Commented by: @dyemanov

How is this supposed to work? Roles exist inside the database, but it's not created yet.

Commented by: @pavel-zotov

doc\sql.extensions\README.ddl_access.txt says:

...
For database access special form is supported:

GRANT CREATE DATABASE TO [USER | ROLE] <user/role name>;
...

For what 'ROLE' is mentioned here if it is impossible do to that ?

Commented by: @dyemanov

BTW, shouldn't the ROLE clause be prohibited for a CREATE DATABASE statement, as it can never be enforced? Well, it can be for RDB$ADMIN, but the database creator is already DBO which means the same level of privileges. Or maybe we should silently create the given role while creating the database, grant it to the database creator and activate for the CREATE DATABASE connection?

As for granting CREATE DATABASE to some role, I don't see how it could work at all. But maybe I'm missing something. Let's wait for Alex's explanations.

Commented by: @romansimakov

In RedDatabase we have "global role" which is a role living in security2.fdb (any system catalog). It's natural to keep not only users and their privileges in some system catalog but roles as well. No? I hope we can find some general solution for FB 3 to implement something like "global roles".

Commented by: @AlexPeshkoff

Role can be granted in security database, it's checked and used when CREATE DATABASE is executed. After it you can execute target statement. I.e. (use embedded access to security db):

#⁠ ./isql security.db
Database: security.db
SQL> show grant;

/* Grant permissions for this database */
..... --other grants
GRANT DB_CREATOR TO BILL_SCOTT
GRANT CREATE DATABASE TO ROLE DB_CREATOR
SQL> <ctrl-D>

localhost bin #⁠ ./isql
Use CONNECT or CREATE DATABASE to specify a database
SQL> create database 'localhost:/tmp/bill_scott.fdb' user 'bill_scott' password '123' role 'DB_CREATOR';
SQL>

Commented by: @AlexPeshkoff

What should be fixed on my mind - prevent issuing GRANT CREATE DATABASE TO ROLE when there is no such role in security database.

Commented by: @AlexPeshkoff

Ensure CREATE DATABASE right is granted only to roles that do exist in security database

Commented by: @pavel-zotov

> Role can be granted in security database, it's checked and used when CREATE DATABASE is executed. After it you can execute target statement.

Alex, I can`t understand what I'm doing wrong but the following script has no effect: user who is granted role DB_CREATOR still can`t create database.

-- First, make embedded connect to sec3.fdb, create role and user there and make grants:

C:\1INSTALL\FIREBIRD\fb30sC>C:\1INSTALL\FIREBIRD\fb30sC\isql.exe security3.fdb
Database: security3.fdb
SQL> set term ^;
SQL> execute block as
CON> begin
CON> execute statement 'drop role db_creator';
CON> when any do begin end
CON> end
CON> ^
SQL> set term ;^
SQL> commit;
SQL> create role db_creator; ----------------------------------------- [ 1 ]
SQL> commit;
SQL> create or alter user almost_dba password '123'; ------- [ 2 ]
SQL> commit;
SQL> grant create database to role db_creator; ----------------- [ 3 ]
SQL> grant db_creator to almost_dba; ----------------------------- [ 4 ]
SQL> commit;
SQL> show grants;

Output:
<. . . skipped several lines related to default settings . . .>
GRANT DB_CREATOR TO ALMOST_DBA GRANTED BY SYSDBA
GRANT CREATE DATABASE TO ROLE DB_CREATOR

SQL> show role;
DB_CREATOR
SQL> show role db_creator;
Role DB_CREATOR is granted to:
ALMOST_DBA

So, the role DOES exists in sec3.fdb and was granted to CREATE DATABASE privilege.

-- Then I reconnect using remote protocol and do:

SQL> connect 'localhost/3330:e30' user 'almost_dba' password '123' role 'DB_CREATOR';
Database: 'localhost/3330:e30', User: almost_dba, Role: DB_CREATOR
SQL> set list on;
SQL> select current_user,current_role from rdb$database;

USER ALMOST_DBA
ROLE NONE

SQL> commit; connect 'localhost/3330:e30' user 'almost_dba' password '123' role 'db_creator';
Database: 'localhost/3330:e30', User: almost_dba, Role: db_creator
SQL> select current_user,current_role from rdb$database;

USER ALMOST_DBA
ROLE NONE

SQL> show grants;

/* Grant permissions for this database */
GRANT CREATE DATABASE TO ROLE DB_CREATOR
SQL> show role;
There are no roles in this database
SQL>

Output says that we can`t connect with role 'DB_CREATOR' -- AFAIU, just becase this role does not exist in the database with alias = 'e30'.
OK, create this role also here:

SQL> commit; connect 'localhost/3330:e30' user 'sysdba' password 'masterke';
SQL> create role db_creator;
SQL> commit;
SQL> grant db_creator to almost_dba;
SQL> commit;
SQL> connect 'localhost/3330:e30' user 'almost_dba' password '123' role 'db_creator';
Database: 'localhost/3330:e30', User: almost_dba, Role: db_creator
SQL> select current_user,current_role from rdb$database;

USER ALMOST_DBA
ROLE NONE

Actual role is still "NONE". Why ? What should be changed in this script in order to give user 'almost_dba' ability to create new database WITHOUT direct privilege but instead - through the role.

