Monday, April 26, 2010

read-only access

It's a well known fact that in Oracle RDBMS a granted SELECT privilege on a table would also give a grantee a possibility of doing SELECT FOR UPDATE against the same table. So, if a DBA grants the SELECT privilege directly some surprises are anticipated. There was a question posted to an internal mailing list about this problem. Here is what I proposed as a possible solution:

SQL> SELECT * FROM v$version WHERE ROWNUM = 1;

BANNER
----------------------------------------------------------------------
Oracle Database 11g Enterprise Edition Release 11.1.0.7.0 - Production

CONNECT / AS SYSDBA
-- DROP USER viewer CASCADE;
-- DROP USER owner CASCADE;
GRANT CREATE SESSION TO viewer IDENTIFIED BY viewer;
GRANT CREATE SESSION, CREATE VIEW, CREATE TABLE TO owner IDENTIFIED BY owner;
ALTER USER owner QUOTA 1M ON users;
ALTER SESSION SET CURRENT_SCHEMA = owner;
CREATE TABLE t (p NUMBER);
INSERT INTO t VALUES (1);
CREATE OR REPLACE VIEW t_v AS SELECT t.* FROM t WHERE ROWNUM > 0 WITH READ ONLY;
GRANT SELECT ON t_v TO viewer;
CREATE OR REPLACE SYNONYM viewer.t FOR owner.t_v;
CONNECT viewer/viewer
INSERT INTO t(p) VALUES(5);
DELETE t;
UPDATE t SET p = 5;
SELECT * FROM t FOR UPDATE;
SELECT p FROM t FOR UPDATE;
SELECT p FROM t FOR UPDATE OF p;
SELECT * FROM t;
According to the last reply of the original poster so far it's considered being the best possible workaround.

People who replied to the same thread also mentioned this: AskTom; MySQL/Oracle vs. PostgreSQL. Since it's a public information I'm taking a liberty of posting the links for the sake of referencing/comparison.

No comments: