Subject | Re: [firebird-support] ROLE checking during login to firebird |
---|---|
Author | Helen Borrie |
Post date | 2008-09-27T10:28:13Z |
At 18:07 27/09/2008, you wrote:
>Hello,
>
> It's a known "feature" I think, but it's still not as it should be.
>
> If I log on to firebird server with username, password and role and
> I was not granted to the role or have misspelled the role, there is
> no visible reaction of firebird.
>
> I always have to check via
> SELECT current_role FROM RDB$DATABASE
> for example.
>
> I'd expect at least a warning.
What would the warning be about?
If the user and password are known to the server then the authentication succeeds. Any authenticated user has access to any database.
A role is a database-specific package of privileges to objects in that database. If you are using privileges correctly then you should not have any grants to PUBLIC.
> Is the behavior of firebird according to SQL standard?
SQL doesn't have a "standard" regarding the scope of users. But privileges are a standard SQL implementation. Privileges apply to database objects. It is very important to design a privileges schema that ensures full control of access for any user. Were you aware that a user doesn't have to exist in the security database, in order to be granted privileges?
> Are there plans for changing the described behavior?
On Firebird, currently, *user authentication* is done at server level. In Fb 3, user authentication will be able to be more granular, i.e., security databases for each database or group of databases, if required.
./heLen
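Added example, not part of the original post or of Firebird itself: a client-side check that fails closed when the role requested at login did not take effect (Firebird reports `CURRENT_ROLE` as `NONE` in that case), plus a listing of grants to PUBLIC. It assumes any DB-API 2.0 connection to Firebird; `require_role`, `public_grants`, `RoleNotActive` and the `FakeConn` stand-in are hypothetical names, and the sample rows are constructed.

```python
class RoleNotActive(Exception):
    """The role asked for at login is not the session's CURRENT_ROLE."""

def active_role(conn):
    cur = conn.cursor()
    cur.execute("SELECT CURRENT_ROLE FROM RDB$DATABASE")
    return (cur.fetchone()[0] or "").strip()   # CHAR values may come back space-padded

def require_role(conn, requested, case_sensitive=False):
    """Fail closed when the requested role did not take effect."""
    actual, want = active_role(conn), requested.strip()
    # Assumption: the role was created unquoted, so it is stored in upper case.
    same = actual == want if case_sensitive else actual.upper() == want.upper()
    if actual.upper() == "NONE" or not same:
        raise RoleNotActive(f"requested {want!r}, session has {actual!r}")
    return actual

def public_grants(conn):
    """List (object, privilege) pairs granted to PUBLIC on non-system objects."""
    cur = conn.cursor()
    cur.execute("SELECT RDB$RELATION_NAME, RDB$PRIVILEGE "
                "FROM RDB$USER_PRIVILEGES WHERE RDB$USER = 'PUBLIC'")
    rows = [(name.strip(), priv.strip()) for name, priv in cur.fetchall()]
    # Design choice of this example: skip system tables (RDB$..., MON$...).
    return [r for r in rows if not r[0].startswith(("RDB$", "MON$"))]

class FakeConn:
    """Constructed stand-in for a real connection so the example runs offline."""
    def __init__(self, role, grants=()):
        self._role, self._grants, self._rows = role, list(grants), []
    def cursor(self):
        return self
    def execute(self, sql):
        self._rows = self._grants if "USER_PRIVILEGES" in sql else [(self._role,)]
    def fetchone(self):
        return self._rows[0]
    def fetchall(self):
        return list(self._rows)

if __name__ == "__main__":
    print(require_role(FakeConn("SALES    "), "sales"))
    try:
        # Misspelled role: the login itself succeeded, the role did not apply.
        require_role(FakeConn("NONE"), "slaes")
    except RoleNotActive as exc:
        print("refused:", exc)
    print(public_grants(FakeConn("NONE", [("RDB$ROLES  ", "S"), ("ORDERS   ", "S")])))
```

Call `require_role` immediately after connecting, before issuing any other statement, and pass `case_sensitive=True` for roles created with quoted identifiers.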