ORA-01031: insufficient privileges

mohsink · May 4, 2021, 2:19pm

Leveraging Oracle’s schema only user (18c+) and heres the LB properties file :

url=jdbc:oracle:thin:least_priv_user/@0.0.0.0:1521/XEPDB1
username: liquibase_admin
password: liquibase_admin123

Pre-Steps ( outside of the liquibase )
grant create session to liquibase_admin;
alter user least_priv_user grant connect through liquibase_admin;

Question : Upon doing an liquibase update

why does this work only if GRANT ALL PRIVILEGES to liquibase_admin;
db change logs tables gets created in both schemas - Not sure why

If a GRANT ALL PRIVILEGES to liquibase_admin privileges is not given :

The below error occurs :

Unexpected error running Liquibase: ORA-01031: insufficient privileges
[Failed SQL: (1031) CREATE TABLE LIQUIBASE_ADMIN.DATABASECHANGELOGLOCK (ID INTEGER NOT NULL, LOCKED NUMBER(1) NOT NULL, LOCKGRANTED TIMESTAMP, LOCKEDBY VARCHAR2(255), CONSTRAINT PK_DATABASECHANGELOGLOCK PRIMARY KEY (ID))]

If the lb_admin is only given create TABLE privileges then the below error occurs when processing changelog :
Reason: liquibase.exception.DatabaseException: ORA-01031: insufficient privileges
…

daryldoak · May 4, 2021, 2:23pm

The user that Liquibase is using to connect to the database is expected to have privileges to CREATE, ALTER, etc all object types. You need to expand your set of privileges.

mohsink · May 4, 2021, 2:25pm

Thanks , but even the below doesnt help either
grant create view …
grant create table …
grant alter session …
grant create cluster …
grant create session …
grant create synonym …
grant create trigger …
grant create sequence …
grant create procedure …
grant create database link …

daryldoak · May 4, 2021, 2:31pm

I see you are running Liquibase as “lb_admin”, but your schema in the sql is “LIQUIBASE_ADMIN”. In order to create a table in another schema lb_admin would need the “CREATE ANY TABLE” privilege.

mohsink · May 4, 2021, 2:58pm

Thanks , it is liquibase_admin, I had only updated it up on this forum post . I edited the original post. The errors still occurs.

mohsink · May 4, 2021, 3:17pm

Yes updated grants with “create any …” privileges but it does not seem to help.

daryldoak · May 4, 2021, 3:50pm

Why do you have “least_priv_user” in your jdbc string?

mohsink · May 4, 2021, 4:09pm

The least privileged user in that jdbc string is the user used to have proxy connection to the liquibase_admin.
Heres more info on that type of accounts :

daryldoak · May 4, 2021, 4:15pm

All of my Liquibase connections use proxy connections. I’m not familiar with the technique you are trying, I would recommend you try this:

remove least_priv_user from the jdbc string
change username to: least_priv_user[liquibase_admin]

That is how all of my proxy connections are done with Liquibase.

mohsink · May 4, 2021, 6:12pm

Hey , thanks it helped though it was more than adjustment to URL.

It was a combination of : alter grant connect statement , adjustment to the jdbc url & the additional grants that the DDL needed ( for constraints )

So it worked.

thanks

Topic		Replies	Views
Permissions Error with MSSQL General Discussion	2	927	November 23, 2021
Liquibase failing to create a table on redshift from ADO pipelines General Discussion	1	142	August 22, 2023
Problem: Oracle Case-Sensitive Columns Liquibase v3.0.7 General Discussion	6	1396	October 29, 2013
Liquibase createTable not creating primary Key General Discussion	1	356	November 14, 2023
Infomix create table primary key Liquibase Development	7	399	February 13, 2014

ORA-01031: insufficient privileges

Related Topics