Commented by: @AlexPeshkoff

>
>-- Then I reconnect using remote protocol and do:
>
>SQL> connect 'localhost/3330:e30' user 'almost_dba' password '123' role 'DB_CREATOR';
>Database: 'localhost/3330:e30', User: almost_dba, Role: DB_CREATOR
>

And what client do you use? With current FB3 you should not be able to connect this way. You will get:

Statement failed, SQLSTATE = 28000
Your user name and password are not defined. Ask your database administrator to set up a Firebird login.

Correct ways are:

SQL> connect 'localhost:employee' user almost_dba password '123' role 'DB_CREATOR';
Database: 'localhost:employee', User: almost_dba, Role: DB_CREATOR
SQL>

or

SQL> connect 'localhost:employee' user 'ALMOST_DBA' password '123' role 'DB_CREATOR';
Database: 'localhost:employee', User: 'ALMOST_DBA', Role: DB_CREATOR
SQL>

BTW, the following works:

#⁠ ./isql
Use CONNECT or CREATE DATABASE to specify a database
SQL> CREATE DATABASE 'localhost:123.fdb' user almost_dba password '123' role db_creator;
SQL> show database;
Database: localhost:123.fdb
Owner: ALMOST_DBA
DB = /tmp/123.fdb
...

Commented by: @pavel-zotov

> And what client do you use? With current FB3 you should not be able to connect this way. You will get: Statement failed, SQLSTATE = 28000

You're right: since build 31868 one need specify login in UPPER_CASE if this login was created without double quotes, i.e. like this:

> create or alter user almost_dba password '123'; ------- [ 2 ]

But please note: I just repeated step of creating user 'almost_dba' and role and granting role to him on empty new database:
...
SQL> commit;
SQL> create role db_creator; ----------------------------------------- [ 1 ]
SQL> commit;
SQL> create or alter user almost_dba password '123'; ------- [ 2 ]
SQL> commit;
SQL> grant create database to role db_creator; ----------------- [ 3 ]
SQL> grant db_creator to almost_dba; ----------------------------- [ 4 ]
SQL> commit;
SQL> show grants;

-- and than do following:

SQL> exit;

C:\MIX\firebird\QA\fbt-repo\tmp>C:\MIX\firebird\fb30sc\isql.exe
Use CONNECT or CREATE DATABASE to specify a database
SQL> connect 'localhost/3330:e30' user 'almost_dba' password '123' role 'DB_CREATOR';
Statement failed, SQLSTATE = 28000
Your user name and password are not defined. Ask your database administrator to set up a Firebird login.

// YES, it's that SHOULD be on current FB build.

SQL> connect 'localhost/3330:e30' user 'ALMOST_DBA' password '123' role 'DB_CREATOR'; ----- login in U.P.P.E.R. case
Database: 'localhost/3330:e30', User: 'ALMOST_DBA', Role: DB_CREATOR
SQL> set list on;
SQL> select current_user,current_role from rdb$database;

USER ALMOST_DBA
ROLE NONE -------------------------------------- WHY ??

SQL> show version;
ISQL Version: WI-T3.0.0.31868 Firebird 3.0 Beta 2
Server version:
Firebird/Windows/Intel/i386 (access method), version "WI-T3.0.0.31868 Firebird 3.0 Beta 2"
Firebird/Windows/Intel/i386 (remote server), version "WI-T3.0.0.31868 Firebird 3.0 Beta 2/tcp (csprog)/P13"
Firebird/Windows/Intel/i386 (remote interface), version "WI-T3.0.0.31868 Firebird 3.0 Beta 2/tcp (csprog)/P13"
on disk structure version 12.0
SQL>

Commented by: @pavel-zotov

... and specifying ROLE in lowercase (as it was in CREATE ROLE statement, see above) - also doesn`t help:

SQL> commit;
SQL> connect 'localhost/3330:e30' user 'ALMOST_DBA' password '123' role 'db_creator';
Database: 'localhost/3330:e30', User: 'ALMOST_DBA', Role: db_creator
SQL> select current_user,current_role from rdb$database;

USER ALMOST_DBA
ROLE NONE

Commented by: @sim1984

In order that the user entered with a role, this role should be created in this database to be connected. Ie it is necessary to create a role not only in security3.fdb, but also in the database. The role was created in security3.fdb can only specify in the statement CREATE DATABASE. At this point in the CREATE DATABASE statement only makes sense to specify the role RDB$ADMIN.

Commented by: @pavel-zotov

If role is created in order to have ability of anyone who is granted with it to CREATE DATABASE than this role should be created like this:

SQL> create role db_creator2 grant admin role; --- similar to create user ... password ... grant admin role

But current syntax doesn`t allow it:

Statement failed, SQLSTATE = 42000
Dynamic SQL Error
-SQL error code = -104
-Token unknown - line 1, column 25
-grant

Commented by: @sim1984

So far, the FB is not possible to assign roles to another role. See CORE1815

Commented by: @pavel-zotov

This isnot asignment, it is like boolean flag that indicates place where this role will be stored.
Syntax could be more clear if one might to do like this:

#⁠ ./isql remote_host/3050:path/my_database.fdb -q -user SYSDBA -pas masterkey
SQL> CREATE ROLE DB_CREATOR STORE IN SECURITY DATABASE; -- this mean that role will be created in SEC3.FDB
SQL> COMMIT;
SQL> CREATE USER BILL_SCOTT PASSWORD '123';
SQL> GRANT CREATE DATABASE TO DB_CREATOR; -- this will add record in rdb$privileges from SEC3.FDB rather than from my_database.fdb
SQL> GRANT DB_CREATOR TO BILL_SCOTT; -- this also add record in rdb$privileges from SEC3.FDB