Why do I get permission denied when querying a view in AWS Redshift but not when running the query used to make the view?
When I try to run:
SELECT * FROM "dev"."public"."stg_kfdb_answers_flattened";
I get the error:
ERROR: permission denied for relation answers [ErrorId: 1-63c08c6b-616566234b35efdf64d5f06c]
But stg_kfdb_answers_flattened is a view, with the definition being:
CREATE
OR
REPLACE
VIEW "public".stg_kfdb_answers_flattened AS
SELECT
json_extract_path_text(answers.document ::text, '_id' ::text) AS id,
<etc.>,
FROM
<source_schema>.<source_table>;
When I run the query by itself, it works just fine. But when I create the view, as you see above, it gives me a permission denied error.
I have already tried giving myself permissions with statements like from this previous question.
GRANT ALL PRIVILEGES ON ALL TABLES IN SCHEMA public to jerry;
GRANT ALL PRIVILEGES ON ALL SEQUENCES IN SCHEMA public to jerry;
GRANT ALL PRIVILEGES ON ALL FUNCTIONS IN SCHEMA public to jerry;
But none of these have seemed to help. What am I doing wrong?
Related
I am facing problem in redshift where certain user cannot change its password. But users created by it can change their own password.
e.g:
when logged in as 'or_user' (I dont know how this original user was created, but it cant change its password. I tried below:)
select md5('password123' || 'or_user');
ALTER USER or_user WITH PASSWORD 'md5<hash>';
getting 'ERROR:permission denied'
But when I create user 'demo_user' using 'or_user', 'demo_user' is able to change its password, below commands:
ALTER USER demo_user WITH PASSWORD 'md5<hash>'; its getting success.
Additionally when I tried to grant system privilege to or_user using admin I get below error:
GRANT ALTER USER TO or_user;
ERROR: Grant/Revoke system privilege on User is not supported.
I have read postgres/redshift by default user can change there own password.
Maybe or_user does not have ALTER USER permission please help me with GRANT ALTER USER statement and how to find what permission this or_user have in all like CREATE USER, ALTER USER, DROP USER, .... like mostly database permissions.
i've a problem to run a job in google dataprep.
I set up a connection through an external database on google sql. In big query I imported the database connection. In google data prep I selected the table to do some operations. I tried to create a very simple flow by joining two tables. After that, run job. By doing the first "tour" I ran a test job and it worked properly. I can't get it working, although the account is owner . I've tried with another account to which I gave owner permissions.
The error code I see in the job run logs is:
Caused by: com.google.api.client.googleapis.json.GoogleJsonResponseException: 403 Forbidden
{
"code" : 403,
"errors" : [ {
"domain" : "global",
"message" : "Access Denied: Project nameproject: User does not have bigquery.jobs.create permission in project nameprogect.",
"reason" : "accessDenied"
} ],
"message" : "Access Denied: Project nameproject: User does not have bigquery.jobs.create permission in project nameproject.",
"status" : "PERMISSION_DENIED"
}
ps: I'm not working with the API but directly in the google data prep panel.
I checked the google documentation but I didn't find much, besides the fact that to run the jobs you have to be the owner of the project.
My user has User permission of big query "Access to run jobs"
Thank you for the help.
Matteo
bigquery.jobs.create is a role assigned to:
BigQuery Admin
BigQuery Job User
BigQuery User
You'll need to assign one of these roles to the account running the tasks to proceed past this error. You can go to IAM & Admin > Roles in the GCP panel to look at which roles are assigned to particular titles, a handy way to see which levels you may need to grant.
The bigquery.jobs.create permission has to be assigned to the compute service account PROJECT_NUMBER-compute#developer.gserviceaccount.com.
Try to add to that service account the permissions:
Storage/Storage Object Viewer
BigQuery/BigQuery User
You can do it by going to the Hamburger Menu in the Console->IAM & Admin->IAM and clicking on the pencil icon at the right side of the service account.
