| Subject | stored procedures permissions question |
|---|---|
| Author | Robby |
| Post date | 2005-08-26T01:24:49Z |
Hey guys, I'm wondering why something like the following doesn't work:
# isql-fb -u sysdba -p masterkey
Use CONNECT or CREATE DATABASE to specify a database
SQL> create database '/var/lib/firebird2/test.fdb';
SQL> CREATE TABLE site
CON> (
CON> id BIGINT NOT NULL,
CON> whencreated TIMESTAMP DEFAULT CURRENT_TIMESTAMP NOT NULL,
CON> lastmodified TIMESTAMP DEFAULT CURRENT_TIMESTAMP NOT NULL,
CON> name VARCHAR(60) NOT NULL,
CON> PRIMARY KEY(id),
CON> UNIQUE(name)
CON> );
SQL> SET TERM !! ;
SQL> CREATE PROCEDURE GET_SITE_COUNT
CON> RETURNS (numsites BIGINT)
CON> AS
CON> BEGIN
CON> SELECT COUNT(*) FROM site INTO :numsites;
CON> END !!
SQL> SET TERM ; !!
SQL> grant EXECUTE ON PROCEDURE GET_SITE_COUNT TO test;
SQL> exit;
# isql-fb -u test -p test
Use CONNECT or CREATE DATABASE to specify a database
SQL> connect '/var/lib/firebird2/test.fdb';
Database: '/var/lib/firebird2/test.fdb', User: test
SQL> EXECUTE PROCEDURE GET_SITE_COUNT;
Statement failed, SQLCODE = -551
no permission for read/select access to TABLE SITE
SQL>
My question: why would user 'test' need read/select access to TABLE
SITE, doesn't GET_SITE_COUNT run with the permissions of the DB owner
(sysdba)?
Basically, I'd like to create a database, a table, and a SP that
sysdba owns. Okay, done. Then, I'd like to grant EXECUTE permissions
to call that SP to another user. From what I've read, if the table and
db is owned by sysdba, user 'test', when granted EXECUTE permissions
to a the SP, could run that SP, and the SP would run with the access
of the owner (being sysdba in this case).
Basically I want to have it so that user 'test' can just run SPs but
not access the data tables themselves. The SPs would be executed with
the permissions of sysdba however, who would have full access to the
data. This provides an API to user 'test', and gives me control of how
that user accesses the data.
If I'm totally off on how I should go about doing this, then please
let me know.
# isql-fb -u sysdba -p masterkey
Use CONNECT or CREATE DATABASE to specify a database
SQL> create database '/var/lib/firebird2/test.fdb';
SQL> CREATE TABLE site
CON> (
CON> id BIGINT NOT NULL,
CON> whencreated TIMESTAMP DEFAULT CURRENT_TIMESTAMP NOT NULL,
CON> lastmodified TIMESTAMP DEFAULT CURRENT_TIMESTAMP NOT NULL,
CON> name VARCHAR(60) NOT NULL,
CON> PRIMARY KEY(id),
CON> UNIQUE(name)
CON> );
SQL> SET TERM !! ;
SQL> CREATE PROCEDURE GET_SITE_COUNT
CON> RETURNS (numsites BIGINT)
CON> AS
CON> BEGIN
CON> SELECT COUNT(*) FROM site INTO :numsites;
CON> END !!
SQL> SET TERM ; !!
SQL> grant EXECUTE ON PROCEDURE GET_SITE_COUNT TO test;
SQL> exit;
# isql-fb -u test -p test
Use CONNECT or CREATE DATABASE to specify a database
SQL> connect '/var/lib/firebird2/test.fdb';
Database: '/var/lib/firebird2/test.fdb', User: test
SQL> EXECUTE PROCEDURE GET_SITE_COUNT;
Statement failed, SQLCODE = -551
no permission for read/select access to TABLE SITE
SQL>
My question: why would user 'test' need read/select access to TABLE
SITE, doesn't GET_SITE_COUNT run with the permissions of the DB owner
(sysdba)?
Basically, I'd like to create a database, a table, and a SP that
sysdba owns. Okay, done. Then, I'd like to grant EXECUTE permissions
to call that SP to another user. From what I've read, if the table and
db is owned by sysdba, user 'test', when granted EXECUTE permissions
to a the SP, could run that SP, and the SP would run with the access
of the owner (being sysdba in this case).
Basically I want to have it so that user 'test' can just run SPs but
not access the data tables themselves. The SPs would be executed with
the permissions of sysdba however, who would have full access to the
data. This provides an API to user 'test', and gives me control of how
that user accesses the data.
If I'm totally off on how I should go about doing this, then please
let me know.