Опубликовано: 14 янв 15
Рейтинг:
Рейтинг:
Автор: churupaha
Прислал: churupaha
Для чтения:
Ownership Chains
CREATE LOGIN
CREATE USER
CREATE CERTIFICATE
ADD SIGNATURE / ADD COUNTER SIGNATURE
Пример:
/* Задача. Пусть есть две базы db1 и db2: master: test_login (user login) db1: test_user (database user for test_login) dbo.test_proc1 (stored procedure) dbo.test_proc2 (stored procedure) db2: dbo.t (table) dbo.p (stored procedure) Нужно от некоторого пользователя test_user: 1) из процедуры db1.dbo.test_proc1: - вызвать процедуру db2.dbo.p - сделать явную вставку в db2.dbo.t 2) из процедуры db1.dbo.test_proc2: - опросить какую-нибудь системную DMV с минимальными правами пользователя test_user: - execute на test_proc1 - execute на test_proc2 */ /* Создаем базы, сертификаты и пользоваетелей. */ create database db1; go create database db2; go use db1; go create certificate __c encryption by password = 'P@ssw0rd12435rrfr' with subject = '...', expiry_date = '20991231'; go create user __u from certificate __c; go backup certificate __c to file = 'c:\temp\__c.bak' with private key ( file = 'c:\temp\__c_priv.bak' , encryption by password = 'P@ssw0rd12435rrfr', decryption by password = 'P@ssw0rd12435rrfr' ) go use master; go create certificate __c from file = 'c:\temp\__c.bak' with private key ( file = 'c:\temp\__c_priv.bak', decryption by password = 'P@ssw0rd12435rrfr', encryption by password = 'P@ssw0rd12435rrfr' ); go -- Этому логину будут раздаваться права на объекты сервера, -- которые будут использоваться в пользовательских хранимках, -- подписанных сертификатом __c. create login __l from certificate __c; go use db2; go create certificate __c from file = 'c:\temp\__c.bak' with private key ( file = 'c:\temp\__c_priv.bak', decryption by password = 'P@ssw0rd12435rrfr', encryption by password = 'P@ssw0rd12435rrfr' ); go -- Этому пользователю будут раздаваться права на объекты базы db2, -- которые будут использоваться во внешних хранимках, -- подписанных сертификатом __c. create user __u from certificate __c; go /* Создаем объекты в базе db1 */ use db1; go create procedure test_proc1 as begin set nocount on; insert into db2.dbo.t(id, name) values(1, 'Строка вставлена из db1.dbo.test_proc1 в db2.dbo.p'); exec db2.dbo.p; end go create procedure test_proc2 as begin set nocount on; select * from sys.dm_exec_sessions; end go add signature to test_proc1 by certificate __c with password = 'P@ssw0rd12435rrfr'; go add signature to test_proc2 by certificate __c with password = 'P@ssw0rd12435rrfr'; go -- Этот grant нужен только для test_proc2 use master go grant view server state to __l; go /* Создаем объекты в базе db2 */ use db2 go create table t(id int, name nvarchar(100)); go create procedure p as begin set nocount on; select id, name from t union all select 2, 'Процедура db2.dbo.p вызвана из db1.dbo.test_proc1'; end go add counter signature to p by certificate __c with password = 'P@ssw0rd12435rrfr'; go -- этот грант нужент ТОЛЬКО для разрешения ЯВНОЙ вставки в базу -- из любой процедуры, подписанной сертификатом __c (в примере db1.dbo.test_proc1) grant insert on t to __u; -- если требуется только вызов процедуры p, достаточно только -- далее отработает owner chaining grant execute on p to __u; go /* Для наглядности происходящего явно выключаем: DB_CHAINING TRUSTWORTHY */ use master; go alter database db1 set db_chaining off; go alter database db2 set db_chaining off; go alter database db1 set trustworthy off; go alter database db2 set trustworthy off; go /* Некий пользовательский логин