Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

GRANT ADMIN ROLE (in CREATE USER statement) can be specified only before 'USING PLUGIN' if clause TAGS present [CORE5826] #6087

Open
firebird-automations opened this issue May 16, 2018 · 0 comments
Open

GRANT ADMIN ROLE (in CREATE USER statement) can be specified only before 'USING PLUGIN' if clause TAGS present [CORE5826] #6087

firebird-automations opened this issue May 16, 2018 · 0 comments
Labels
affect-version: 3.0.3 affect-version: 4.0 Alpha 1 component: engine component: security priority: major type: bug

Comments

@firebird-automations
Copy link
Collaborator

Submitted by: @pavel-zotov

Consider following samples:

SQL> create user foo password '123' grant admin role using plugin Srp;
SQL> drop user foo using plugin srp;
SQL> create user foo password '123' using plugin Srp grant admin role;
SQL> drop user foo using plugin Srp;

-- all above will be performed without errors.
Note that we can specify 'GRANT ADMIN ROLE' both *before* and *after* 'USING PLUGIN' clause.

This also works Ok:

SQL> create user foo password '123' grant admin role using plugin Srp tags( key1 = 'val1' );
SQL> drop user foo using plugin srp;

But this fails:

SQL> create user foo password '123' using plugin Srp tags( key1 = 'val1' ) grant admin role;
Statement failed, SQLSTATE = 42000
Dynamic SQL Error
-SQL error code = -104
-Token unknown - line 1, column 71
-grant

So, 'GRANT ADMIN ROLE' can be specified only BEFORE 'using plugin Srp' if TAGS clause present in the statement.

It seems that this contradicts to syntax from langref30.pdf & langref40.pdf (unfortunately, this docs still only in russian):

CREATE USER username PASSWORD 'password'
[FIRSTNAME 'firstname']
[MIDDLENAME 'middlename']
[LASTNAME 'lastname']
[ACTIVE | INACTIVE]
[USING PLUGIN pluginname] --------------------------------- [1]
[TAGS (<tag>[, <tag>[, <tag>...]] )]
[GRANT ADMIN ROLE] ------------------------------------------ [2]

Checked on:
* WI-V3.0.4.32972
* WI-T4.0.0.977

PS.

Please look in:
* https://firebirdsql.org/file/documentation/reference_manuals/user_manuals/html/qsg3-config.html#qsg3-config-gsec
* https://firebirdsql.org/file/documentation/reference_manuals/user_manuals/Firebird-3-QuickStart.pdf
* %FB_HOME%\doc\sql.extensions\README.user_management

IMO, existing documentation of 'CREATE/ALTER USER' should explicitly point about necessity of USING PLUGIN clause if we want to use any new features that appeared in 3.0+ (TAGS clause; ALTER USER INACTIVE / ACTIVE etc). All of them will be ignored if user is created / altered with legacy plugin.

Currently we have only phrase: "*some* options are ignored when using legacy user management plugin." (see %FB_HOME%\doc\sql.extensions\README.user_management )
Only langref30.pdf & langref40.pdf (rus) have warnings about necessity to use plugin that differs from legacy one
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
affect-version: 3.0.3 affect-version: 4.0 Alpha 1 component: engine component: security priority: major type: bug
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
1 participant
@firebird-automations