- You have done a huge amount of good work with Liquibase.
- So far, I miss only one feature.
Background (terms and examples are Oracle-centric):
- Most of the "logical databases" (that I have been dealing with) do not consist of 1 schema only.
- There are many schemas and usually there are cross dependencies between schemas.
- More precisely, there are 2 types of schemas:
  - Schemas (include tables, views, procedures etc.) with cross dependencies
  - Users for application servers and for batch processes (include received object grants and optionally synonyms)
Bottom line: cross dependencies mean that there is no way to install schemas using schema-based "changelog.xml" files and a fixed sequential order of installation.
Expectation for the database installation procedure:
- First, the DBA will create everything that is not application specific: schemas, users, tablespaces, system grants etc.
- Liquibase installs "changelog.xml" (which contains all schemas of the "logical database") with one run.
- For each next release, Liquibase installs "changelog.xml" (which contains all schemas of the "logical database") with one run.
Current situation / Issues with alternatives:
- Recommendation: use DBA rights for installation. Unfortunately, there exist SQL commands that can only be executed by the schema owner. For example: CREATE DATABASE LINK ... You may have DBA rights but you still cannot create a database link in another schema. There is a (smaller) issue with grants as well. If the DBA executes "grant select on schema1.table to schema2" then the grantor is registered as DBA. From the application's point of view, DBA is nobody.
- Security issue. DBA rights mean that you can do everything in that physical database. Today, many "logical databases" are consolidated into one "physical database". It means each "logical database" developer/deployer/installer has DBA rights in the physical database. They can see and change everything in all "logical databases". This is totally NOT acceptable for Security Officers / IT Risks and for DBA.
Need:
- For multi-schema "changelog.xml" installation, each schema needs its own connection to the database to have/get proper permissions and proper context for SQL execution.
- "Proper permission" here also means that permissions are strictly limited to schema owner permissions. DBA rights must not be available unless they are intentionally granted.
Proposal:
- I would like to have the optional possibility to specify a schema name for each "changeSet".
- For example this way:
  - <changeSet id="1" author="Marek" runAs="DB_USER_1"> ...
  - <changeSet id="2" author="Marek" runAs="DB_USER_2"> ...
  - <changeSet id="3" author="Marek" runAs="DB_USER_3"> ...
  - <changeSet id="4" author="Marek" runAs="DB_USER_1"> ...
  - <changeSet id="5" author="Marek" runAs="DB_USER_3"> ...
- In the configuration there is a need for one entry for each referred schema name to set the password.
- "DB_USER_1" can also be an alias, and in the configuration there will be a matching database username and password.
- I still expect that there is a single central DATABASECHANGELOG table for one "logical database", as it is already today.
PS:
- We would like to use Liquibase for all database deployments on Oracle databases.
- Today, we can do it for single-schema deployments only. Unfortunately, this covers ~20% of cases.
- I think this proposed (in my opinion small) improvement would remove the last big barrier to start using Liquibase for the remaining 80% of cases as well.

Thank you in advance,
Marek Läll
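
A sketch of how a runner could plan per-owner connections for the `runAs` attribute proposed in the post above, as an added example that is neither Liquibase code nor the poster's. The alias table, the usernames `APP_CORE`, `APP_BATCH` and `APP_REPORT`, the `password_env` key, `build_plan` and the refusal of `SYS`/`SYSTEM` are all assumptions of this example.

```python
import xml.etree.ElementTree as ET
from itertools import groupby

NS = "{http://www.liquibase.org/xml/ns/dbchangelog}"

# Constructed sample: the post's five changeSets with their bodies left empty.
CHANGELOG = """<databaseChangeLog xmlns="http://www.liquibase.org/xml/ns/dbchangelog">
  <changeSet id="1" author="Marek" runAs="DB_USER_1"/>
  <changeSet id="2" author="Marek" runAs="DB_USER_2"/>
  <changeSet id="3" author="Marek" runAs="DB_USER_3"/>
  <changeSet id="4" author="Marek" runAs="DB_USER_1"/>
  <changeSet id="5" author="Marek" runAs="DB_USER_3"/>
</databaseChangeLog>"""

# Hypothetical configuration: alias -> schema owner, with the password taken
# from a named environment variable instead of being stored in the file.
CONNECTIONS = {
    "DB_USER_1": {"username": "APP_CORE", "password_env": "APP_CORE_PW"},
    "DB_USER_2": {"username": "APP_BATCH", "password_env": "APP_BATCH_PW"},
    "DB_USER_3": {"username": "APP_REPORT", "password_env": "APP_REPORT_PW"},
}
PRIVILEGED = {"SYS", "SYSTEM"}  # Oracle accounts this planner refuses to use


class PlanError(ValueError):
    """Raised when a changeSet cannot be tied to a non-privileged owner."""


def build_plan(changelog_xml, connections):
    """Return [(username, [changeSet ids])], preserving changelog order."""
    steps = []
    for cs in ET.fromstring(changelog_xml).iter(NS + "changeSet"):
        cid, alias = cs.get("id"), cs.get("runAs")
        # Policy of this example: never fall back to a shared DBA connection.
        if alias is None:
            raise PlanError(f"changeSet {cid}: missing runAs")
        if alias not in connections:
            raise PlanError(f"changeSet {cid}: no configuration for {alias}")
        user = connections[alias]["username"]
        if user.upper() in PRIVILEGED:
            raise PlanError(f"changeSet {cid}: {alias} maps to {user}")
        steps.append((user, cid))
    # Consecutive changeSets for one owner share a connection; the order of
    # the changelog is kept, so cross-schema dependencies still resolve.
    return [(u, [c for _, c in g]) for u, g in groupby(steps, key=lambda s: s[0])]


if __name__ == "__main__":
    for user, ids in build_plan(CHANGELOG, CONNECTIONS):
        print(f"connect as {user}: run changeSets {', '.join(ids)}")
```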