所有的语句都是用同一个用户发出的?
这通常发生在尝试撤销您的帐户名未授予的表级权限时。
要找到正确的受让人使用:
SELECT a.grantee, a.grantor
FROM systabauth a, systables t
WHERE a.tabid = t.tabid
AND UPPER(t.tabname) = 'TEST';
那么就可以发出:
REVOKE INSERT ON TEST FROM 'test_user' AS '<GRANTEE>';
我没有提到但@chris311 想出来的另一种可能性是you cannot revoke privileges from yourself。
“背后”发生了什么,下一个例子,一个名为 chris311 的数据库,由 chris 拥有,记住我使用的是 informix 用户:
[infx1210@tardis ~]$ id
uid=501(informix) gid=501(informix) groups=501(informix)
[infx1210@tardis ~]$ dbaccess chris311 -
Database selected.
> SELECT name, owner
> FROM sysmaster:sysdatabases
> WHERE name = DBINFO('dbname') ;
name chris311
owner chris
1 row(s) retrieved.
>
chris 和 informix 都具有 DBA 数据库级权限,并且 ricardo 被授予 >CONNECT 权限:
> SELECT username, usertype
> FROM sysusers;
username usertype
chris D
informix D
ricardo C
3 row(s) retrieved.
>
chris 拥有一张桌子 tab1,ricardo 被 chris 授予, ALL 表级权限:
> SELECT t.tabname, t.owner, a.grantee, a.tabauth, a.grantor
> FROM systabauth a, systables t
> WHERE a.tabid = t.tabid
> AND t.tabname= 'tab1';
tabname tab1
owner chris
grantee ricardo
tabauth su-idxar-
grantor chris
1 row(s) retrieved.
>
如果 informix 想要撤销 INSERT 权限,它必须使用 AS 子句将 chris 指定为撤销者:
> REVOKE INSERT ON tab1 FROM ricardo;
580: Cannot revoke permission.
111: ISAM error: no record found.
Error in line 1
Near character position 33
> REVOKE INSERT ON tab1 FROM ricardo AS chris;
Permission revoked.
> SELECT t.tabname, t.owner, a.grantee, a.tabauth, a.grantor
> FROM systabauth a, systables t
> WHERE a.tabid = t.tabid
> AND t.tabname = 'tab1';
tabname tab1
owner chris
grantee ricardo
tabauth su--dxar-
grantor chris
1 row(s) retrieved.
>
如果他试图撤销自己的 INSERT 权限,也会返回一个错误:
> REVOKE INSERT ON tab1 FROM informix;
580: Cannot revoke permission.
111: ISAM error: no record found.
Error in line 1
Near character position 34
>
现在,如果我们看到 580 错误的含义:
[infx1210@tardis ~]$ finderr 580
-580 Cannot revoke permission.
This REVOKE statement cannot be carried out. Either it revokes a
database-level privilege, but you are not a Database Administrator in
this database, or it revokes a table-level privilege that your account
name did not grant. Review the privilege and the user names in the
statement to ensure that they are correct. To summarize the table-level
privileges you have granted, query systabauth as follows:
SELECT A.grantee, T.tabname FROM systabauth A, systables T
WHERE A.grantor = USER AND A.tabid = T.tabid
[infx1210@tardis ~]$
它没有说任何关于撤销他自己的特权,但文档中提到了它。此外,如果我们考虑 111: ISAM error: no record found. 并将其与 DBA 没有出现在 systabauth 上的事实联系起来,这有点道理。
授予不会返回错误/警告,因为 DBA 已经拥有权限,撤销返回它是因为操作没有生效。
现在让我们从 chris 那里担任 DBA 角色,让我们做两次:
> REVOKE DBA FROM chris;
Permission revoked.
> REVOKE DBA FROM chris;
Permission revoked.
> SELECT username, usertype
> FROM sysusers;
username usertype
chris C
informix D
ricardo C
3 row(s) retrieved.
> SELECT t.tabname, t.owner, a.grantee, a.tabauth, a.grantor
> FROM systabauth a, systables t
> WHERE a.tabid = t.tabid
> AND t.tabname= 'tab1';
tabname tab1
owner chris
grantee ricardo
tabauth su--dxar-
grantor chris
1 row(s) retrieved.
>
同样,第二个 REVOKE 没有返回错误/警告,因为它已经生效。用户仍然没有出现在systabauth 表中。
但是它有什么表级权限呢?
[infx1210@tardis ~]$ dbaccess chris311 -
Database selected.
> INSERT INTO tab1 VALUES(1);
1 row(s) inserted.
> SELECT * FROM tab1;
col1
1
1 row(s) retrieved.
> DROP TABLE tab1;
Table dropped.
>
他不是DBA,但他是所有者。