no permission for CREATE access to DATABASE (for RDB$ADMIN) [CORE4648] #4962

Closed
firebird-automations opened this issue Dec 23, 2014 · 11 comments

Comments

@firebird-automations

Submitted by: Volker Rehn (vr2_s18)

Jira_subtask_outward CORE4651
Jira_subtask_outward CORE4652
Jira_subtask_outward CORE4662
Jira_subtask_outward CORE5360

RDB$ADMIN can't restore a database, which worked in Firebird 3 alpha build 31152.

Used isql of Firebird3 beta as sysdba to setup a new user xy, made xy admin by doing grant RDB$ADMIN to xy; alter user xy grant admin role.
This new user, although admin, is not allowed to restore a database. Verified in isql that xy is RDB$ADMIN by doing select * from sec$users.

This user does not have privilege to perform this operation on this object.
no permission for CREATE access to DATABASE C:\WEB\DATA\DATA4.FDB.

sysdba *can* restore this database. xy *can* restore using gbak -C ... -role RDB$ADMIN ...

firebird.conf is modified, since I use legacy applications (php, Flamerobin, SQLHammer)

AuthServer = Legacy_Auth
AuthClient = Legacy_Auth
UserManager = Legacy_UserManager
CryptPlugin =
WireCrypt = Disabled

Perhaps something with the service mgr? This worked in Build 31152

====== Test Details ======

NB! Needs to be re-implemented because `grant create database to u4648;` can't be run on current FB version:

Statement failed, SQLSTATE = 0A000
unsuccessful metadata update
-GRANT failed
-feature is not supported
-Only grants to USER or ROLE are supported for CREATE DATABASE
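
The firebird.conf overrides quoted in the report above restrict authentication to the legacy plugin and turn wire encryption off. The following is an added example, not part of the original issue or of Firebird's code, that parses such a file and flags those settings; the function names, the finding texts and the case-insensitive key matching are assumptions of this sketch.

```python
import re

# Constructed sample: the overrides quoted in the issue report.
REPORTED_CONF = """\
# firebird.conf overrides (constructed from the report)
AuthServer = Legacy_Auth
AuthClient = Legacy_Auth
UserManager = Legacy_UserManager
CryptPlugin =
WireCrypt = Disabled
"""


def parse_conf(text):
    """Return {lowercased key: [values]} for 'Key = v1, v2' lines.

    '#' starts a comment; in this sketch a later line for the same key
    replaces an earlier one.
    """
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or "=" not in line:
            continue
        key, value = line.split("=", 1)
        values = [v for v in re.split(r"[,;\s]+", value.strip()) if v]
        settings[key.strip().lower()] = values
    return settings


def audit(text):
    """Return a list of findings for legacy auth and disabled wire encryption."""
    conf = parse_conf(text)
    findings = []
    for key in ("authserver", "authclient"):
        plugins = [p.lower() for p in conf.get(key, [])]
        if "legacy_auth" in plugins:
            note = " (only plugin listed)" if plugins == ["legacy_auth"] else ""
            findings.append(f"{key}: Legacy_Auth accepted{note}")
    if "legacy_usermanager" in [v.lower() for v in conf.get("usermanager", [])]:
        findings.append("usermanager: Legacy_UserManager in use")
    if [v.lower() for v in conf.get("wirecrypt", [])] == ["disabled"]:
        findings.append("wirecrypt: Disabled, traffic is sent unencrypted")
    return findings


if __name__ == "__main__":
    for finding in audit(REPORTED_CONF):
        print(finding)
```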

@firebird-automations

Modified by: @AlexPeshkoff

assignee: Alexander Peshkov [ alexpeshkoff ]

@firebird-automations

Commented by: @AlexPeshkoff

Volker, if "xy *can* restore using gbak -C ... -role RDB$ADMIN" what is a problem?

BTW, using legacy applications you still can use new security model. They should work with fresh fbclient. If not - it's a bug.

@firebird-automations

Commented by: Volker Rehn (vr2_s18)

> if "xy *can* restore using gbak -C ... -role RDB$ADMIN" what is a problem?

applications do not always have access to the command line, it should not be necessary for restore.
But the point is, it seems that the RDB$ADMIN role is not properly conveyed from an application to the server, or for some other reason the server does not apply the admin role.

Please try this in Flamerobin: connect as a user who is rdb$admin, use this role, and
create user abc password 'xxx'

I get

Engine Code : 336723987
Engine Message :
add record error
no permission for INSERT access to TABLE PLG$VIEW_USERS
unknown ISC error 0

related: admin xy only sees his own record when doing select sec$user_name from sec$users in Flamerobin. Running the same query in isql as admin xy shows all users.

> using legacy applications you still can use new security model. They should work with fresh fbclient. If not - it's a bug.

this is the complete error msg trying to restore using Flamerobin
Engine Code : 335544352
Engine Message :
no permission for CREATE access to DATABASE data5
failed to create database data5
unknown ISC error 336330835

@firebird-automations

Commented by: @AlexPeshkoff

Please avoid placing information about more than one bug in single issue.

@firebird-automations

Modified by: @AlexPeshkoff

status: Open [ 1 ] => Resolved [ 5 ]

resolution: Fixed [ 1 ]

Fix Version: 3.0 Beta 2 [ 10586 ]

@firebird-automations

Commented by: Volker Rehn (vr2_s18)

The issue with restoring a database as rdb$admin is not resolved, tested with snapshot 31529, please reopen subtask CORE4651

I still get the same error msg as in my last comment. Are there additional requirements (configuration, placement of files) for this to work?

The other two bugs are resolved:
Running "create user abc ..." and "select * from sec$users" as rdb$admin from applications other than isql now work as expected.

Sorry for reporting several bugs in one ticket, I thought they were all symptoms of the same root cause.

@firebird-automations

Commented by: @AlexPeshkoff

I've made required fixes to firebird but that DOES NOT mean that it will be AT ONCE possible to restore database using flamerobin as you want. Some fixes are needed in flamerobin to make it learn to pass role name when restoring database (and to other services).

@firebird-automations

Commented by: Volker Rehn (vr2_s18)

Great, thanks, I understand. Any application using the services_mgr for restore needs to call the API differently for this to work.

@firebird-automations

Modified by: @pavel-zotov

status: Resolved [ 5 ] => Resolved [ 5 ]

QA Status: Done successfully

@firebird-automations

Modified by: @pavel-zotov

status: Resolved [ 5 ] => Closed [ 6 ]

@firebird-automations

Modified by: @pavel-zotov

status: Closed [ 6 ] => Closed [ 6 ]

QA Status: Done successfully => Done with caveats

Test Details: NB! Needs to be re-implemented because `grant create database to u4648;` can't be run on current FB version:

Statement failed, SQLSTATE = 0A000
unsuccessful metadata update
-GRANT failed
-feature is not supported
-Only grants to USER or ROLE are supported for CREATE DATABASE
