Updated on 2024-05-07 GMT+08:00

Data Export By a User Without Required Permissions

gs_dump and gs_dumpall use -U to specify the user that performs the export. If the specified user does not have the required permission, data cannot be exported. In this case, you can set --role in the export command to the role that has the permission. Then, gs_dump or gs_dumpall uses the specified role to export data.

Procedure

  1. Preparing an ECS as the gsql Client Host.
  2. Download the gsql client and use an SSH transfer tool (such as WinSCP) to upload it to the Linux server where gsql is to be installed. For details, see Downloading the Client.

    The user who uploads the client must have the full control permission on the target directory on the host to which the client is uploaded.

    Alternatively, you can remotely log in to the Linux host where the gsql is to be installed in SSH mode and run the following command in the Linux command window to download the gsql client:

    wget https://obs.myhuaweicloud.com/dws/download/dws_client_8.x.x_redhat_x64.zip --no-check-certificate

  3. Run the following commands to decompress the client:

    cd <Path_for_storing_the_client>
    unzip dws_client_8.x.x_redhat_x64.zip

    Where,

    • <Path_for_storing_the_client>: Replace it with the actual path.
    • dws_client_8.1.x_redhat_x86.zip: This is the client tool package of RedHat x86. Replace it with the actual one.

  4. Run the following command to configure the GaussDB(DWS) client:

    source gsql_env.sh

    If the following information is displayed, the GaussDB(DWS) client is successfully configured:

    All things done.

  5. Use gs_dump to export data of the human_resource database.

    User jack does not have the permission for exporting data of the human_resource database and the role role1 has this permission. To export data of the human_resource database, you can set --role to role1 in the export command. The exported files are in .tar format.
    gs_dump -U jack -W password -f /home//backup/MPPDB_backup.tar -p 8000 -h 10.10.10.100 human_resource --role role1 --rolepassword password -F t
    Table 1 Common parameters

    Parameter

    Description

    Example Value (dbadmin)

    -U

    Username for database connection.

    -U jack

    -W

    User password for database connection.

    • This parameter is not required for database administrators if the trust policy is used for authentication.
    • If you connect to the database without specifying this parameter and you are not a database administrator, you will be prompted to enter the password.

    -W Password

    -f

    Folder to store exported files. If this parameter is not specified, the exported files are stored in the standard output.

    -f /home//backup/MPPDB_backup.tar

    -p

    Name extension of the TCP port on which the server is listening or the local Unix domain socket. This parameter is configured to ensure connections.

    -p 8000

    -h

    Cluster address: If a public network address is used for connection, set this parameter to Public Network Address or Public Network Domain Name. If a private network address is used for connection, set this parameter to Private Network Address or Private Network Domain Name.

    -h 10.10.10.100

    dbname

    Name of the database to be exported.

    human_resource

    --role

    Role name for the export operation. After this parameter is set and gs_dump or gs_dumpall connects to the database, the SET ROLE command will be issued. When the user specified by -U does not have the permissions required by gs_dump or gs_dumpall, this parameter allows the user to switch to a role with the required permissions.

    -r role1

    --rolepassword

    Role password.

    --rolepassword password

    -F

    Format of exported files. The values of -F are as follows:

    • p: plain text
    • c: custom
    • d: directory
    • t: .tar

    -F t

    For details about other parameters, see "gs_dump" or "gs_dumpall" in the Tool Guide.

Examples

Example 1: User jack does not have the permission for exporting data of the human_resource database and the role role1 has this permission. To export data of the human_resource database, you can set --role to role1 in the export command. The exported files are in .tar format.

human_resource=# CREATE USER jack IDENTIFIED BY "password";

gs_dump -U jack -W password -f /home//backup/MPPDB_backup11.tar -p 8000 -h 10.10.10.100 human_resource --role role1 --rolepassword password -F t
gs_dump[port='8000'][human_resource][2017-07-21 16:21:10]: dump database human_resource successfully
gs_dump[port='8000'][human_resource][2017-07-21 16:21:10]: total time: 4239  ms

Example 2: User jack does not have the permission for exporting the public schema and the role role1 has this permission. To export the public schema, you can set --role to role1 in the export command. The exported files are in .tar format.

human_resource=# CREATE USER jack IDENTIFIED BY "1234@abc";

gs_dump -U jack -W password -f /home//backup/MPPDB_backup12.tar -p 8000 -h 10.10.10.100 human_resource -n public --role role1 --rolepassword password -F t
gs_dump[port='8000'][human_resource][2017-07-21 16:21:10]: dump database human_resource successfully
gs_dump[port='8000'][human_resource][2017-07-21 16:21:10]: total time: 3278  ms

Example 3: User jack does not have the permission for exporting all databases in a cluster and the role role1 has this permission. To export all databases, you can set --role to role1 in the export command. The exported files are in text format.

human_resource=# CREATE USER jack IDENTIFIED BY "password";

gs_dumpall -U jack -W password -f /home//backup/MPPDB_backup.sql -p 8000 -h 10.10.10.100 --role role1 --rolepassword password
gs_dumpall[port='8000'][human_resource][2018-11-14 17:26:18]: dumpall operation successful
gs_dumpall[port='8000'][human_resource][2018-11-14 17:26:18]: total time: 6437  ms