Grant and Revoke on a table in Informix
If I try to execute
create table TEST(testColumn VARCHAR(255));
grant insert on TEST to test_user;
revoke insert on TEST from test_user;
I get the following error message (translated from German by myself):
1) [REVOKE - 0 row(s), 0.000 secs] [Error Code: -580, SQL State: IX000]
Could not detract access rights.
2) [Error Code: -111, SQL State: IX000] ISAM-Error: No data record was found.
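(The English version of error -580: Cannot revoke permission)
Do you have any idea what's going on here?
Are all statements issued by the same user?
This usually happens when trying to revoke a table-level privilege that your account name did not grant.
To find the right grantee, use: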
SELECT a.grantee, a.grantor
FROM systabauth a, systables t
WHERE a.tabid = t.tabid
AND UPPER(t.tabname) = 'TEST';
Then one can issue:
REVOKE INSERT ON TEST FROM 'test_user' AS '<GRANTEE>';
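Another possibility, which I didn't mention but @chris311 figured out, is that you cannot revoke privileges from yourself.
As for what happens "behind the scenes", take the following example: a database named chris311, owned by chris. Bear in mind that I am using the informix user: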
[infx1210@tardis ~]$ id
uid=501(informix) gid=501(informix) groups=501(informix)
[infx1210@tardis ~]$ dbaccess chris311 -
Database selected.
> SELECT name, owner
> FROM sysmaster:sysdatabases
> WHERE name = DBINFO('dbname') ;
name chris311
owner chris
1 row(s) retrieved.
>
Both chris and informix have the DBA database-level privilege, and ricardo was granted the CONNECT privilege:
> SELECT username, usertype
> FROM sysusers;
username usertype
chris D
informix D
ricardo C
3 row(s) retrieved.
>
chris owns a table, tab1, on which ricardo was granted ALL table-level privileges by chris:
> SELECT t.tabname, t.owner, a.grantee, a.tabauth, a.grantor
> FROM systabauth a, systables t
> WHERE a.tabid = t.tabid
> AND t.tabname= 'tab1';
tabname tab1
owner chris
grantee ricardo
tabauth su-idxar-
grantor chris
1 row(s) retrieved.
>
Then, if informix wants to revoke the INSERT privilege, he has to use the AS clause to specify chris as the revoker:
> REVOKE INSERT ON tab1 FROM ricardo;
580: Cannot revoke permission.
111: ISAM error: no record found.
Error in line 1
Near character position 33
> REVOKE INSERT ON tab1 FROM ricardo AS chris;
Permission revoked.
> SELECT t.tabname, t.owner, a.grantee, a.tabauth, a.grantor
> FROM systabauth a, systables t
> WHERE a.tabid = t.tabid
> AND t.tabname = 'tab1';
tabname tab1
owner chris
grantee ricardo
tabauth su--dxar-
grantor chris
1 row(s) retrieved.
>
If he tries to revoke the INSERT privilege from himself, an error is also returned:
> REVOKE INSERT ON tab1 FROM informix;
580: Cannot revoke permission.
111: ISAM error: no record found.
Error in line 1
Near character position 34
>
Now, if we look up what error 580 means, we get:
[infx1210@tardis ~]$ finderr 580
-580 Cannot revoke permission.
This REVOKE statement cannot be carried out. Either it revokes a
database-level privilege, but you are not a Database Administrator in
this database, or it revokes a table-level privilege that your account
name did not grant. Review the privilege and the user names in the
statement to ensure that they are correct. To summarize the table-level
privileges you have granted, query systabauth as follows:
SELECT A.grantee, T.tabname FROM systabauth A, systables T
WHERE A.grantor = USER AND A.tabid = T.tabid
[infx1210@tardis ~]$
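It doesn't say anything about revoking privileges from himself, but the documentation mentions it. Also, if we think about 111: ISAM error: no record found. and relate it to the fact that the DBA does not appear in systabauth, it kind of makes sense.
The grant doesn't return an error/warning because the DBA already has the privilege; the revoke returns one because the operation didn't take effect.
Now let's take the DBA role from chris, and let's do it twice: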
> REVOKE DBA FROM chris;
Permission revoked.
> REVOKE DBA FROM chris;
Permission revoked.
> SELECT username, usertype
> FROM sysusers;
username usertype
chris C
informix D
ricardo C
3 row(s) retrieved.
> SELECT t.tabname, t.owner, a.grantee, a.tabauth, a.grantor
> FROM systabauth a, systables t
> WHERE a.tabid = t.tabid
> AND t.tabname= 'tab1';
tabname tab1
owner chris
grantee ricardo
tabauth su--dxar-
grantor chris
1 row(s) retrieved.
>
Again, the second REVOKE doesn't return an error/warning because it is already in effect. The user still doesn't appear in the systabauth table.
But what table-level privileges does he have?
[infx1210@tardis ~]$ dbaccess chris311 -
Database selected.
> INSERT INTO tab1 VALUES(1);
1 row(s) inserted.
> SELECT * FROM tab1;
col1
1
1 row(s) retrieved.
> DROP TABLE tab1;
Table dropped.
>
He is not a DBA, but he is the owner.
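An added example, not part of the original answer: a small Python audit helper that decodes the tabauth string from systabauth and picks the REVOKE form described above, adding the AS clause when the grant was recorded under another grantor. The function names are hypothetical, the rows are constructed from the session output in the answer, and it assumes the caller is allowed to use AS, as the DBA informix is on this page.

```python
# Added example: decode systabauth.tabauth and pick the REVOKE form.
# Flag order follows the Informix catalog layout of tabauth; an uppercase
# letter means the privilege was granted WITH GRANT OPTION.
TABAUTH_FLAGS = [("s", "SELECT"), ("u", "UPDATE"), ("*", "COLUMN-LEVEL"),
                 ("i", "INSERT"), ("d", "DELETE"), ("x", "INDEX"),
                 ("a", "ALTER"), ("r", "REFERENCES"), ("n", "UNDER")]


def decode_tabauth(tabauth):
    """Map each privilege set in tabauth to True if it carries grant option."""
    return {name: ch.isupper()
            for ch, (flag, name) in zip(tabauth, TABAUTH_FLAGS)
            if ch.lower() == flag}


def plan_revoke(rows, table, privilege, grantee, current_user):
    """Build REVOKE statements from (tabname, grantee, grantor, tabauth) rows.

    Raises LookupError when systabauth holds no matching grant, which is
    the case the server reports as -580 with ISAM error -111.
    """
    statements = []
    for tabname, row_grantee, grantor, tabauth in rows:
        if (tabname, row_grantee) != (table, grantee):
            continue
        if privilege not in decode_tabauth(tabauth):
            continue
        stmt = f"REVOKE {privilege} ON {table} FROM {grantee}"
        if grantor != current_user:
            stmt += f" AS {grantor}"  # grant was made by another account
        statements.append(stmt + ";")
    if not statements:
        raise LookupError(f"no {privilege} grant on {table} for {grantee}")
    return statements


# Constructed rows, copied from the session output shown in the answer.
BEFORE = [("tab1", "ricardo", "chris", "su-idxar-")]
AFTER = [("tab1", "ricardo", "chris", "su--dxar-")]

if __name__ == "__main__":
    print(plan_revoke(BEFORE, "tab1", "INSERT", "ricardo", "informix"))
    print(plan_revoke(BEFORE, "tab1", "INSERT", "ricardo", "chris"))
    print(sorted(decode_tabauth("su--dxar-")))
```

Feed it the rows returned by the systabauth/systables join used in the answer; a LookupError means no grant is recorded for that grantee, which is why revoking from a DBA who has no systabauth row fails.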