Startseite Erkunden Hilfe
Anmelden
FirebirdDB
/
firebird
Mirror von https://github.com/FirebirdSQL/firebird.git
2
0
Fork 0
Dateien Issues 0 Wiki
Branch: metacache
Branches Tags
firebird
/
doc
/
sql.extensions
/
README.mapping.html

README.mapping.html 15 KB
Permalink Verlauf Originalformat

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321 
  1. <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
    2. 

  2. <html>
    3. 

  3. <head>
    4. 

  4. 	<meta http-equiv="content-type" content="text/html; charset=utf-8"/>
    5. 

  5. 	<title></title>
    6. 

  6. 	<meta name="generator" content="LibreOffice 6.3.4.2.0 (Linux)"/>
    7. 

  7. 	<meta name="author" content="irina "/>
    8. 

  8. 	<meta name="created" content="2014-03-25T00:00:00.010305100"/>
    9. 

  9. 	<meta name="changed" content="2020-04-13T14:19:46.849216419"/>
    10. 

  10. 	<style type="text/css">
    11. 

  11. 		@page { margin: 2.01cm }
    12. 

  12. 		p { margin-bottom: 0.2cm }
    13. 

  13. 		a:link { so-language: zxx }
    14. 

  14. 	</style>
    15. 

  15. </head>
    16. 

  16. <body lang="ru-RU" dir="ltr"><p lang="en-US" style="margin-bottom: 0cm">
    17. 

  17. <font size="4" style="font-size: 14pt">SQL Language Extension:
    18. 

  18. CREATE/ALTER/CREATE_OR_ALTER/DROP MAPPING</font></p>
    19. 

  19. <p style="margin-bottom: 0cm"><br/>
    20. 

  20. 

  21. </p>
    22. 

  22. <p lang="en-US" style="margin-bottom: 0cm"><font size="4" style="font-size: 14pt">Implements
    23. 

  23. capability to control mapping of security objects to and between
    24. 

  24. databases.</font></p>
    25. 

  25. <p style="margin-bottom: 0cm"><br/>
    26. 

  26. 

  27. </p>
    28. 

  28. <p style="margin-bottom: 0cm"><br/>
    29. 

  29. 

  30. </p>
    31. 

  31. <p lang="en-US" style="margin-bottom: 0cm"><font size="4" style="font-size: 14pt">Author:</font></p>
    32. 

  32. <p style="margin-bottom: 0cm"><font size="4" style="font-size: 14pt"><span lang="en-US">Alex
    33. 

  33. Peshkoff &lt;<a href="mailto:[email protected]">[email protected]</a>&gt;</span></font></p>
    34. 

  34. <p style="margin-bottom: 0cm"><br/>
    35. 

  35. 

  36. </p>
    37. 

  37. <p style="margin-bottom: 0cm"><br/>
    38. 

  38. 

  39. </p>
    40. 

  40. <p lang="en-US" style="margin-bottom: 0cm"><font size="4" style="font-size: 14pt">Preamble:</font></p>
    41. 

  41. <p style="margin-bottom: 0cm"><br/>
    42. 

  42. 

  43. </p>
    44. 

  44. <p lang="en-US" style="margin-bottom: 0cm"><font size="4" style="font-size: 14pt">Firebird
    45. 

  45. 3 supports multiple security databases. This is great feature, but it
    46. 

  46. raises some problems, missing in systems with single security
    47. 

  47. database. Clusters of databases, using same security database, are
    48. 

  48. efficiently separated and this is what we typically want to achieve
    49. 

  49. using different security databases. But in some cases we need
    50. 

  50. controlled limited interaction between such clusters. As an examples
    51. 

  51. can be provided EXECUTE STATEMENT ON EXTERNAL DATA SOURCE when some
    52. 

  52. data exchange between clusters is required and letting server-wide
    53. 

  53. SYSDBA access databases from other clusters using services. More or
    54. 

  54. less similar problems were already known in windows version of
    55. 

