Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Enhancement - Export grants and received grants #37

Open
arno82 opened this issue Jul 2, 2015 · 12 comments
Open

Enhancement - Export grants and received grants #37

arno82 opened this issue Jul 2, 2015 · 12 comments

Comments

@arno82
Copy link
Collaborator

arno82 commented Jul 2, 2015

I added a functionality that allows us to export all grants into a separate directory. The old behaviour of putting the grants to the parent DDL object is not affected by my change.
Additionally I added a function that exports all grants I receive from other schemes!

So I get every grant that my scheme/application needs and everything i grant to others as well.
I named the new objects/folders "GRANTS" and "RECEIVED_GRANTS".

If someone is interested I could commit my changes, or simply provide a patch file here.

Let me know.
@arno82 arno82 mentioned this issue Nov 13, 2015
Open
@arno82 arno82 mentioned this issue Feb 17, 2016
Closed
@andyluu85
Copy link

That would be a useful function.

Will you be able to execute the RECEIVED_GRANTS? I assume not?

@qwazer
Copy link
Owner

qwazer commented Feb 17, 2016

Arno, can you provide patch or pull request?
Does this functionality need additional user privilege like sys_dba?
It can be disabled by default?

@arno82
Copy link
Collaborator Author

arno82 commented Feb 17, 2016

Not without the appropriate permissions, which you normally don't have in your schema.

But the filename has the foreign schemaname as prefix so you see clearly where to execute those received grants.

E.g. the file:
SCOTT_emp.sql
contains
GRANT SELECT ON "SCOTT"."EMP" TO MY_SCHEMA_NAME

@arno82
Copy link
Collaborator Author

arno82 commented Feb 17, 2016

Answering qwazer question:
It can be disabled by the
-tfm exclude 'RECEIVED_GRANT'
mechanism, but that would not be default.

Is this a hard requirement for you?

@qwazer
Copy link
Owner

qwazer commented Feb 17, 2016

Yes. I think it must be optional behavior, because

  1. It's confusing
  2. it's really expert option
  3. as i understand, it need some special rights in oracle db.

@arno82
Copy link
Collaborator Author

arno82 commented Feb 17, 2016

Anyway, I attach the patch here for you to see if it's ok.
I could then commit it directly to the project if you want.
Sadly it is mixed with issue 39 which is a bugfix for a different problem.
patch_issue37_issue39.txt

@arno82
Copy link
Collaborator Author

arno82 commented Feb 17, 2016

No you don't need special rights.
Only if you want to execute those received grant file to gain the grants, you have to do it in the schema that granted it to you.
You understand what I mean and what the features does? Otherwise we could go into detail per email if you want. I think it's very useful.

@arno82
Copy link
Collaborator Author

arno82 commented Feb 17, 2016

I'll try to give an simple explanation of the feature:

My schema is SCHEMA_ARNO with a table TABLE_ARNO inside.
If I give SELECT grants to SCOTT schema I will now receive a file in the GRANTS folder which contains the grant.

If SCOTT grants me SELECT to EMP table, I receive a file in the RECEIVED_GRANTS folder which contains the grant that he provided me to this table.

At the end I see what I grant to others and what others grant to me, and I can recreate those grants if needed.
This could be the case if the SCOTT schema gets dropped and restored from backup. Then all my grants to SCOTT are gone and needs to be recreated by me.

@qwazer
Copy link
Owner

qwazer commented Feb 17, 2016

I agree, that it is useful feature. But I want to keep backward compatibility. So replacing old grants in parent DDL with new file it's not a good idea from this point of view.
Adding new files with RECEIVED_GRANTS is allowed.
I quickly looked at your patch. it need some polishing.

  1. For example, following java naming conventions in public String findReceivedGrantDDL(String name, String **G**rantSchema) {
  2. Changing of DDLFormatter is not desirable for backward compatibility reasons.

@qwazer
Copy link
Owner

qwazer commented Feb 17, 2016

Just for your info. I rarely work with Oracle now.
My main database now is IBM DB2. And it has different permission mechanism without schemes-as-user based grants
I need some time to switch back to Oracle-based thinking.

@arno82
Copy link
Collaborator Author

arno82 commented Feb 18, 2016

Regarding backward compat:
I'm not replacing the grants from the parentDDL with the ones from this new GRANTS dir!
The new dir is additionally. The old behaviour is untouched!

Naming:
You're right. This is possibly not following your conventions. Please change it as needed.

DDLFormatter:
It's not necessary to take this change. I added it because it's better when importing the files to have the SET DEFINE OFF clause at the beginning.

And don't worry about the Oracle part of scheme2ddl. I'm having an eye on it because it is my main focus.
I try to stay in sync between my own scheme2ddl development (outside of GIT) and this GIT, but it is not absolutely necessary of course.

@xorader
Copy link

xorader commented Apr 26, 2017

I was do it (export all USER and SYSTEM grants) in my fork here https://github.com/xorader/scheme2ddl/tree/3.x_patches_from_xorader

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
4 participants
@xorader @qwazer @andyluu85 @arno82