для тестирования. */ create login test_login with password = 'P@ssw0rd2asdvas'; go use db1; go create user test_user for login test_login; go grant execute on test_proc1 to test_user; go grant execute on test_proc2 to test_user; go /* Тестируем */ use db1; go execute as login = 'test_login' select suser_sname(), user_name(), * from sys.fn_my_permissions(NULL, 'SERVER'); select suser_sname(), user_name(), * from sys.fn_my_permissions(NULL, 'DATABASE'); select suser_sname(), user_name(), * from sys.fn_my_permissions('dbo.test_proc1', 'OBJECT'); select suser_sname(), user_name(), * from sys.fn_my_permissions('dbo.test_proc2', 'OBJECT'); exec test_proc1; exec test_proc2; revert;
Комментарии
<a href="http://www.jordans-retro.us.com">jordan retro 11</a>
<a href="http://www.ultraboost.us.org">ultra boost</a>
<a href="http://www.adidasoutlets.us">adidas outlet</a>
<a href="http://www.mbt.us.org">mbt</a>
<a href="http://www.coachhandbagsoutletstores.us.com">coach handbags</a>
<a href="http://www.pandoras-jewelry.us.com">pandora jewelry</a>
<a href="http://www.birkenstocks-outlet.us.com">birkenstock outlet</a>
<a href="http://www.north-face-jackets.us.com">north face jackets</a>
<a href="http://www.northface-jacket.org.uk">north face uk</a>
<a href="http://www.kyrie4-shoes.us.com">kyrie 4</a>
<a href="http://www.vapormax-nike.us.com">vapormax</a>
<a href="http://www.nmd-r1.us.com">nmd r1</a>
<a href="http://www.pumafentyshoes.us.com">rihanna puma</a>
<a href="http://www.redjordan11.us.com">jordan 11 red</a>
<a href="http://www.lebronshoes15.us.com">lebron shoes</a>
<a href="http://www.kobebryant-shoes.us.com">nike kobe</a>
<a href="http://www.red11s.us.com">gym red 11</a>
<a href="http://www.pandorajewelry-bracelet.us.com">pandora jewelry</a>
<a href="http://www.huarachenike.us.com">nike air huarache</a>
<a href="http://www.charms-pandora.org.uk">pandora jewelry</a>
<a href="http://www.poralphlaurenfactorystore.us.com">polo ralph lauren outlet</a>
<a href="http://www.soccer-cleats.us.com">soccer shoes</a>
<a href="http://www.curry-shoes.us">curry shoes</a>
<a href="http://www.rihanna-puma.us.com">rihanna puma</a>
<a href="http://www.nikeclearance.us.com">nike clearance store</a>
<a href="http://www.fitflopshoesclearance.us.com">fitflops</a>
<a href="http://www.coachoutletclearances.us.com">coach outlet online</a>
<a href="http://www.supremehoodie.us">supreme hoodie</a>
<a href="http://www.kyrie3s.us.com">kyrie 3nike kyrie 3</a>
<a href="http://www.skechers-shoes.org.uk">skechers go walk</a>
<a href="http://www.underarmouroutletonline.us.com">under armour outlet</a>
<a href="http://www.fitflops-sale-clearance.us">fitflops sale clearance</a>
<a href="http://www.timberlandoutletstores.us.com">timberland outlet</a>
<a href="http://www.underarmourclearance.us">under armour outlet</a>
<a href="http://www.ultraboost-adidas.us.com">ultra boost adidas</a>
<a href="http://www.kd10-shoes.us">nike kd 10</a>
<a href="http://www.supreme-clothings.us.com">supreme hoodie</a>
<a href="http://www.jordan11red.us">red jordan 11</a>
<a href="http://www.lebron15shoes.us">lebron 15</a>
<a href="http://www.curry4s-shoes.us.com">curry 4 shoes</a>
<a href="http://www.wholesalejerseyschinasale.us.com">cheap wholesale jerseys</a>
<a href="http://www.skechers-uk.org.uk">skechers boots</a>
<a href="http://www.airjordan11swinlike82.us">win like 82</a>
<a href="http://www.michaelkorsoutletclearancestore.us.com">michael kors outlet</a>
<a href="http://www.jordan11winlike96.us.com">win like 96</a>