  55. firebird since v. 2.1 due to presence of trusted windows
    56. 

  56. authentication – we had 2 separate lists of users (in security
    57. 

  57. database and OS) and sometimes it was needed to make them be related.
    58. 

  58. For example it appears to be good idea to automatically assign to
    59. 

  59. windows users from some group appropriate firebird role.</font></p>
    60. 

  60. <p style="margin-bottom: 0cm"><br/>
    61. 

  61. 

  62. </p>
    63. 

  63. <p lang="en-US" style="margin-bottom: 0cm"><font size="4" style="font-size: 14pt">Single
    64. 

  64. solution for all this problems is MAPPING login information, assigned
    65. 

  65. to user when it connected to firebird server, to internal security
    66. 

  66. objects in database – current_user and current_role. Mapping rule
    67. 

  67. contains 4 parts of information: </font>
    68. 

  68. </p>
    69. 

  69. <ul>
    70. 

  70. 	<li><p lang="en-US" style="margin-bottom: 0cm"><font size="4" style="font-size: 14pt">mapping
    71. 

  71. 	scope (is mapping local for current database or affects all
    72. 

  72. 	databases in cluster, including security database),</font></p>
    73. 

  73. 	<li><p lang="en-US" style="margin-bottom: 0cm"><font size="4" style="font-size: 14pt">mapping
    74. 

  74. 	name (mappings are named like all the other objects in database), </font>
    75. 

  75. 	</p>
    76. 

  76. 	<li><p lang="en-US" style="margin-bottom: 0cm"><font size="4" style="font-size: 14pt">from
    77. 

  77. 	what we map </font>
    78. 

  78. 	</p>
    79. 

  79. 	<li><p lang="en-US" style="margin-bottom: 0cm"><font size="4" style="font-size: 14pt">to
    80. 

  80. 	what we map.</font></p>
    81. 

  81. </ul>
    82. 

  82. <p style="margin-bottom: 0cm"><font size="4" style="font-size: 14pt">Here
    83. 

  83. it's necessary to mention that all versions of firebird had one
    84. 

  84. hardcoded global default rule – users authenticated in security
    85. 

  85. database are always mapped into any database one-to-one. This rule is
    86. 

  86. safe - if we have some security database it makes no use not to trust
    87. 

  87. itself. Therefore (and due to backward compatibility) this rule is
    88. 

  88. kept as is in firebird 3. What about mapping windows users to
    89. 

  89. current_user (which was enabled by default in 2.1 &amp; 2.5 when
    90. 

  90. trusted authentication enabled) in firebird 3 it must be done
    91. 

  91. explicitly. This is required for systems with multiple security
    92. 

  92. databases - not all of them need/use windows trusted authentication.</font></p>
    93. 

  93. <p style="margin-bottom: 0cm"><br/>
    94. 

  94. 

  95. </p>
    96. 

  96. <p lang="en-US" style="margin-bottom: 0cm"><font size="4" style="font-size: 14pt">'From'
    97. 

  97. part of mapping has 4 items:</font></p>
    98. 

  98. <ul>
    99. 

  99. 	<li><p lang="en-US" style="margin-bottom: 0cm"><font size="4" style="font-size: 14pt">authentication
    100. 

  100. 	source (plugin name or result of mapping in other database or use of
    101. 

  101. 	serverwide authentication or any method),</font></p>
    102. 

  102. 	<li><p lang="en-US" style="margin-bottom: 0cm"><font size="4" style="font-size: 14pt">name
    103. 

  103. 	of database where authentication succeeded, </font>
    104. 

  104. 	</p>
    105. 

  105. 	<li><p lang="en-US" style="margin-bottom: 0cm"><font size="4" style="font-size: 14pt">name
    106. 

  106. 	from which mapping is performed,</font></p>
    107. 

  107. 	<li><p lang="en-US" style="margin-bottom: 0cm"><font size="4" style="font-size: 14pt">type
    108. 

