-- Table level permissions
SELECT *
FROM
(
SELECT
schemaname
,objectname
,usename
,HAS_TABLE_PRIVILEGE(usrs.usename, fullobj, 'select') AND has_schema_privilege(usrs.usename, schemaname, 'usage') AS sel
,HAS_TABLE_PRIVILEGE(usrs.usename, fullobj, 'insert') AND has_schema_privilege(usrs.usename, schemaname, 'usage') AS ins
,HAS_TABLE_PRIVILEGE(usrs.usename, fullobj, 'update') AND has_schema_privilege(usrs.usename, schemaname, 'usage') AS upd
,HAS_TABLE_PRIVILEGE(usrs.usename, fullobj, 'delete') AND has_schema_privilege(usrs.usename, schemaname, 'usage') AS del
,HAS_TABLE_PRIVILEGE(usrs.usename, fullobj, 'references') AND has_schema_privilege(usrs.usename, schemaname, 'usage') AS ref
FROM
(
SELECT schemaname, 't' AS obj_type, tablename AS objectname, schemaname + '.' + tablename AS fullobj FROM pg_tables
WHERE schemaname NOT IN ('pg_internal')
UNION
SELECT schemaname, 'v' AS obj_type, viewname AS objectname, schemaname + '.' + viewname AS fullobj FROM pg_views
WHERE schemaname NOT IN ('pg_internal')
) AS objs
,(SELECT * FROM pg_user) AS usrs
ORDER BY fullobj
)
WHERE (sel = TRUE OR ins = TRUE OR upd = TRUE OR del = TRUE OR ref = TRUE)
AND schemaname='reporting'
AND usename = 'emilybrown';
-- check perms for a table
\dp units
-- show all privs for role
SELECT
u.usename,
s.schemaname,
has_schema_privilege(u.usename,s.schemaname,'create') AS user_has_select_permission,
has_schema_privilege(u.usename,s.schemaname,'usage') AS user_has_usage_permission
FROM
pg_user u
CROSS JOIN
(SELECT DISTINCT schemaname FROM pg_tables) s
WHERE
u.usename = 'job_analyst'
AND s.schemaname = 'marketo'
;
-- grants for a specific table
SELECT
u.usename,
t.schemaname||'.'||t.tablename,
has_table_privilege(u.usename,t.tablename,'select') AS user_has_select_permission,
has_table_privilege(u.usename,t.tablename,'insert') AS user_has_insert_permission,
has_table_privilege(u.usename,t.tablename,'update') AS user_has_update_permission,
has_table_privilege(u.usename,t.tablename,'delete') AS user_has_delete_permission,
has_table_privilege(u.usename,t.tablename,'references') AS user_has_references_permission
FROM
pg_user u
CROSS JOIN
pg_tables t
WHERE
u.usename = 'marcurbaitel'
AND t.tablename = 'trust_rev_payments'
;
-- Users and their groups
SELECT usename, groname
FROM pg_user, pg_group
WHERE pg_user.usesysid = ANY(pg_group.grolist)
AND pg_group.groname in (SELECT DISTINCT pg_group.groname from pg_group) order by usename;
-- Users in a particular group
select usename from pg_user , pg_group where
pg_user.usesysid = ANY(pg_group.grolist) and
pg_group.groname='grp_maxbi'
ORDER BY BY usename;
-- Grant and future objects
ALTER DEFAULT PRIVILEGES IN SCHEMA hubspot GRANT SELECT ON TABLES TO GROUP grp_fivetran_analyst;
GRANT SELECT ON ALL TABLES IN SCHEMA hubspot TO GROUP grp_fivetran_analyst;
GRANT USAGE ON SCHEMA hubspot TO GROUP grp_fivetran_analyst;
-- Same for single user
ALTER DEFAULT PRIVILEGES IN SCHEMA reporting GRANT SELECT ON TABLES TO looker;
GRANT SELECT ON ALL TABLES IN SCHEMA reporting TO looker;
GRANT USAGE ON SCHEMA reporting TO looker;
/*Check active permissions for a certain user*/
SELECT distinct a1.schemaname, a1.groupname,a2.usename, a1.sel, a1.upd, a1.ins, a1.del, a1.drp, a1."ref"
FROM "admin".v_get_tbl_priv_by_group a1
inner join "admin".v_get_users_in_group a2
on a2.groname = a1.groupname
and a2.usename = '<username>';
Author: Vinay
Dump redshift grants
cd /usr/local/cron/dump_rs_grants
PGPASSWORD=xxxxxxxxx psql -h redshiftFQDN -p 5439 -Uxxxxxx -dyyyyyy < dump_rs_grants.sql > current_rs_grants.txt
dump_rs_grants.sql:
WITH object_list(schema_name,object_name,permission_info)
AS (
SELECT N.nspname, C.relname, array_to_string(relacl,',')
FROM pg_class AS C
INNER JOIN pg_namespace AS N
