If I try to execute
create table TEST(testColumn VARCHAR(255));
grant insert on TEST to test_user;
revoke insert on TEST from test_user;
I get the following error messages (translated by myself):
1) [REVOKE - 0 row(s), 0.000 secs] [Error Code: -580, SQL State: IX000]
Could not detract access rights.
2) [Error Code: -111, SQL State: IX000] ISAM-Error: No data record was found.
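(English version of error -580: Cannot revoke permission.)
Do you know what is happening here?
Answer 0 (score: 2)
Were all the statements issued by the same user?
This usually happens when trying to revoke a table-level privilege that your account name did not grant.
To find the correct grantee use: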
SELECT a.grantee, a.grantor
FROM systabauth a, systables t
WHERE a.tabid = t.tabid
AND UPPER(t.tabname) = 'TEST';
Then you can issue:
REVOKE INSERT ON TEST FROM 'test_user' AS '<GRANTEE>';
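Another possibility that I did not mention, but that @chris311 figured out, is that you cannot revoke privileges from yourself.
As for what is happening "behind the scenes", here is an example with a database named chris311, owned by chris; keep in mind that I am using the informix user: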
[infx1210@tardis ~]$ id
uid=501(informix) gid=501(informix) groups=501(informix)
[infx1210@tardis ~]$ dbaccess chris311 -
Database selected.
> SELECT name, owner
> FROM sysmaster:sysdatabases
> WHERE name = DBINFO('dbname') ;
name chris311
owner chris
1 row(s) retrieved.
>
Both chris and informix hold the DBA database-level privilege, and ricardo has been granted the CONNECT privilege:
> SELECT username, usertype
> FROM sysusers;
username usertype
chris D
informix D
ricardo C
3 row(s) retrieved.
>
The table tab1 is owned by chris, and chris has granted ricardo all table-level privileges on it:
> SELECT t.tabname, t.owner, a.grantee, a.tabauth, a.grantor
> FROM systabauth a, systables t
> WHERE a.tabid = t.tabid
> AND t.tabname= 'tab1';
tabname tab1
owner chris
grantee ricardo
tabauth su-idxar-
grantor chris
1 row(s) retrieved.
>
If informix wants to revoke the INSERT privilege, it has to use the AS clause to specify chris as the revoker:
> REVOKE INSERT ON tab1 FROM ricardo;
580: Cannot revoke permission.
111: ISAM error: no record found.
Error in line 1
Near character position 33
> REVOKE INSERT ON tab1 FROM ricardo AS chris;
Permission revoked.
> SELECT t.tabname, t.owner, a.grantee, a.tabauth, a.grantor
> FROM systabauth a, systables t
> WHERE a.tabid = t.tabid
> AND t.tabname = 'tab1';
tabname tab1
owner chris
grantee ricardo
tabauth su--dxar-
grantor chris
1 row(s) retrieved.
>
If he tries to revoke his own INSERT privilege, the error is returned as well:
> REVOKE INSERT ON tab1 FROM informix;
580: Cannot revoke permission.
111: ISAM error: no record found.
Error in line 1
Near character position 34
>
Now, if we look up what error 580 means, we get:
[infx1210@tardis ~]$ finderr 580
-580 Cannot revoke permission.
This REVOKE statement cannot be carried out. Either it revokes a
database-level privilege, but you are not a Database Administrator in
this database, or it revokes a table-level privilege that your account
name did not grant. Review the privilege and the user names in the
statement to ensure that they are correct. To summarize the table-level
privileges you have granted, query systabauth as follows:
SELECT A.grantee, T.tabname FROM systabauth A, systables T
WHERE A.grantor = USER AND A.tabid = T.tabid
[infx1210@tardis ~]$
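It does not say anything about revoking your own privileges, but the documentation mentions it. Also, if we take the 111: ISAM error: no record found. and relate it to the fact that the DBA does not appear in systabauth, it kind of makes sense.
The GRANT does not return an error/warning because the DBA already has the privilege; the REVOKE returns one because the operation did not take effect.
Now let's take the DBA role away from chris, and let's do it twice: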
> REVOKE DBA FROM chris;
Permission revoked.
> REVOKE DBA FROM chris;
Permission revoked.
> SELECT username, usertype
> FROM sysusers;
username usertype
chris C
informix D
ricardo C
3 row(s) retrieved.
> SELECT t.tabname, t.owner, a.grantee, a.tabauth, a.grantor
> FROM systabauth a, systables t
> WHERE a.tabid = t.tabid
> AND t.tabname= 'tab1';
tabname tab1
owner chris
grantee ricardo
tabauth su--dxar-
grantor chris
1 row(s) retrieved.
>
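Again, the second REVOKE did not return an error/warning, because it took effect. The user still does not appear in the systabauth table.
But what table-level privileges does he have?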
[infx1210@tardis ~]$ dbaccess chris311 -
Database selected.
> INSERT INTO tab1 VALUES(1);
1 row(s) inserted.
> SELECT * FROM tab1;
col1
1
1 row(s) retrieved.
> DROP TABLE tab1;
Table dropped.
>
He is not a DBA, but he is the owner.
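An added example, not part of the original answer: a small Python audit helper that decodes the tabauth flag string seen in the sessions above and works out which AS clause a REVOKE needs. The function names and the ROWS sample are assumptions of this example; it also assumes the caller holds DBA privilege, as informix does in the answer.

```python
import re

# Flag positions of systabauth.tabauth (Informix system catalog). A lowercase
# letter means the privilege is held, uppercase means WITH GRANT OPTION, and
# position 3 is '*' when column-level privileges exist.
TABAUTH_POSITIONS = ["SELECT", "UPDATE", "COLUMN-LEVEL", "INSERT", "DELETE",
                     "INDEX", "ALTER", "REFERENCES", "UNDER"]
IDENT = re.compile(r"[A-Za-z_][A-Za-z0-9_]*")

# Constructed sample: the systabauth row shown in the answer's dbaccess session.
ROWS = [{"tabname": "tab1", "owner": "chris", "grantee": "ricardo",
         "tabauth": "su-idxar-", "grantor": "chris"}]


def decode_tabauth(tabauth):
    """Return {privilege: with_grant_option} for a 9-character tabauth value."""
    flags = tabauth.ljust(len(TABAUTH_POSITIONS), "-")
    held = {}
    for name, ch in zip(TABAUTH_POSITIONS, flags):
        if ch not in "- ":
            held[name] = ch.isupper()
    return held


def plan_revoke(rows, table, privilege, grantee, current_user):
    """Return the REVOKE statements needed; [] means no matching grant exists
    in systabauth, the case that fails with -580 / ISAM 111 above."""
    privilege = privilege.upper()
    if privilege not in TABAUTH_POSITIONS or privilege == "COLUMN-LEVEL":
        raise ValueError(f"unsupported privilege: {privilege!r}")
    statements = []
    for row in rows:
        if row["tabname"] != table or row["grantee"] != grantee:
            continue
        if privilege not in decode_tabauth(row["tabauth"]):
            continue
        # Names end up inside SQL text, so accept plain identifiers only.
        for name in (table, grantee, row["grantor"]):
            if not IDENT.fullmatch(name):
                raise ValueError(f"unexpected identifier: {name!r}")
        stmt = f"REVOKE {privilege} ON {table} FROM {grantee}"
        if row["grantor"] != current_user:
            stmt += f" AS {row['grantor']}"  # revoke on behalf of the grantor
        statements.append(stmt + ";")
    return statements


if __name__ == "__main__":
    for user in ("informix", "chris"):
        print(user, plan_revoke(ROWS, "tab1", "insert", "ricardo", user))
```

An empty result for a grantee is also a useful audit signal: that user's access comes from DBA status or table ownership, not from a row in systabauth.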