[SGVLUG] Database security for "sql" databases
Emerson, Tom
Tom.Emerson at wbconsultant.com
Fri Jul 15 14:50:36 PDT 2005
> -----Original Message-----
> Behalf Of John Riehl
>
> Emerson, Tom wrote:
> > I'm trying to determine and/or validate that the proper
> > permissions have been "granted"
>
> It depends on the database.
heh heh heh -- that much I know :)
> usually, there is a command to show all the information (e.g. show).
> Check your manual.
FWIW: here is the output of the "help" command that lists all of the commands available.
isql=> help;
HELP is available for the following:
===== SQL Statements =====
Commands marked by * can NOT be executed from ISQL.
ADD DBEFILE EXECUTE IMMEDIATE
ADD TO GROUP EXECUTE PROCEDURE
*ADVANCE *FETCH
ALTER DBEFILE *GOTO
ALTER TABLE GRANT
*BEGIN *IF
BEGIN ARCHIVE *INCLUDE
*BEGIN DECLARE SECTION INSERT
BEGIN WORK LOCK TABLE
CHECKPOINT LOG COMMENT
*CLOSE *OPEN
COMMIT ARCHIVE PREPARE
COMMIT WORK *PRINT
CONNECT RAISE ERROR
CREATE DBEFILE *REFETCH
CREATE DBEFILESET RELEASE
CREATE GROUP REMOVE DBEFILE
CREATE INDEX REMOVE FROM GROUP
CREATE PARTITION RESET
CREATE PROCEDURE *RETURN
CREATE RULE REVOKE
CREATE SCHEMA ROLLBACK WORK
CREATE TABLE SAVEPOINT
CREATE TEMPSPACE SELECT
CREATE VIEW SET CONNECTION
*DECLARE SET CONSTRAINTS
*DECLARE CURSOR SET DEFAULT DBEFILESET
DELETE SET DML ATOMICITY
*DELETE WHERE CURRENT SET MULTITRANSACTION
*DESCRIBE SET PRINTRULES
DISABLE AUDIT LOGGING SET SESSION
DISABLE RULES SET TRANSACTION
DISCONNECT SET USER TIMEOUT
DROP DBEFILE SETOPT
DROP DBEFILESET *SQLEXPLAIN
DROP GROUP START DBE
DROP INDEX START DBE NEW
DROP MODULE START DBE NEWLOG
DROP PARTITION STOP DBE
DROP PROCEDURE TERMINATE USER
DROP RULE TRANSFER OWNERSHIP
DROP TABLE TRUNCATE TABLE
DROP TEMPSPACE UPDATE
DROP VIEW UPDATE STATISTICS
ENABLE AUDIT LOGGING *UPDATE WHERE CURRENT
ENABLE RULES VALIDATE
*END DECLARE SECTION *WHENEVER
EXECUTE *WHILE
===== ISQL Commands =====
CHANGE GENPLAN LIST HISTORY SET
DO HELP LIST INSTALL SQLGEN
EDIT HOLD LIST SET SQLUTIL
END INFO LOAD START
ERASE INPUT RECALL STORE
EXIT INSTALL REDO SYSTEM
EXTRACT LIST FILE RENAME UNLOAD
(Enter name of command) isql HELP=> //
isql=>
>
> almost all sql databases store this information in its own internal
> tables. the names of these internal tables vary from db to
> db. select * from table.....
This is also known as "meta" data, or data/tables that describe the structure of the data rather than (being) the data itself. After a bit of digging, I *think* I've found the table, but "even as the creator", I don't seem to have "select" access to the particular table:
isql=> SELECT * FROM HPRDBSS.TABAUTH;
User MGR at COREDEV does not have SELECT authority on HPRDBSS.TABAUTH.
(DBERR 2301)
isql=>
there are, however, some "views" called CATALOG.<whatever> and SYSTEM.<likewise> that I think are views within the HPRDBSS tables (this figures in later -- see below)
> all sql databases that I know allow a admin to dump out the database
> into a stream of sql statements that recreates it. (e.g. mysqldump
> --all-databases ). if you pipe that to a file, then browse it, you
> should be able to discern the table that is used to store
> privledges, as well as all the data in it.
Actually, the system DOES have a utility for recreating the STRUCTURE, but not one that "dumps the data" as SQL statements to re-load the data (the files that house the data are typically stored and restored to/from "tape" as complete files, not discrete data) However, as part of the structure, the "authority" information is exported as GRANT/REVOKE statements as such:
>> gen tabauth
ALLBASE/SQL Command Generator for Table Authority
Schema File Name or '//' to STOP command >>
Please enter Owner Names. Type @ for all, ? for a list of
Owner Names, or RETURN to quit.
Owner Name >> tomsdb
Do you wish to specify Table Names for each Owner (n/y)? y
Enter Table Names for Owner TOMSDB
Type @ for all, ? for a list of Table Names, or RETURN to quit.
Table Name for Owner TOMSDB >> users
GRANT SELECT
ON TOMSDB.USERS TO TOMSDB_10
BY MGR at COREDEV;
GRANT SELECT,INSERT,DELETE,UPDATE
ON TOMSDB.USERS TO TOMSDB_20
BY MGR at COREDEV;
GRANT SELECT,INSERT,DELETE,UPDATE
ON TOMSDB.USERS TO TOMSDB_64
BY MGR at COREDEV;
REVOKE ALL
ON TOMSDB.USERS
FROM PUBLIC;
==================
This is all well and good, but it turns out what I need to verify is access to the meta-data tables in the first place! Perhaps a *tiny* bit more background will make sense (and bore the rest of you -- sorry...)
Basically, from my "front end" programs I'm opening this database as an "odbc" data source. When configuring the data source on the SERVER side, I need to specify what "tables" the front-end clients can see or access. In this DB environment, there are some 400+ tables (and views), but the user only needs to access a handful of them. (relatively speaking -- I think the actual number of tables is still over 100) Also, rather than explicitly name each one, the system allows the DBA to specify an "@" to mean "all tables", and, out of laziness or lack of understanding, "that's the way we've always done it".
The downside is that when you open a connection to the database, the server looks at this "@" and (internally?) gathers information about each and every table that the user can access -- this takes a noticable amount of time on a loaded server (10 seconds or more...) -- and the "optimization" that the maker of the ODBC server suggested was to explicitly note each table in the server config file.
When I do that, my front-end program chokes on a "select * from..." statement because it has to retrieve the column names from from one of these "meta" tables [this happens actually at the server side -- because the server does not have the authority, by it's own definition of the database, it just falls over...] when an "@" is used, these "meta" tables are in the list and everything works [so it isn't entirely laziness/misunderstanding...] Furthermore, even if these meta tables are explicitly defined, without the "@" access it still falls over, so there is still some sort of disconnect between theory and reality... ;)
More information about the SGVLUG
mailing list