PLSQL: Package stored procedure cannot call exe imediate statement
-
04-10-2020 - |
Question
I'm working with oracle 11g R2.
Issue:
I am unable to preform dynamic SQL in SchemaB package against SchemaA tables. SchemaB is being called by the owner of SchemaB.
Background:
I have a package/procedure that has the rights to preform a selection statement on another schema's table.
So I can call the below with no issues.
select * from SchemaA.TableA where blah
I need to be able to run this call from dynamic SQL, because the table from SchemaA could be any of 10. I created the below SQL. I get an error
ORA-01031: insufficient privileges
when I run the same statement but with
execute immediate
Code:
v_query varchar2(2000);
v_query := 'select id, value1, value2 from SchemaA. ' || TableName || ' where id = ' || id;
execute immediate v_query ;
I know that the package does not get the user roles, so I even put the following code into the signature of my package AUTHID CURRENT_USER ; which changed nothing.
What other permissions do I need to set in order to do this?
OR if you have another solution for dynamic table selection, that would be great too.
Solution
You're doing something wrong. Test case follows...
Create schemaa
and schemab
:
SQL*Plus: Release 11.2.0.2.0 Production on Fri Oct 21 14:28:47 2016
Copyright (c) 1982, 2014, Oracle. All rights reserved.
SQL> create user schemaa identified by "schemaa";
SP2-0640: Not connected
SQL> conn / as sysdba
Connected.
SQL> create user schemaa identified by "schemaa";
User created.
SQL> grant connect, resource to schemaa;
Grant succeeded.
SQL> create user schemab identified by schemab;
User created.
SQL> grant connect, resource to schemab;
Grant succeeded.
Login as schemaa
, create two tables & grant select
on the first to schemab
, but don't grant anything on the 2nd table:
SQL> conn schemaa/schemaa;
Connected.
SQL> create table satable ( aaa integer ) ;
Table created.
SQL> insert into satable values ( 1 );
1 row created.
SQL> grant select on satable to schemab;
Grant succeeded.
SQL> create table satablenograntsforb( aaa integer ) ;
Table created.
Login as schemab
, create the stored procedure & then test it with the table we have permission to select
from:
SQL> conn schemab/schemab;
Connected.
SQL> CREATE OR REPLACE PROCEDURE schemabproc(TableName IN VARCHAR2)
2 IS
3 v_query varchar2(2000);
4 BEGIN
5
6 v_query := 'select aaa from schemaa. ' || TableName ;
7 execute immediate v_query ;
8
9 END;
10 /
Procedure created.
SQL> exec schemabproc('satable');
PL/SQL procedure successfully completed.
SQL>
As you can see, it executed ok.
Let's try on the table we don't have permission on:
SQL> exec schemabproc('satablenograntsforb');
BEGIN schemabproc('satablenograntsforb'); END;
*
ERROR at line 1:
ORA-00942: table or view does not exist
ORA-06512: at "SCHEMAB.SCHEMABPROC", line 7
ORA-06512: at line 1
Let's grant
and re-test:
SQL> conn schemaa/schemaa
Connected.
SQL> grant select on satablenograntsforb to schemab;
Grant succeeded.
Now we should be able to select
from the 2nd table without error:
SQL> conn schemab/schemab
SQL> exec schemabproc('satablenograntsforb');
PL/SQL procedure successfully completed.
SQL>
Conclusion: There's something else happening. Note that the procedure above runs with AUTHID DEFINER
, which is the default.