<a href="http://www.canadagoosejacketoutlet.us">canada goose coats</a>
<a href="http://www.ralphlaurenclearanceuk.org.uk">ralph lauren sale clearance uk</a>
<a href="http://www.pandorauksale.org.uk">pandora sale uk</a>
<a href="http://www.rihannafenty.us.com">fenty puma</a>
<a href="http://www.adidas-outletstore.us.com">adidas outlet store</a>
<a href="http://www.birkenstockoutletsandals.us.com">birkenstock outlet</a>
<a href="http://www.nike-airmax2018.us">nike air max</a>
<a href="http://www.airjordansretro11.us">retro jordans</a>
<a href="http://www.jewelry-pandora.org.uk">pandora jewelry</a>
<a href="http://www.mbtshoes-clearance.us.com">mbt shoes</a>
<a href="http://www.pandorajewelrybracelet.us">pandora bracelet</a>
<a href="http://www.pandorajewelry-store.us.com">pandora jewelry</a>
<a href="http://www.birkenstocks.us.org">birkenstocks</a>
<a href="http://www.kyrieirving-shoes.us">kyrie 4 shoes</a>
<a href="http://www.longchampbag.us">longchamp</a>
<a href="http://www.yeezy--shoes.us.com">yeezy shoes</a>
<a href="http://www.louboutin-outlets.us">christian louboutin outlet</a>
<a href="http://www.ralphlaurenfactorystore.us">ralph lauren outlet</a>
<a href="http://www.northfacejackets-clearance.us.com">north face clearance</a>
<a href="http://www.jordan11swinlike82.us.com">air jordan 11 win like 82</a>
<a href="http://www.timberlandshoes-outlet.us">timberland boots</a>
<a href="http://www.nike-factory.us.com">nike factory outlet</a>
<a href="http://www.canadian-goose.us.com">canada goose jackets</a>
<a href="http://www.air-vapor-max.us.com">air vapormax</a>
<a href="http://www.jimmychoooutlets.us.com">jimmy choo shoes</a>
<a href="http://www.handbagsoutlet-michaelkors.us.com">michael kors handbags outlet</a>
<a href="http://www.kd10s.us.com">nike kd 10</a>
<a href="http://www.pandorasjewelrys.us.com">pandora charms</a>
<a href="http://www.goyard-bags.us.com">goyard handbags</a>
<a href="http://www.yeezysboost350-v2.us.com">yeezy boost</a>
<a href="http://www.kobe12shoes.us">kobe shoes</a>
<a href="http://www.cheapnfljerseysnfls.us.com">cheap nfl jerseys wholesale</a>
<a href="http://www.pandorajewelrysite.us.com">pandora</a>
<a href="http://www.thenorthfaceoutletonline.us.com">north face outlet</a>
<a href="http://www.northfaceclearances.us">north face outlet 70 off</a>
<a href="http://www.northface-uk.org.uk">north face jackets</a>
<a href="http://www.lacoste-poloshirts.us.com">lacoste</a>
<a href="http://www.fitflop-sandals.us.com">fitflops sale</a>
<a href="http://www.red-bottoms-shoes.us">red bottoms louboutin</a>
<a href="http://www.goyard.us.org">goyard handbags</a>
<a href="http://www.charmspandora.org.uk">pandora uk</a>
<a href="http://www.jordan11-red.us.com">jordan 11 gym red</a>
<a href="http://www.nike-outletonline.us.com">nike outlet store</a>
<a href="http://www.nike-airvapormax.us">vapormax</a>
<a href="http://www.nflcheapjerseysfromchina.us.com">nfl jerseys from china</a>
<a href="http://www.louboutinoutletus.us.com">christian louboutin outlet</a>
<a href="http://www.huarache-shoes.us">nike huarache</a>
<a href="http://www.skechersoutletonline.us">skechers outlet</a>
<a href="http://www.yeezy350boost-v2.us">yeezy boost 350 v2</a>
<a href="http://www.valentino-shoes.us">valentino</a>
<a href="http://www.canadiangoosejacket.us.com">canadian goose jacket</a>
<a href="http://www.curry4s.us">curry 4</a>
<a href="http://www.adidas--nmd.us.com">adidas nmd r1</a>
<a href="http://www.lacosteoutletstores.us">lacoste</a>
<a href="http://www.gymred11.us.com">gym red 11s</a>