New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
grant create database to ROLE doesn`t work: "no permission for CREATE access to DATABASE ..." [CORE4821] #5118
Comments
Modified by: @pavel-zotovdescription: Prepare:set bail on; set term ^; create or alter user bill_scott password '123'; revoke all on all from bill_scott; grant create database to role db_creator; commit; show grants; EXIT; Output:/* Grant permissions for this database */ Run:set bail on; set list on; select current_user, current_role, m.*, a.* from mon$database m join mon$attachments a on a.mon$attachment_id = current_connection; create database 'localhost/3333:c:\temp\e30_bill_scott.fdb' user 'bill_scott' password '123' role 'DB_CREATOR'; set list on; select current_user, current_role, m.*, a.* from mon$database m join mon$attachments a on a.mon$attachment_id = current_connection; STDOUT:connect 'localhost/3333:e30' user 'bill_scott' password '123' role 'DB_CREATOR'; set list on; select current_user, current_role, m.*, a.* from mon$database m join mon$attachments a on a.mon$attachment_id = current_connection; USER BILL_SCOTT commit; create database 'localhost/3333:c:\temp\e30_bill_scott.fdb' user 'bill_scott' password '123' role 'DB_CREATOR';STDERR:Statement failed, SQLSTATE = 28000 (on attempt to perform statement: "create database 'localhost/3333:c:\temp\e30_bill_scott.fdb' user 'bill_scott' password '123' role 'DB_CREATOR';"). PS. firebird.conf:RemoteServicePort = 3330 AuthClient = Srp,Legacy_Auth,Win_Sspi ExternalFileAccess = Restrict C:\1INSTALL\FIREBIRD\FB30SNAP FileSystemCacheThreshold = 65536K UserManager = Srp
|
Commented by: @dyemanov How is this supposed to work? Roles exist inside the database, but it's not created yet. |
Commented by: @pavel-zotov doc\sql.extensions\README.ddl_access.txt says:... GRANT CREATE DATABASE TO [USER | ROLE] <user/role name>;
|
Commented by: @dyemanov BTW, shouldn't the ROLE clause be prohibited for a CREATE DATABASE statement, as it can never be enforced? Well, it can be for RDB$ADMIN, but the database creator is already DBO which means the same level of privileges. Or maybe we should silently create the given role while creating the database, grant it to the database creator and activate for the CREATE DATABASE connection? As for granting CREATE DATABASE to some role, I don't see how it could work at all. But maybe I'm missing something. Let's wait for Alex's explanations. |
Commented by: @romansimakov In RedDatabase we have "global role" which is a role living in security2.fdb (any system catalog). It's natural to keep not only users and their privileges in some system catalog but roles as well. No? I hope we can find some general solution for FB 3 to implement something like "global roles". |
Modified by: @AlexPeshkoffassignee: Alexander Peshkov [ alexpeshkoff ] |
Commented by: @AlexPeshkoff Role can be granted in security database, it's checked and used when CREATE DATABASE is executed. After it you can execute target statement. I.e. (use embedded access to security db): # ./isql security.db /* Grant permissions for this database */ localhost bin # ./isql |
Commented by: @AlexPeshkoff What should be fixed on my mind - prevent issuing GRANT CREATE DATABASE TO ROLE when there is no such role in security database. |
Commented by: @AlexPeshkoff Ensure CREATE DATABASE right is granted only to roles that do exist in security database |
Modified by: @AlexPeshkoffstatus: Open [ 1 ] => Resolved [ 5 ] resolution: Fixed [ 1 ] Fix Version: 3.0 Beta 2 [ 10586 ] |
