FBTRACEMGR should understand 'role <name>' command switch (needed to explicitly connect with role with "TRACE_ANY_ATTACHMENT" privilege) [CORE5269] #5547

Closed
firebird-automations opened this issue Jun 10, 2016 · 10 comments

Comments

@firebird-automations

Submitted by: @pavel-zotov

Consider the following script:

set wng off;
set bail on;
set list on;
set count on;
set echo on;

create or alter user u01 password '123' revoke admin role;
create or alter user u02 password '456' revoke admin role;
revoke all on all from u01;
revoke all on all from u02;
commit;

set term ^;
execute block as
begin
execute statement 'drop role role_for_trace_any_attachment';
when any do begin end
end
^
set term ;^
commit;

-- Trace other users' attachments
create role role_for_trace_any_attachment
set system privileges to TRACE_ANY_ATTACHMENT;
commit;

grant default role_for_trace_any_attachment to user u01;
grant role_for_trace_any_attachment to user u02;
commit;

show users;
show roles;
show grants;

User 'U01' will be able to trace any attachment when he runs the FBSVCMGR utility specifying just his user name and password, i.e. WITHOUT needing to type his default role = "role_for_trace_any_attachment".

But with the same keys for FBSVCMGR, user 'U02' can watch only his own activity.
In order to get trace info about other users, he must issue this command:

fbsvcmgr.exe localhost:service_mgr ^
user u02 ^
password 456 ^
role role_for_trace_any_attachment ^
action_trace_start trc_cfg 1runtrace.conf

(Note the "role role_for_trace_any_attachment".)
But this command cannot be executed: FBSVCMGR issues:

unknown switch "-role" encountered

(and the same if we specify the switch with a hyphen prefix: "-role").

Commits: 70912f2 8bc941c 9d8b20a

@firebird-automations

Modified by: @AlexPeshkoff

assignee: Alexander Peshkov [ alexpeshkoff ]

@firebird-automations

Commented by: @AlexPeshkoff

More precise summary

@firebird-automations

Modified by: @AlexPeshkoff

Component: TRACEMGR [ 10140 ]

summary: Teach FBSVCMGR to understand command switch 'role <name>' ( this is needed for connect with explicit specifying role which has privilege "TRACE_ANY_ATTACHMENT") => Teach FBTRACEMGR to understand command switch 'role <name>' ( this is needed for connect explicitly specifying role which has privilege "TRACE_ANY_ATTACHMENT")

Component: SVCMGR [ 10141 ] =>

@firebird-automations

Modified by: Sean Leyne (seanleyne)

summary: Teach FBTRACEMGR to understand command switch 'role <name>' ( this is needed for connect explicitly specifying role which has privilege "TRACE_ANY_ATTACHMENT") => FBTRACEMGR should understand 'role <name>' command switch (needed to explicitly connect with role with "TRACE_ANY_ATTACHMENT" privilege)

@firebird-automations

Modified by: @AlexPeshkoff

status: Open [ 1 ] => Resolved [ 5 ]

resolution: Fixed [ 1 ]

Fix Version: 4.0 Alpha 1 [ 10731 ]

@firebird-automations

Commented by: @pavel-zotov

No error from the FBSVCMGR command, but user U02 still can NOT trace attachment activity from OTHER users.
Steps:

1) prepare trace config ('tmptrc.cfg'):

database=#%[\\/]bugs.core_5269.fdb
{
enabled = true
log_statement_prepare = true
#log_statement_finish = true
time_threshold = 0
max_sql_length = 5000
}
services {
enabled = false
log_services = false
log_service_query = false
}

2) Open command window #1 and run there in ISQL:

set wng off;
set bail on;
set list on;

create or alter user u01 password '123' revoke admin role;
create or alter user u02 password '456' revoke admin role;
revoke all on all from u01;
revoke all on all from u02;
commit;

-- Trace other users' attachments
create role role_for_trace_any_attachment
set system privileges to TRACE_ANY_ATTACHMENT;
commit;
grant role_for_trace_any_attachment to user u02;
commit;
quit;

3) In window #1, run FBSVCMGR specifying user U02 and role 'role_for_trace_any_attachment':

fbsvcmgr localhost:service_mgr user U02 password 456 role role_for_trace_any_attachment action_trace_start trc_cfg tmptrc.cfg

Output:
Trace session ID 3 started

(i.e. no error, it's OK)

4) Open command window #2 and run there:

4.1) echo select 1 from rdb$database;|isql -q /:e40 -user u02 -pas 456

Check window #1: it *will* contain output about the activity of user U02 (which was specified in the FBSVCMGR command, i.e. this is his *own* activity):

2016-08-04T08:19:01.3630 (2928:00D30B48) PREPARE_STATEMENT
e40 (ATT_21, U02:NONE, NONE, TCPv4:192.168.43.154/4116)
C:\MIX\Firebird\fb40\isql.exe:2632
(TRA_28, READ_COMMITTED | NO_REC_VERSION | WAIT | READ_WRITE)

Statement 26:
-------------------------------------------------------------------------------
select 1 from rdb$database
0 ms

4.2) echo select 1 from rdb$database;|isql -q /:e40 -user u01 -pas 123

Check window #1: there is NO new text; activity from U01 is not displayed.

PS. Tested on WI-T4.0.0.320.
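
One way to automate the check in steps 4.1 and 4.2, as an added example that is not part of the original comment or of the Firebird test suite: it parses trace output in the layout quoted above and reports whether the session shows attachments of users other than the one who started it. The function names, the regular expressions and the second (U01) event are assumptions constructed for illustration.

```python
import re

# Event header, e.g. "2016-08-04T08:19:01.3630 (2928:00D30B48) PREPARE_STATEMENT"
HEADER = re.compile(r"^(\d{4}-\d{2}-\d{2}T[\d:.]+) \(\d+:[0-9A-Fa-f]+\) ([A-Z_]+)\s*$")
# Attachment line, e.g. "e40 (ATT_21, U02:NONE, NONE, TCPv4:...)" -> db, id, user, role
ATTACH = re.compile(r"^\s*(.+?) \(ATT_(\d+), ([^:]+):([^,]+), ")

# The first event is the one quoted in the comment; the U01 event is constructed
# to show what window #1 should also contain once the role is honoured.
SAMPLE_TRACE = r"""
2016-08-04T08:19:01.3630 (2928:00D30B48) PREPARE_STATEMENT
    e40 (ATT_21, U02:NONE, NONE, TCPv4:192.168.43.154/4116)
    C:\MIX\Firebird\fb40\isql.exe:2632
        (TRA_28, READ_COMMITTED | NO_REC_VERSION | WAIT | READ_WRITE)

Statement 26:
-------------------------------------------------------------------------------
select 1 from rdb$database
      0 ms

2016-08-04T08:19:07.1210 (2928:00D30B48) PREPARE_STATEMENT
    e40 (ATT_22, U01:NONE, NONE, TCPv4:192.168.43.154/4121)
"""

def parse_events(text):
    """Return one dict per trace event that carries an attachment line."""
    events, pending = [], None
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            pending = {"time": m.group(1), "event": m.group(2)}
            continue
        m = ATTACH.match(line)
        if m and pending is not None:
            pending.update(database=m.group(1), att_id=int(m.group(2)),
                           user=m.group(3).upper(), role=m.group(4))
            events.append(pending)
            pending = None  # remaining lines of this event are statement details
    return events

def users_seen(events):
    """Set of attachment user names that appear in the trace output."""
    return {e["user"] for e in events}

def sees_other_users(events, session_user):
    """True if the trace shows activity of anyone except the session owner."""
    return bool(users_seen(events) - {session_user.upper()})

if __name__ == "__main__":
    evts = parse_events(SAMPLE_TRACE)
    print(sorted(users_seen(evts)), sees_other_users(evts, "u02"))
```

Run against the text captured in window #1, `sees_other_users(events, "U02")` returning False corresponds to the result reported in step 4.2.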

@firebird-automations

Commented by: @AlexPeshkoff

Pavel, please recheck with next snapshot

@firebird-automations

Modified by: @pavel-zotov

status: Resolved [ 5 ] => Resolved [ 5 ]

QA Status: No test => Done successfully

@firebird-automations

Modified by: @pavel-zotov

status: Resolved [ 5 ] => Closed [ 6 ]

@firebird-automations

Commented by: @pavel-zotov

> please recheck with next snapshot

All OK on WI-T4.0.0.321