  108. 	of that name (username, role, OS group – this depends upon plugin
    109. 

  109. 	which added that name during authentication).</font></p>
    110. 

  110. </ul>
    111. 

  111. <p lang="en-US" style="margin-bottom: 0cm"><font size="4" style="font-size: 14pt">Each
    112. 

  112. item may be ignored (any item is accepted) except type – it's
    113. 

  113. definitely bad idea to mix different types of security objects.</font></p>
    114. 

  114. <p style="margin-bottom: 0cm"><br/>
    115. 

  115. 

  116. </p>
    117. 

  117. <p lang="en-US" style="margin-bottom: 0cm"><font size="4" style="font-size: 14pt">'To'
    118. 

  118. part has 2 items:</font></p>
    119. 

  119. <ul>
    120. 

  120. 	<li><p lang="en-US" style="margin-bottom: 0cm"><font size="4" style="font-size: 14pt">name
    121. 

  121. 	to which mapping is performed,</font></p>
    122. 

  122. 	<li><p lang="en-US" style="margin-bottom: 0cm"><font size="4" style="font-size: 14pt">type
    123. 

  123. 	of that name (only USER/ROLE are accepted here).</font></p>
    124. 

  124. </ul>
    125. 

  125. <p style="margin-bottom: 0cm"><br/>
    126. 

  126. 

  127. </p>
    128. 

  128. <p lang="en-US" style="margin-bottom: 0cm"><font size="4" style="font-size: 14pt">Mappings
    129. 

  129. are defined using SQL (DDL) commands.</font></p>
    130. 

  130. <p style="margin-bottom: 0cm"><br/>
    131. 

  131. 

  132. </p>
    133. 

  133. <p style="margin-bottom: 0cm"><br/>
    134. 

  134. 

  135. </p>
    136. 

  136. <p lang="en-US" style="margin-bottom: 0cm"><font size="4" style="font-size: 14pt">Syntax:</font></p>
    137. 

  137. <p style="margin-bottom: 0cm"><br/>
    138. 

  138. 

  139. </p>
    140. 

  140. <p lang="en-US" style="margin-left: 1.17cm; margin-bottom: 0cm; page-break-before: auto; page-break-after: auto">
    141. 

  141. <font size="4" style="font-size: 14pt">{CREATE | ALTER | CREATE OR
    142. 

  142. ALTER} [GLOBAL] MAPPING name</font></p>
    143. 

  143. <p lang="en-US" style="margin-left: 2.18cm; margin-bottom: 0cm; page-break-before: auto; page-break-after: auto">
    144. 

  144. <font size="4" style="font-size: 14pt">USING {PLUGIN name [IN
    145. 

  145. database] | </font>
    146. 

  146. </p>
    147. 

  147. <p lang="en-US" style="margin-left: 4.06cm; margin-bottom: 0cm; page-break-before: auto; page-break-after: auto">
    148. 

  148. <font size="4" style="font-size: 14pt">ANY PLUGIN [IN database |
    149. 

  149. SERVERWIDE] | </font>
    150. 

  150. </p>
    151. 

  151. <p lang="en-US" style="margin-left: 4.06cm; margin-bottom: 0cm"><font size="4" style="font-size: 14pt">MAPPING
    152. 

  152. [IN database] | </font>
    153. 

  153. </p>
    154. 

  154. <p lang="en-US" style="margin-left: 4.06cm; margin-bottom: 0cm"><font size="4" style="font-size: 14pt">'*'
    155. 

  155. [IN database]}</font></p>
    156. 

  156. <p lang="en-US" style="margin-left: 2.23cm; margin-bottom: 0cm; page-break-before: auto; page-break-after: auto">
    157. 

  157. <font size="4" style="font-size: 14pt">FROM {ANY type | type name}</font></p>
    158. 

  158. <p lang="en-US" style="margin-left: 2.23cm; margin-bottom: 0cm"><font size="4" style="font-size: 14pt">TO
    159. 

