Subject | Re: [firebird-support] Re: Delegating SYSDBA and enumerating users |
---|---|
Author | |
Post date | 2017-02-23T22:04:02Z |
Thanks Vlad for your replies. In response to your first reply:
a) Yes, I had read "Escalating RDB$ADMIN Scope for User Management" but I appreciate the link and others may too. My users with admin access have already been granted the RDB$ADMIN ROLE.
b) gsec -role - that is great to know the proper gsec syntax to log in using a ROLE. Thanks :).
So I am now getting the same result using gsec. Unfortunately in FlameRobin it is as originally noted:
Now I have a couple of questions for you:
1. Do you know if it is possible in gsec to log in under a custom ROLE? Further to this, is there a way of GRANTing the custom ROLE the RDB$ADMIN ROLE? I am guessing this isn't possible for 2 reasons; custom ROLE is in a particular DB not the Security2.fdb, and you can't GRANT a ROLE to a ROLE.
2. Do you know how things work via the .NET Provider (or rather why they don't :)? When connecting using SYSDBA I see all users (i.e. via FirebirdSql.Data.Services.FbSecurity.DisplayUsers()), however logging in using another user (e.g. your ADM1) and the RDB$ADMIN ROLE, I am still only seeing the single user ADM1.
Thanks,
David
On Thursday, February 23, 2017 1:17 AM, "hvlad@... [firebird-support]" <firebird-support@yahoogroups.com> wrote:
A little sample with Firebird 2.5
I added ordinary users 'user1' and 'user2' and admin user 'adm1'.
Now try to display list of users
1. Use sysdba account:
firebird\bin>gsec -user sysdba -pass masterkey -display
user name uid gid admin full name
------------------------------------------------------------------------------------------------
SYSDBA 0 0 Sql Server Administrator
USER1 0 0
USER2 0 0
ADM1 0 0 admin
Of course, sysdba could see all users.
You see - adm1 is really admin user while user1 and user2 are not admins.
2. Ordinary users could see only themselves:
firebird\bin>gsec -user user1 -pass u1 -display
user name uid gid admin full name
------------------------------------------------------------------------------------------------
USER1 0 0
3. What about non-sysdba admin ?
firebird\bin>gsec -user adm1 -pass adm1 -display
user name uid gid admin full name
------------------------------------------------------------------------------------------------
ADM1 0 0 admin
Something wrong? Let's see the next sample.
4. Specify admin role:
firebird\bin>gsec -user adm1 -pass adm1 -role rdb$admin -display
user name uid gid admin full name
------------------------------------------------------------------------------------------------
SYSDBA 0 0 Sql Server Administrator
USER1 0 0
USER2 0 0
ADM1 0 0 admin
Is it what you need ?
Regards,
Vlad