我有一个表AAA,并在其上创建了一个安全视图BBB,并具有以下定义:create or replace secure view BBB as select * from AAA
我已授予BBB角色RRR的选择特权。
当我使用RRR执行select * from BBB时会抛出SQL compilation error: Failure during expansion of view 'BBB': SQL compilation error: Object 'AAA' does not exist or not authorized.
现在,当我授予AAA上的角色RRR的选择特权时,
同一查询工作正常。安全视图应该如何工作?因为在这种情况下,仍然可以访问该表,并且可以通过直接访问该表来丢弃任何强加于视图的限制。听起来一点也不安全。
我在这里想念什么?
除了对视图具有SELECT特权外,您还需要在包含该视图的数据库和模式上授予USAGE:
grant usage on database <yourdb> to role RRR;
grant usage on schema <yourschema> to role RRR;
正如您所指出的,如果您仍然必须授予对基础表的访问权限,那么安全视图将毫无意义。
USE ROLE SECURITYADMIN;
--CREATE ROLE ADMIN_ROLE
CREATE ROLE IF NOT EXISTS ADMIN_ROLE;
GRANT USAGE ON WAREHOUSE ADMIN_WH TO ROLE ADMIN_ROLE;
GRANT ROLE ADMIN_ROLE TO ROLE SYSADMIN;
GRANT USAGE ON DATABASE EXISTING_DB TO ADMIN_ROLE;
GRANT USAGE ON SCHEMA EXISTING_DB.EXISTING_SCHEMA TO ADMIN_ROLE;
GRANT SELECT ON TABLE EXISTING_DB.EXISTING_SCHEMA.MYTABLE TO ADMIN_ROLE;
--CREATE DATA ROLES
CREATE ROLE IF NOT EXISTS USER_ROLE;
GRANT USAGE ON WAREHOUSE USER_WH TO ROLE USER_ROLE;
--USE NEW_DB DATABASE
USE DATABASE NEW_DB;
USE ROLE ADMIN_ROLE;
CREATE SCHEMA IF NOT EXISTS NEW_SCHEMA
GRANT USAGE ON DATABASE NEW_DB TO USER_ROLE;
GRANT USAGE ON SCHEMA NEW_DB.NEW_SCHEMA TO USER_ROLE;
GRANT SELECT ON FUTURE VIEWS IN SCHEMA NEW_DB.NEW_SCHEMA TO USER_ROLE;
CREATE OR REPLACE SECURE VIEW NEW_DB.NEW_SCHEMA.MY_SECURE_VIEW AS SELECT * FROM EXISTING_DB.EXISTING_SCHEMA.MYTABLE
USE ROLE SECURITYADMIN;
GRANT USAGE ON DATABASE EXISTING_DB TO USER_ROLE;
GRANT USAGE ON SCHEMA EXISTING_DB.EXISTING_SCHEMA TO USER_ROLE;
GRANT SELECT ON TABLE EXISTING_DB.EXISTING_SCHEMA.MYTABLE TO USER_ROLE;
REVOKE USAGE ON DATABASE EXISTING_DB FROM ADMIN_ROLE;
REVOKE USAGE ON SCHEMA EXISTING_DB.EXISTING_SCHEMA FROM ADMIN_ROLE;
REVOKE SELECT ON TABLE EXISTING_DB.EXISTING_SCHEMA.MYTABLE FROM ADMIN_ROLE;
CREATE ROLE IF NOT EXISTS TEAM_ROLE;
GRANT ROLE USER_ROLE TO TEAM_ROLE;
USE ROLE TEAM_ROLE;
SELECT * FROM NEW_DB.NEW_SCHEMA.MY_SECURE_VIEW
我的用例非常接近此片段
如果我删除
GRANT SELECT ON TABLE EXISTING_DB.EXISTING_SCHEMA.MYTABLE TO ADMIN_ROLE;
我无法创建视图如果我删除
GRANT SELECT ON TABLE EXISTING_DB.EXISTING_SCHEMA.MYTABLE TO USER_ROLE;
然后
SELECT * FROM NEW_DB.NEW_SCHEMA.MY_SECURE_VIEW
失败,例外
SQL compilation error: Failure during expansion of view 'NEW_DB.NEW_SCHEMA.MY_SECURE_VIEW': SQL compilation error: Object 'EXISTING_DB.EXISTING_SCHEMA.MYTABLE' does not exist or not authorized.
让我知道该方法是否存在一些基本缺陷。.>