  159. {USER | ROLE} [name]</font></p>
    160. 

  160. <p style="margin-left: 1.17cm; margin-bottom: 0cm"><br/>
    161. 

  161. 

  162. </p>
    163. 

  163. <p lang="en-US" style="margin-left: 1.17cm; margin-bottom: 0cm"><font size="4" style="font-size: 14pt">DROP
    164. 

  164. [GLOBAL] MAPPING name</font></p>
    165. 

  165. <p style="margin-bottom: 0cm"><br/>
    166. 

  166. 

  167. </p>
    168. 

  168. <p style="margin-bottom: 0cm"><br/>
    169. 

  169. 

  170. </p>
    171. 

  171. <p lang="en-US" style="margin-bottom: 0cm"><font size="4" style="font-size: 14pt">Description:</font></p>
    172. 

  172. <p style="margin-bottom: 0cm"><br/>
    173. 

  173. 

  174. </p>
    175. 

  175. <p lang="en-US" style="margin-bottom: 0cm"><font size="4" style="font-size: 14pt">Each
    176. 

  176. mapping may be tagged as GLOBAL. Pay attention that global and local
    177. 

  177. maps with same name may exist and they are different objects!</font></p>
    178. 

  178. <p style="margin-bottom: 0cm"><br/>
    179. 

  179. 

  180. </p>
    181. 

  181. <p lang="en-US" style="margin-bottom: 0cm"><font size="4" style="font-size: 14pt">Create,
    182. 

  182. alter and create or alter commands use same set of options. Name of
    183. 

  183. mapping is used to identify it in former DDL commands. USING clause
    184. 

  184. has a most complicated set of options. One can provide explicit
    185. 

  185. plugin name, making it work only for given plugin, or make it use any
    186. 

  186. plugin (but not a result of previous mappings), or make it work only
    187. 

  187. with server-wide plugins, or make it work only with previous mapping
    188. 

  188. results, or let it use any method using asterisk. In almost all cases
    189. 

  189. (except server-wide authentication which is not related with
    190. 

  190. databases) one can also provide name of database in which name from
    191. 

  191. which mapping is performed was “born”. FROM clause must set
    192. 

  192. required parameter – type of name from which mapping is done. When
    193. 

  193. mapping names from plugins type is defined by plugin, when previous
    194. 

  194. mapping results - type can be only user or role. One can provide
    195. 

  195. explicit name which will be taken into an account by this mapping or
    196. 

  196. use ANY keyword to work with any name of given type. In TO clause
    197. 

  197. USER or ROLE (to what mapping is done) must be specified, name is
    198. 

  198. optional - when it is not provided original name (from what mapping
    199. 

  199. is done) is used.</font></p>
    200. 

  200. <p style="margin-bottom: 0cm"><br/>
    201. 

  201. 

  202. </p>
    203. 

  203. <p style="margin-bottom: 0cm"><br/>
    204. 

  204. 

  205. </p>
    206. 

  206. <p lang="en-US" style="margin-bottom: 0cm"><font size="4" style="font-size: 14pt">Samples:</font></p>
    207. 

  207. <p style="margin-bottom: 0cm"><br/>
    208. 

  208. 

  209. </p>
    210. 

  210. <p lang="en-US" style="margin-bottom: 0cm"><font size="4" style="font-size: 14pt">All
    211. 

  211. sample are provided for CREATE command, use of ALTER is exactly the
    212. 

  212. same, use of DROP is obvious.</font></p>
    213. 

  213. <p style="margin-bottom: 0cm"><br/>
    214. 

  214. 

  215. </p>
    216. 

  216. <p lang="en-US" style="margin-bottom: 0cm"><font size="4" style="font-size: 14pt">Enable
    217. 

  217. use of windows trusted authentication in all databases that use
    218. 

  218. current security database:</font></p>
    219. 

