you have to know their passwords.
One option would be to
create the same stored procedure (which will modify someone's password) in every database
it'll accept username and its new password
as alter table is DDL, you'll have to use dynamic SQL (execute immediate)
create database links to those databases in a schema you use to connect to your Apex application
depending on database you choose, call appropriate procedure via database link and pass chosen username and its new password. This might also require some kind of dynamic SQL, if you want to use different DB link name
I don't know which database version you use, but - have a look at 11g's Accessing and Modifying Information in Multiple Databases, especially "Running a Stored Procedure in a Remote Oracle Database" chapter for more info.
I just downloaded the Oracle Database 11g and I can't select,create,update or do anything. Every command that I entered and run only results to "ORA-01435: user does not exist"
What are the things that i need to do in order to enable creating and running some commands?
Here is a picture of ORA-01435: user does not exist
Please look at right upper corner SCHEMA:XS$NULL:
From Securing Oracle Database User Accounts
XS$NULL
An internal account that represents the absence of a user in a session. Because XS$NULL is not a user, this account can only be accessed by the Oracle Database instance. XS$NULL has no privileges and no one can authenticate as XS$NULL, nor can authentication credentials ever be assigned to XS$NULL.
Expired and locked
You need to change it to some specific schema.
I want to create a new database on an Oracle server via JDBC. I cannot seem to connect to the database without providing an SID: using a URL like jdbc:oracle:thin:#//[IP]:1521 results in an error of "ORA-12504, TNS:listener was not given the SID in CONNECT_DATA"
Alternatively, if I log into a specific SID, I can run most DDL commands except for CREATE DATABASE foo which fails with an error of "ORA-01100: database already mounted"
How am I supposed to create a database if I cannot connect to the server without specifying a specific database and cannot create a database if I am already logged into a specific database?
AFAIK creating a database needs an internal and direct connection which can only be done by logging in directly on the server (normally a user account called 'oracle').
One reason for that: users are stored in the database itself. No database = no user to connect to by an external client.
Please also note Justin's comment about oracles database schemas. This is probably what you are looking for
What you need are following commands:
CREATE TABLESPACE CREATE USER and few GRANT ... TO ... -- to have rights to connect and create objects, at least
We want to allow DB access (Oracle) to our users only through our own application - let's call it "ourTool.exe", installed locally on the users computers. Currently, the users must provide username/password whenever they start "ourTool". The provided password password gets decrypted and we use username/decrypted-password to finally log in to the Oracle DB. This approach prevents the users from directly accessing our DB using third party tools (SQLplus, Excel, Access, ...) and everything in the DB is guaranteed to have been entered/edited using "ourTool".
Now, one of our clients wants to allow its users "single sign-on" (with SmartCards/Oracle PKI). With this, the user will be able connect to our DB without providing any password every time they start "ourTool". But the same will be true for the potentially dangerous tools like SQLplus, Excel, Access, etc.
Is there a way to prevent this? How can we make sure that every record in our DB is only created/edited/deleted using "ourTool" in this scenario?
Since it's your application and you have control of the source, you can use either password protected database roles or Secure Application Roles that are enabled from ourTool.exe. (see http://www.oracle.com/technology/obe/obe10gdb/security/approles/approles.htm ).
For example, with a password-protected database role, the initial connection would be with only the CREATE SESSION privilege, and then ourTool.exe would issue the SET ROLE with password known only to you. Any other application doesn't have the information to set the role. Obviously, the privileges are granted only to the role and not directly to the user in this configuration.
By default, OCI transmits the calling application EXE name and you can access it by querying v$session:
SELECT program
FROM V$SESSION
, which you can do in an AFTER LOGON trigger.
But this can be easily overriden and should not be relied upon.
I renamed my sqlplus.exe to myTool.exe and after making a connection with myTool.exe
SELECT program
FROM V$SESSION
where username = 'SYSTEM';
Returns:
myTool.exe
So be aware, as Quassnoi said: although usable in some circumstances it's certainly not bullit proof.