| Insufficient Privileges to Create a User Inside a Function [message #171643] |
Wed, 10 May 2006 17:05  |
rare
Messages: 6
Registered: May 2006
Location: Minneapolis, MN
|
Junior Member |
|
|
Did some searches and reviewed the FAQs but I'm still having a problem. I wrote a Function that accepts a user name and password. I build a CREATE USER string then attempt to do an EXECUTE IMMEDIATE on the string. I am getting: ORA-01031: insufficient privileges.
In my research, I've found that ROLES are not active when a script is running. So I explicitly granted the CREATE USER system privilege to a user then tried calling my Function from within SQL*Plus and I get the same results. I even get the 01031 trying to execute the function as a DBA user.
Here's a sample of the string that my code builds:
CREATE USER monkey PROFILE "DEFAULT"
IDENTIFIED BY "d3ath!!!"
DEFAULT TABLESPACE "TBLSPACE_USER"
TEMPORARY TABLESPACE "TBLSPACE_USR_TEMP"
ACCOUNT UNLOCK;
It executes flawlessly from SQL*Plus, so I know it's something about how it's being executed within a PL/SQL Function. Does anyone know what rights are required to grant and where they should be granted? Or if I can call the Function in some clever way that lets it see the appropriate rights?
TIA!!
|
|
|
|
|
|
| Re: Insufficient Privileges to Create a User Inside a Function [message #171650 is a reply to message #171644] |
Wed, 10 May 2006 18:37  |
Todd Barry
Messages: 4819
Registered: August 2001
|
Senior Member |
|
|
Hmmm, granting a privilege to a function. Not a concept that anyone has seen until this unfortunate moment.
Even though you say you have granted 'create user' to the owner of the function, I suspect you have not really done that, even though you think you have.
system>create user myuser identified by myuser;
User created.
system>grant create session, create procedure to myuser;
Grant succeeded.
myuser>create or replace function my_function
2 return number
3 is
4 begin
5 execute immediate 'create user newuser identified by newuser';
6 return 0;
7 end;
8 /
Function created.
-- As MYUSER, let's try executing the function.
myuser>var rtn number
myuser>exec :rtn := my_function()
BEGIN :rtn := my_function(); END;
*
ERROR at line 1:
ORA-01031: insufficient privileges
ORA-06512: at "MYUSER.MY_FUNCTION", line 5
ORA-06512: at line 1
-- Nope, doesn't work. Need the grant
system>grant create user to myuser;
Grant succeeded.
-- OK, now I have the grant. Let's try again.
myuser>exec :rtn := my_function()
PL/SQL procedure successfully completed.
-- Now it works |
|
|
|
| Re: Insufficient Privileges to Create a User Inside a Function [message #171788 is a reply to message #171650] |
Thu, 11 May 2006 08:16 |
joy_division
Messages: 4963
Registered: February 2005
Location: East Coast USA
|
Senior Member |
|
|
Rats!
I don't remember the exact circumstances, but this rings a bell with something I did a while back. I remember I had to do this:
grant create user to myuser with admin option;
I don't recall why and looking at Todd's example, I now wonder why I had to do that. It might have had something to do with a public synonym being created for the function and then some other user execting it.
[Updated on: Thu, 11 May 2006 08:32] Report message to a moderator |
|
|
|
 Thanks Guys! [message #171804 is a reply to message #171643] |
Thu, 11 May 2006 09:34 |
rare
Messages: 6
Registered: May 2006
Location: Minneapolis, MN
|
Junior Member |
|
|
Thanks for the feedback guys!
| Quote: |
anacedent
grant create user to my_function;
|
That would have been really easy but unfortunately, it gave me "ORA-01917: user or role 'USER_CREATE' does not exist." I'm working on a 9i server. Maybe in 10g you can grant to objects?
| Quote: |
joy_division
grant create user to myuser with admin option;
|
Interesting idea, too! Unfortunately it gave me the same ORA-01031 when I tried to execute it.
Todd Barry: Thank a bunch for that walk-thru!! I'm late for a meeting and need to do a trace like that when I get back. But I'm not sure I agree with you. Consider the SQL my code builds in the fourth paragraph. If the user can paste that into SQL*Plus but not execute it in a function, something is going on.
I'll update again once I've tried a few more things. Frustrating though... this shouldn't be this hard!! 
[Updated on: Thu, 11 May 2006 11:19] Report message to a moderator |
|
|
|
| Re: Thanks Guys! [message #171830 is a reply to message #171804] |
Thu, 11 May 2006 12:26 |
Todd Barry
Messages: 4819
Registered: August 2001
|
Senior Member |
|
|
No, you cannot grant privileges to stored code. I made a slightly, um, sarcastic reference to this in my first reply.
| Quote: |
But I'm not sure I agree with you. Consider the SQL my code builds in the fourth paragraph. If the user can paste that into SQL*Plus but not execute it in a function, something is going on.
|
When run as the owner of the function, what does this show?
select * from user_sys_privs
where privilege = 'CREATE USER';
You didn't create the function with invoker's rights by any chance, did you? And execute it as someone else?
Also, if still a problem, please post the source of your function.
|
|
|
|
|
|
| Re: The Saga Ends [message #171865 is a reply to message #171851] |
Thu, 11 May 2006 18:33 |
Todd Barry
Messages: 4819
Registered: August 2001
|
Senior Member |
|
|
Well, there are many semantic issues at play here. There is no such this as "DBA privileges" - there is only the DBA role which has certain privileges.
As you noted, privileges obtained through roles are meaningless in stored procedures/functions (except in the special case of invoker's rights).
| Quote: |
I created the function with another user in the DBA's schema and can now execute it with other users.
|
I do not understand this statement. A function is created in/owned by a single schema. "Creating the function with another user in the DBA's schema" does not compute.
If you are creating a normal definer's rights function, the function will be executable by the owner (and anyone else, assuming they have the execute privilege on the function) as long as the owner has the CREATE USER privilege granted directly and not just through a role (the DBA role or otherwise).
|
|
|
|
|
|
| Re: Refinement [message #171974 is a reply to message #171881] |
Fri, 12 May 2006 11:51 |
Todd Barry
Messages: 4819
Registered: August 2001
|
Senior Member |
|
|
I sense that you aren't real interested in pursuing this much longer, but there is still something strange here.
Assuming the default of definer's rights, the users executing the function do NOT need the CREATE USER privilege - only the owner of the function. The users executing the function would only need EXECUTE privilege on that function.
| Quote: |
At that point, RARE couldn't execute the function and got ORA-01031.
|
I still believe that was because EXPERION did not really have the CREATE USER privilege granted directly at that time.
| Quote: |
What I did to get around this was have RARE create the function in the EXPERION schema. RARE could then execute the function as could EXPERION.
|
That is still a function owned by EXPERION. I suspect that the CREATE USER privilege was granted to EXPERION prior to this test which is why the function call by EXPERION or RARE or anyone else would then work.
In any case, glad it's working for you.
|
|
|
|
] 
Blog
Search
Help
Members
Register
Login
Home