I'm following the tutorial from here: https://community.snowflake.com/s/article/Amplifying-Outcomes-with-Snowflake
In PowerBI Desktop, I'm trying to "Get Data" and receive the following error: Details: "ODBC: ERROR [28000] Role 'POWERBI_ROLE' specified in the connect string is not granted to this user. Contact your local system administrator, or attempt to login with another role, e.g. PUBLIC.
ERROR [28000] Role 'POWERBI_ROLE' specified in the connect string is not granted to this user. Contact your local system administrator, or attempt to login with another role, e.g. PUBLIC."
In snowflake I've added the role to the user by using the query:
ALTER USER POWERBI_USER_ACCOUNT SET DEFAULT_ROLE=POWERBI_ROLE;
I've done this multiple times in snowflake, and did not receive an
error.
I've tried editing the ODBC connection in the "ODBC Data Source
Administrator (64-bit)" WIndows OS pref pane, and used the role
PUBLIC as suggested, but still receive the same error.
Any suggestions?
Also, does snowflake provide technical support, or are users left to post in public forums for technical support? A bit confused.
You need to run the following to grant the role to the user
GRANT ROLE POWERBI_ROLE TO USER POWERBI_USER_ACCOUNT
Looks like the article is missing this step.
Snowflake does provide tech support, you need to work with your account rep to set it up.
Am trying to migrate my oracle database to a AWS Redshift cluster, and am following the steps as documented here in the AWS website.
When I try to create a project in AWS Schema Conversion Tool, configure for Oracle (running in my laptop), am unable to get successfull connection, and here is the error
Connection to 'jdbc:oracle:thin:#localhost:1521:orcl' wasn't
established. ERROR: code: 28009; message: ORA-28009: connection as SYS
should be as SYSDBA or SYSOPER
Please note that in Schema Conversion Tool project page, I don't see a section "Connect as SYSDBA" option? I tried with some other sample users such as SCOTT, and I get Insufficient privileges.
With the same configurations am able to connect from a sql client, SQLWorkbench.
Appreciate any help please. Thanks
To connect to Schema conversion tool you need a user having permissions as connect ,select_catalog_role and select any dictionary. Make sure these permissions are set correctly. Either create a new user with these permissions or modify rights of exiting user. SYS\SYSDBA will not be helpful.
As you are in localhost, with given permissions, you should be able to connect.
You can also connect using sys, in user name field provide the user name like this
sys as sysdba
As per the AWS documentation if Oracle is a source DB then user should be created like this.
CREATE USER oracle_sct_user IDENTIFIED BY password;
GRANT CONNECT TO oracle_sct_user;
GRANT SELECT_CATALOG_ROLE TO oracle_sct_user;
GRANT SELECT ANY DICTIONARY TO oracle_sct_user;
and AWS DMS requires oracle user to have some privileges, detail can be found here.
https://docs.aws.amazon.com/dms/latest/sbs/CHAP_Oracle2PostgreSQL.Steps.ConfigureOracle.html
I use mysql c++ wrapper in client side to connect to mysql server. When user establishes connection to mysql server I want to know whether the user have privileges like root (i.e. GRANT ALL PRIVILEGES ON *.* TO 'username'#'%' WITH GRANT OPTION).The SHOW GRANTS FOR CURRENT_USER query gives grants for current user, but i need to parse the string and compare to know whether the current user have privileges like root. I am looking for an alternative options.
You could query the various tables in mysql.* and compare the permissions fields between the accounts. Of course, you'd have to account for variances in the host/user fields, as MySQL considers root#localhost to be a completely different account than root#% and root#10.0.0.1 etc..
select * from mysql.TABLE where User in ('root', 'youraccount', 'someotheraccount');
where TABLE is 'user', 'db', 'func', etc...
Why not just perform a test action that would only be able to be accomplished by a 'root' superuser.. and if it fails you're out of luck, but if it works, you'd be in business?