  219. <p lang="en-US" style="margin-bottom: 0cm"><font size="4" style="font-size: 14pt">CREATE
    220. 

  220. GLOBAL MAPPING TRUSTED_AUTH USING PLUGIN WIN_SSPI FROM ANY USER TO
    221. 

  221. USER;</font></p>
    222. 

  222. <p style="margin-bottom: 0cm"><br/>
    223. 

  223. 

  224. </p>
    225. 

  225. <p lang="en-US" style="margin-bottom: 0cm"><font size="4" style="font-size: 14pt">Enable
    226. 

  226. SYSDBA-like access for windows admins in current database:</font></p>
    227. 

  227. <p lang="en-US" style="margin-bottom: 0cm"><font size="4" style="font-size: 14pt">CREATE
    228. 

  228. MAPPING WIN_ADMINS USING PLUGIN WIN_SSPI FROM Predefined_Group
    229. 

  229. DOMAIN_ANY_RID_ADMINS TO ROLE RDB$ADMIN;</font></p>
    230. 

  230. <p lang="en-US" style="margin-bottom: 0cm"><font size="4" style="font-size: 14pt">(there
    231. 

  231. is no group DOMAIN_ANY_RID_ADMINS in windows, but such name is added
    232. 

  232. by win_sspi plugin to provide exact backwards compatibility)</font></p>
    233. 

  233. <p style="margin-bottom: 0cm"><br/>
    234. 

  234. 

  235. </p>
    236. 

  236. <p lang="en-US" style="margin-bottom: 0cm"><font size="4" style="font-size: 14pt">Enable
    237. 

  237. particular user from other database access current database with
    238. 

  238. other name:</font></p>
    239. 

  239. <p lang="en-US" style="margin-bottom: 0cm"><font size="4" style="font-size: 14pt">CREATE
    240. 

  240. MAPPING FROM_RT USING PLUGIN SRP IN &quot;rt&quot; FROM USER U1 TO
    241. 

  241. USER U2;</font></p>
    242. 

  242. <p lang="en-US" style="margin-bottom: 0cm"><font size="4" style="font-size: 14pt">(providing
    243. 

  243. database names/aliases in double quotes is important for operating
    244. 

  244. systems that have case-sensitive file names)</font></p>
    245. 

  245. <p style="margin-bottom: 0cm"><br/>
    246. 

  246. 

  247. </p>
    248. 

  248. <p lang="en-US" style="margin-bottom: 0cm"><font size="4" style="font-size: 14pt">Enable
    249. 

  249. server's SYSDBA (from main security database) access current database
    250. 

  250. (assuming it has non-default security database):</font></p>
    251. 

  251. <p lang="en-US" style="margin-bottom: 0cm"><font size="4" style="font-size: 14pt">CREATE
    252. 

  252. MAPPING DEF_SYSDBA USING PLUGIN SRP IN &quot;security.db&quot; FROM
    253. 

  253. USER SYSDBA TO USER;</font></p>
    254. 

  254. <p style="margin-bottom: 0cm"><br/>
    255. 

  255. 

  256. </p>
    257. 

  257. <p lang="en-US" style="margin-bottom: 0cm"><font size="4" style="font-size: 14pt">Force
    258. 

  258. people who logged in using legacy authentication plugin have not too
    259. 

  259. much rights:</font></p>
    260. 

  260. <p lang="en-US" style="margin-bottom: 0cm"><font size="4" style="font-size: 14pt">CREATE
    261. 

  261. MAPPING LEGACY_2_GUEST USING PLUGIN legacy_auth FROM ANY USER TO USER
    262. 

  262. GUEST;</font></p>
    263. 

  263. <p style="margin-bottom: 0cm"><br/>
    264. 

  264. 

  265. </p>
    266. 

  266. <p lang="en-US" style="margin-bottom: 0cm"><font size="4" style="font-size: 14pt">Map
    267. 

  267. windows group to trusted firebird role:</font></p>
    268. 