Commented by: @pavel-zotov > Role can be granted in security database, it's checked and used when CREATE DATABASE is executed. After it you can execute target statement. Alex, I can`t understand what I'm doing wrong but the following script has no effect: user who is granted role DB_CREATOR still can`t create database. -- First, make embedded connect to sec3.fdb, create role and user there and make grants: C:\1INSTALL\FIREBIRD\fb30sC>C:\1INSTALL\FIREBIRD\fb30sC\isql.exe security3.fdb Output: SQL> show role; So, the role DOES exists in sec3.fdb and was granted to CREATE DATABASE privilege. -- Then I reconnect using remote protocol and do: SQL> connect 'localhost/3330:e30' user 'almost_dba' password '123' role 'DB_CREATOR'; USER ALMOST_DBA SQL> commit; connect 'localhost/3330:e30' user 'almost_dba' password '123' role 'db_creator'; USER ALMOST_DBA SQL> show grants; /* Grant permissions for this database */ Output says that we can`t connect with role 'DB_CREATOR' -- AFAIU, just becase this role does not exist in the database with alias = 'e30'. SQL> commit; connect 'localhost/3330:e30' user 'sysdba' password 'masterke'; USER ALMOST_DBA Actual role is still "NONE". Why ? What should be changed in this script in order to give user 'almost_dba' ability to create new database WITHOUT direct privilege but instead - through the role. |
Commented by: @AlexPeshkoff > And what client do you use? With current FB3 you should not be able to connect this way. You will get: Statement failed, SQLSTATE = 28000 Correct ways are: SQL> connect 'localhost:employee' user almost_dba password '123' role 'DB_CREATOR'; or SQL> connect 'localhost:employee' user 'ALMOST_DBA' password '123' role 'DB_CREATOR'; BTW, the following works: # ./isql |
Commented by: @pavel-zotov > And what client do you use? With current FB3 you should not be able to connect this way. You will get: Statement failed, SQLSTATE = 28000 You're right: since build 31868 one need specify login in UPPER_CASE if this login was created without double quotes, i.e. like this: > create or alter user almost_dba password '123'; ------- [ 2 ] But please note: I just repeated step of creating user 'almost_dba' and role and granting role to him on empty new database: -- and than do following: SQL> exit; C:\MIX\firebird\QA\fbt-repo\tmp>C:\MIX\firebird\fb30sc\isql.exe // YES, it's that SHOULD be on current FB build. SQL> connect 'localhost/3330:e30' user 'ALMOST_DBA' password '123' role 'DB_CREATOR'; ----- login in U.P.P.E.R. case USER ALMOST_DBA SQL> show version; |
Commented by: @pavel-zotov ... and specifying ROLE in lowercase (as it was in CREATE ROLE statement, see above) - also doesn`t help: SQL> commit; USER ALMOST_DBA |
Commented by: @sim1984 In order that the user entered with a role, this role should be created in this database to be connected. Ie it is necessary to create a role not only in security3.fdb, but also in the database. The role was created in security3.fdb can only specify in the statement CREATE DATABASE. At this point in the CREATE DATABASE statement only makes sense to specify the role RDB$ADMIN. |
Commented by: @pavel-zotov If role is created in order to have ability of anyone who is granted with it to CREATE DATABASE than this role should be created like this: SQL> create role db_creator2 grant admin role; --- similar to create user ... password ... grant admin role But current syntax doesn`t allow it: Statement failed, SQLSTATE = 42000 |
Commented by: @pavel-zotov This isnot asignment, it is like boolean flag that indicates place where this role will be stored. # ./isql remote_host/3050:path/my_database.fdb -q -user SYSDBA -pas masterkey |
Modified by: @pavel-zotovstatus: Resolved [ 5 ] => Resolved [ 5 ] QA Status: No test => Deferred Test Details: Wait untill Alex solution for some questions about possible implementation, see letter 11-jun-2015 12:57. |
Modified by: @pavel-zotovstatus: Resolved [ 5 ] => Resolved [ 5 ] Test Details: Wait untill Alex solution for some questions about possible implementation, see letter 11-jun-2015 12:57. => Wait untill Alex solution for some questions about possible implementation, see letter 11-jun-2015 12:57. -- Following GRANT statement will fail with: grant db_maker to tmp$c4821; |