ON C.relnamespace = N.oid
WHERE C.relkind in ('v','r')
AND N.nspname NOT IN ('pg_catalog', 'pg_toast', 'information_schema')
AND C.relacl[1] IS NOT NULL
),
object_permissions(schema_name,object_name,permission_string)
AS (
SELECT schema_name,object_name, SPLIT_PART(permission_info,',',1) FROM object_list
UNION ALL
SELECT schema_name,object_name, SPLIT_PART(permission_info,',',2) FROM object_list
UNION ALL
SELECT schema_name,object_name, SPLIT_PART(permission_info,',',3) FROM object_list
UNION ALL
SELECT schema_name,object_name, SPLIT_PART(permission_info,',',4) FROM object_list
UNION ALL
SELECT schema_name,object_name, SPLIT_PART(permission_info,',',5) FROM object_list
UNION ALL
SELECT schema_name,object_name, SPLIT_PART(permission_info,',',6) FROM object_list
UNION ALL
SELECT schema_name,object_name, SPLIT_PART(permission_info,',',7) FROM object_list
UNION ALL
SELECT schema_name,object_name, SPLIT_PART(permission_info,',',8) FROM object_list
UNION ALL
SELECT schema_name,object_name, SPLIT_PART(permission_info,',',9) FROM object_list
UNION ALL
SELECT schema_name,object_name, SPLIT_PART(permission_info,',',10) FROM object_list
),
permission_parts(schema_name, object_name,security_principal, permission_pattern)
AS (
SELECT
schema_name,
object_name,
LEFT(permission_string ,CHARINDEX('=',permission_string)-1),
SPLIT_PART(SPLIT_PART(permission_string,'=',2),'/',1)
FROM object_permissions
WHERE permission_string >''
)
SELECT
schema_name,
object_name,
'GRANT ' ||
SUBSTRING(
case when charindex('r',permission_pattern) > 0 then ',SELECT ' else '' end
||case when charindex('w',permission_pattern) > 0 then ',UPDATE ' else '' end
||case when charindex('a',permission_pattern) > 0 then ',INSERT ' else '' end
||case when charindex('d',permission_pattern) > 0 then ',DELETE ' else '' end
||case when charindex('R',permission_pattern) > 0 then ',RULE ' else '' end
||case when charindex('x',permission_pattern) > 0 then ',REFERENCES ' else '' end
||case when charindex('t',permission_pattern) > 0 then ',TRIGGER ' else '' end
||case when charindex('X',permission_pattern) > 0 then ',EXECUTE ' else '' end
||case when charindex('U',permission_pattern) > 0 then ',USAGE ' else '' end
||case when charindex('C',permission_pattern) > 0 then ',CREATE ' else '' end
||case when charindex('T',permission_pattern) > 0 then ',TEMPORARY ' else '' end
,2,10000
)
|| ' ON ' || schema_name||'.'||object_name
|| ' TO ' || security_principal
|| ';' as grantsql
FROM permission_parts
;
Show Most Used Tables In Redshift
SELECT
*
FROM
stl_scan ss
JOIN pg_user pu
ON ss.userid = pu.usesysid
JOIN svl_query_metrics_summary sqms
ON ss.query = sqms.query
JOIN temp_mone_tables tmt
ON tmt.table_id = ss.tbl
AND tmt.table = ss.perm_table_name;
SELECT
perm_table_name,
SUM(ROWS),
SUM(bytes) SUM(fetches)
FROM
stl_scan
WHERE starttime >= '2018-09-01 00:00:00'
GROUP BY perm_table_name
ORDER BY SUM(bytes) DESC
LIMIT 40;
Writing queries that are optimized
When writing a query there are basic parts:
1) the result set
2) the tables to get the data from
3) the where clause – provides filtering
4) group by for grouping data to be aggregated.
This article will discuss areas 2 and 3 since that’s where most query optimizations occur.
Joining Tables efficiently:
Mysql has a practical limit to the number of tables you should join. It is 10 (some opinions differ).
While Mysql can join more than that but statement performance may suffer due to the calculation of the statement execution plan. The more tables Mysql has to deal with, the greater number of plans it has to explore when deciding
on how to execute the statement.
When you join 2 tables you want to make sure the columns you join on are indexed in at least of of the tables.
If the columns are indexed, Mysql can find the row in the joined table quickly via an index lookup.
Ex:
Select xxx,yyy,xxx
from table_a
join table_b on table_b.indexed_column = table_a.indexed_column
In this example the column ‘indexed_column’ represents a column that has an index on it in
table_a and/or table_b.
So for each row in table_a, the select will quickly find the matching row in table_b due to the join condition which is on the ‘indexed_column’.
Now if we join the tables on columns that are not indexed in either table_a or table_b.
Select xxx,yyy,xxx
from table_a
join table_b on table_b.unindexed_column = table_a.unindexed_column
Mysql will have to perform a table scan of table_b for each row in table_a.
So if table_a has 100 rows in it and table_b has 1m rows that means that Mysql will have to scan table_b 100 times scanning a total of 100 million rows.
This is very inefficient.
Subselects as tables:
Mysql materializes subselects. What that means is the first time the subselect is run, Mysql creates a temporary table to store the result set so Mysql does not have to re-execute subselect. Note: if your result set is very large, say hundreds of thousands of rows, that can create a very large temp table.
Many times I have see queries that use a subselect as a table. That is fine.
However you must remember that if you join a subselect to another table, the column used for the join condition must be indexed in the joined table.
If the joined table does not have an index on the column used in the join condition then the joined table will be scanned for each row in the subselect result set.
That also means that you should not join one subselect to another subselect since the result sets of subselects are not indexed.
Another thing to keep in mind is that the columns used in join conditions must be the same datatype. If they are not the same datatype and there is an index on the columns, Mysql can not make use of the indexes and will end up performing table scans.
Something else you need to know is that Mysql is pretty smart. When it creates it’s join plan, it can detect which table should be the main table and which should be the joined table.
For example, if the join condition column is indexed in table_a but not in table_b, it will join table_a to table_b using table_b as the primary table. It also means that Mysql may not join the tables in the same order you think it should. I have seen situations where Mysql did not ‘guess’ correctly.
To override Mysql’s guess, you can specify ‘STRAIGHT_JOIN’ after the SELECT statement. This will cause your tables to be joined in the order you specify.
The primary table is where Mysql starts getting rows from first.
The ‘WHERE’ clause:
This is the most important part of an sql statement as it filters out rows.
If you don’t use or it is not used correctly, your select will be performing full tables scans.
This is very very bad.
Using a WHERE clause is easy. You simply specify a column = another_column AND/OR a column = a CONSTANT.
Anytime you filter on a column the column should be indexed.
Also never change the datatype of the column you are filtering on (as in using CAST). This prevents Mysql from using any associated index.
Mysql can only use an index when the column is used in it’s ‘native’ datatype.
The datatypes of the column you are filtering on and the constant/column you are comparing to must match. If you need to change the datatype, change the datatype of the constant/column and not that of the indexed column.
Using an ‘IN’ clause:
Limit the size of the items inside an ‘IN’ clause. If you have 50 items that’s fine. Don’t have 25 million.
There are better ways to filter.
Subselect in a WHERE clause:
Using a subselect in a WHERE clause is okay if the subselect returns a small result set.
If your subselect returns a very large result set, you may be better off simply joining the tables in the subselect like normal tables.
Get rid of subselects:
Due to the inability of subselects to be indexed you can get rid of them.
What you do is to create a temporary table. If you specify ‘ENGINE=innodb’, the table will be created as an innodb table and will exist in the innodb buffer pool. This avoids eating up the servers free RAM (reduces the chances of out of memory situation). When you create this temporary table, you can create indexes.
Then, in your query you can join this temporary table just like a normal table on the indexed columns.
Maintaining the indexes (upon insert into the table) will cause a minor performance hit but the performance gain from having the indexes will more than offset that.
The ‘Takeaway’:
The takeaway from this document is that INDEXES are one of the best performance boosters. Create them and use them.
You can not use any function (such as UPPER(), LOWER(), user_defined_function(), …..) on the indexed column or Mysql will not be able to use it.
Find and Drop a user across multiple database servers
If you ever wished to find a user and drop them from multiple servers. Here is a one-liner:
Get-DbaRegServer -SqlInstance SQLSERVER01 -Group 'Production' | Get-DbaDbUser -User User1 | Remove-DbaDbUser -Force
Get-DbaRegServer -SqlInstance SQLSERVER01 -Group 'Production' | Get-DbaLogin -Login User1 | Remove-DbaLogin
The first line of the code remove user from all the databases. The second line drops the login from each SQL instance.
This is especially useful when you need to drop a user when they leave the company.
Database Blog 