  268. <p lang="en-US" style="margin-bottom: 0cm"><font size="4" style="font-size: 14pt">CREATE
    269. 

  269. MAPPING WINGROUP1 USING PLUGIN WIN_SSPI FROM GROUP GROUP_NAME TO ROLE
    270. 

  270. ROLE_NAME;</font></p>
    271. 

  271. <p lang="en-US" style="margin-bottom: 0cm"><font size="4" style="font-size: 14pt">Here
    272. 

  272. we expect that some windows users may belong to group GROUP_NAME. If
    273. 

  273. needed name of the group may be given in long form, i.e.
    274. 

  274. DOMAIN\GROUP.</font></p>
    275. 

  275. <p style="margin-bottom: 0cm"><br/>
    276. 

  276. 

  277. </p>
    278. 

  278. <p style="margin-bottom: 0cm"><br/>
    279. 

  279. 

  280. </p>
    281. 

  281. <p lang="en-US" style="margin-bottom: 0cm"><font size="4" style="font-size: 14pt">Notice:</font></p>
    282. 

  282. <p style="margin-bottom: 0cm"><font size="4" style="font-size: 14pt"><span lang="en-US">-
    283. 

  283. Global mapping works best if firebird 3 or higher version database is
    284. 

  284. used as security database. If you plan to use other database as
    285. 

  285. security one (using for example your own provider) please create in
    286. 

  286. it table RDB$AUTH_MAPPING with structure repeating one in firebird 3
    287. 

  287. database, public read access and SYSDBA-only write access.</span></font></p>
    288. 

  288. <p style="margin-bottom: 0cm"><font size="4" style="font-size: 14pt"><span lang="en-US">-
    289. 

  289. </span></font><font size="4" style="font-size: 14pt"><span lang="en-US">Mappings
    290. 

  290. work only with information, coming from authentication plugins or
    291. 

  291. previously done mapping. Information present in DPB (particular SQL
    292. 

  292. role name) is not affected by mappings and can not be changed using
    293. 

  293. them.</span></font></p>
    294. 

  294. <p style="margin-bottom: 0cm"><br/>
    295. 

  295. 

  296. </p>
    297. 

  297. <p style="margin-bottom: 0cm"><br/>
    298. 

  298. 

  299. </p>
    300. 

  300. <p lang="en-US" style="margin-bottom: 0cm"><font size="4" style="font-size: 14pt">Tip:</font></p>
    301. 

  301. <p lang="en-US" style="margin-bottom: 0cm"><font size="4" style="font-size: 14pt">It’s
    302. 

  302. relatively easy to accidentally make a database remotely inaccessible
    303. 

  303. using CREATE MAPPING statement. For example: </font>
    304. 

  304. </p>
    305. 

  305. <p lang="en-US" style="margin-bottom: 0cm"><font size="4" style="font-size: 14pt">CREATE
    306. 

  306. MAPPING BREAK_DB_1 USING * FROM ANY USER TO ROLE ROLE1;</font></p>
    307. 

  307. <p lang="en-US" style="margin-bottom: 0cm"><font size="4" style="font-size: 14pt">CREATE
    308. 

  308. MAPPING BREAK_DB_2 USING * FROM ANY USER TO ROLE ROLE2;</font></p>
    309. 

  309. <p lang="en-US" style="margin-bottom: 0cm"><font size="4" style="font-size: 14pt">This
    310. 

  310. will disallow any user (including SYSDBA) to connect. Luckily
    311. 

  311. mappings are not processed when database is used in embedded mode,
    312. 

  312. i.e. in such a case one should attach to database using embedded
    313. 

  313. access and fix bad mappings.</font></p>
    314. 

  314. <p style="margin-bottom: 0cm"><br/>
    315. 

  315. 

  316. </p>
    317. 

  317. <p style="margin-bottom: 0cm"><br/>
    318. 

  318. 

  319. </p>
    320. 

  320. </body>
    321. 

  321. </html>
    322.