Modified by: @pavel-zotovstatus: Resolved [ 5 ] => Resolved [ 5 ] QA Status: Deferred => Done successfully Test Details: Wait untill Alex solution for some questions about possible implementation, see letter 11-jun-2015 12:57. -- Following GRANT statement will fail with: grant db_maker to tmp$c4821; => |
Modified by: @pavel-zotovstatus: Resolved [ 5 ] => Closed [ 6 ] |
Modified by: @pavel-zotovstatus: Closed [ 6 ] => Closed [ 6 ] Test Details: ::: NOTE ::: Test requires that databases.conf contains 'RemoteAccess = true' for security.db Test Specifics: [Custom configuration required] |
Submitted by: @pavel-zotov
Prepare:
set bail on;
shell del c:\temp\e30_bill_scott.fdb 2>nul;
set wng off;
set term ^;
execute block as
begin
begin execute statement 'drop role db_creator'; when any do begin end end
end^
set term ;^
commit;
create or alter user bill_scott password '123';
create role db_creator;
commit;
revoke all on all from bill_scott;
revoke all on all from role db_creator;
commit;
grant create database to role db_creator;
grant db_creator to bill_scott;
--grant rdb$admin to bill_scott;
commit;
show grants;
commit;
EXIT;
Output:
/* Grant permissions for this database */
GRANT DB_CREATOR TO BILL_SCOTT
GRANT CREATE DATABASE TO ROLE DB_CREATOR
Run (isql -q -i <name.sql>):
set bail on;
set echo on;
connect 'localhost/3333:e30' user 'bill_scott' password '123' role 'DB_CREATOR';
set list on; select current_user, current_role, m.*, a.* from mon$database m join mon$attachments a on a.mon$attachment_id = current_connection;
commit;
create database 'localhost/3333:c:\temp\e30_bill_scott.fdb' user 'bill_scott' password '123' role 'DB_CREATOR';
commit;
set list on; select current_user, current_role, m.*, a.* from mon$database m join mon$attachments a on a.mon$attachment_id = current_connection;
commit;
drop database;
STDOUT:
connect 'localhost/3333:e30' user 'bill_scott' password '123' role 'DB_CREATOR';
set list on; select current_user, current_role, m.*, a.* from mon$database m join mon$attachments a on a.mon$attachment_id = current_connection;
USER BILL_SCOTT
ROLE DB_CREATOR
MON$DATABASE_NAME C:\FBTESTING\qa\fbt-repo\tmp\E30.fdb
. . .
MON$OWNER SYSDBA
MON$SEC_DATABASE Default
. . .
MON$USER BILL_SCOTT
MON$ROLE DB_CREATOR
MON$REMOTE_PROTOCOL TCPv4
MON$REMOTE_ADDRESS 127.0.0.1
. . .
MON$REMOTE_PROCESS C:\1INSTALL\FIREBIRD\fb30sS\isql.exe
MON$CLIENT_VERSION WI-T3.0.0.31845 Firebird 3.0 Beta 2
MON$REMOTE_VERSION P13
MON$REMOTE_HOST balaha
MON$REMOTE_OS_USER john smith
MON$AUTH_METHOD Srp
MON$SYSTEM_FLAG 0
commit;
create database 'localhost/3333:c:\temp\e30_bill_scott.fdb' user 'bill_scott' password '123' role 'DB_CREATOR';
STDERR:
Statement failed, SQLSTATE = 28000
no permission for CREATE access to DATABASE C:\TEMP\E30_BILL_SCOTT.FDB
(on attempt to perform statement: "create database 'localhost/3333:c:\temp\e30_bill_scott.fdb' user 'bill_scott' password '123' role 'DB_CREATOR';").
PS. firebird.conf:
RemoteServicePort = 3333
SharedCache = true
SharedDatabase = false
DefaultDbCachePages = 2048
AuthClient = Srp,Legacy_Auth,Win_Sspi
AuthServer = Srp,Legacy_Auth
ExternalFileAccess = Restrict C:\1INSTALL\FIREBIRD\FB30SNAP
FileSystemCacheThreshold = 65536K
LockHashSlots = 22111
MaxUserTraceLogSize = 99999
UserManager = Srp
#WireCrypt = Disabled
FB version: WI-T3.0.0.31845
Commits: 4e9539b 5dff2e4 FirebirdSQL/fbt-repository@5c64038 FirebirdSQL/fbt-repository@c37bb38
====== Test Details ======
::: NOTE ::: Test requires that databases.conf contains 'RemoteAccess = true' for security.db
This line is added there by scenario '<QA_HOME>\rundaily.bat' every time when check new FB snapshot.
The text was updated successfully, but these errors were encountered: