FBTRACEMGR should understand 'role <name>' command switch (needed to explicitly connect with role with "TRACE_ANY_ATTACHMENT" privilege) [CORE5269] #5547
Comments
Modified by: @AlexPeshkoff assignee: Alexander Peshkov [ alexpeshkoff ]
Commented by: @AlexPeshkoff More precise summary
Modified by: @AlexPeshkoff Component: TRACEMGR [ 10140 ] summary: Teach FBSVCMGR to understand command switch 'role <name>' ( this is needed for connect with explicit specifying role which has privilege "TRACE_ANY_ATTACHMENT") => Teach FBTRACEMGR to understand command switch 'role <name>' ( this is needed for connect explicitly specifying role which has privilege "TRACE_ANY_ATTACHMENT") Component: SVCMGR [ 10141 ] =>
Modified by: Sean Leyne (seanleyne) summary: Teach FBTRACEMGR to understand command switch 'role <name>' ( this is needed for connect explicitly specifying role which has privilege "TRACE_ANY_ATTACHMENT") => FBTRACEMGR should understand 'role <name>' command switch (needed to explicitly connect with role with "TRACE_ANY_ATTACHMENT" privilege)
Modified by: @AlexPeshkoff status: Open [ 1 ] => Resolved [ 5 ] resolution: Fixed [ 1 ] Fix Version: 4.0 Alpha 1 [ 10731 ]
Commented by: @pavel-zotov No error from FBSVCMGR command but user U02 still can NOT trace attachment activity from OTHER user.
1) prepare trace config ('tmptrc.cfg'):
database=#%[\\/]bugs.core_5269.fdb
Commented by: @AlexPeshkoff Pavel, please recheck with next snapshot
Modified by: @pavel-zotov status: Resolved [ 5 ] => Resolved [ 5 ] QA Status: No test => Done successfully
Modified by: @pavel-zotov status: Resolved [ 5 ] => Closed [ 6 ]
Commented by: @pavel-zotov > please recheck with next snapshot All OK on WI-T4.0.0.321
Submitted by: @pavel-zotov
Consider the following script:
set wng off;
set bail on;
set list on;
set count on;
set echo on;
create or alter user u01 password '123' revoke admin role;
create or alter user u02 password '456' revoke admin role;
revoke all on all from u01;
revoke all on all from u02;
commit;
set term ^;
execute block as
begin
execute statement 'drop role role_for_trace_any_attachment';
when any do begin end
end
^
set term ;^
commit;
-- Trace other users' attachments
create role role_for_trace_any_attachment
set system privileges to TRACE_ANY_ATTACHMENT;
commit;
grant default role_for_trace_any_attachment to user u01;
grant role_for_trace_any_attachment to user u02;
commit;
show users;
show roles;
show grants;
User 'U01' will be able to trace any attachment when he runs the FBSVCMGR utility specifying just his user name and password, i.e. WITHOUT needing to type his default role = "role_for_trace_any_attachment".
But with the same keys for FBSVCMGR, user 'U02' can watch only his own activity.
In order to get trace info about other users he must issue this command:
fbsvcmgr.exe localhost:service_mgr ^
user u02 ^
password 456 ^
role role_for_trace_any_attachment ^
action_trace_start trc_cfg 1runtrace.conf
(NOTE on "role role_for_trace_any_attachment").
But this command cannot be executed: FBSVCMGR issues:
unknown switch "-role" encountered
(and the same if we specify the switch with a hyphen prefix: "-role").
Commits: 70912f2 8bc941c 9d8b20a
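The difference between the default grant to U01 and the ordinary grant to U02, as an added example (not part of the original report and not Firebird code): a simplified Python model of which system privileges are active for a connection, plus an audit of who can trace other users' attachments. The grant data is constructed to mirror the script above, and all function and variable names are hypothetical.

```python
from dataclasses import dataclass

# Constructed data mirroring the script in the issue: one role carries the
# TRACE_ANY_ATTACHMENT system privilege.
ROLE_PRIVS = {"ROLE_FOR_TRACE_ANY_ATTACHMENT": {"TRACE_ANY_ATTACHMENT"}}


@dataclass(frozen=True)
class RoleGrant:
    user: str
    role: str
    is_default: bool  # True for GRANT DEFAULT <role> TO USER <user>


GRANTS = (
    RoleGrant("U01", "ROLE_FOR_TRACE_ANY_ATTACHMENT", True),
    RoleGrant("U02", "ROLE_FOR_TRACE_ANY_ATTACHMENT", False),
)


def effective_privileges(user, role=None, grants=GRANTS):
    """System privileges active for a connection (simplified model)."""
    user = user.upper()
    role = role.upper() if role else None
    active = set()
    for g in grants:
        # A default role is active on every connection; any other role counts
        # only when the client names it and it was actually granted.
        if g.user == user and (g.is_default or g.role == role):
            active |= ROLE_PRIVS.get(g.role, set())
    return active


def can_trace(user, attachment_owner, role=None):
    """Own attachments are always visible; others need TRACE_ANY_ATTACHMENT."""
    if user.upper() == attachment_owner.upper():
        return True
    return "TRACE_ANY_ATTACHMENT" in effective_privileges(user, role)


def audit(grants=GRANTS):
    """Map each grantee to 'always' (default grant) or 'on request' (must name the role)."""
    report = {}
    for g in grants:
        if "TRACE_ANY_ATTACHMENT" not in ROLE_PRIVS.get(g.role, set()):
            continue
        if g.is_default or g.user not in report:
            report[g.user] = "always" if g.is_default else "on request"
    return report
```

For a least-privilege review, the 'always' entries are the accounts whose every service connection can see other users' activity, while 'on request' accounts gain that visibility only when the client passes the role.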