Separate credentials for querying and updates


We have a very specific, security bounded, setup overhere.

  • A database user is only granted for inserts, selects and updates.

  • A second database user can do all, but is only activated when deploying a new application

  • Database used is Oracle

We could setup Liquibase to use the second database user and the rest of the application the first one. Problem with this approach is when the application restart liquibase is unable to verify the changelog and will continue to start the application.

What is the approach to be compliant with the above setup? The ideal situation would be that we can specify 2 credential set to liquibase, 1 to verify the change log and 1 to actually execute the changelog when required.

Thank you


There is nothing built into liquibase currently, but there may be some options with the extension system if you do a little coding. In particular, you could create a Database implementation that overrides the default getRanChangeSetList() method. How you do that would probably depend quite a bit on your particular environment. Let me know if you need pointers to getting something like that going.