Stored procedure security with EXECUTE AS, cross-database queries and module signing

Ben*_*hul 5 security sql-server signature certificate impersonation

I have a situation that I am able to work around (as the repro shows), but which I do not understand. Here are the highlights:

  • Two databases, ChainingSource and ChainingDestination, both with cross-database chaining set to true
  • A stored procedure in ChainingSource accesses a table in ChainingDestination via EXEC(@sql)
  • The stored procedure is defined with an execute as clause
  • If I try to execute the procedure as is, it says the server principal of the execution context is not able to access ChainingDestination
  • So I added a certificate and code signing. That is, I added the certificate-mapped login to the server, mapped a user in each database, and granted permissions to the certificate-mapped user accordingly
  • If I keep the execute as clause, I get the same error.
  • If I remove the execute as clause, everything works fine.

It is the penultimate point that confuses me. Or, specifically: why does that one not work while the last one does?


/******************************

            Setup

******************************/
USE [master];
go
IF EXISTS (SELECT 1 FROM [sys].[databases] WHERE [name] = 'ChainingSource')
BEGIN
    ALTER DATABASE [ChainingSource] SET OFFLINE WITH ROLLBACK IMMEDIATE;
    ALTER DATABASE [ChainingSource] SET ONLINE;
    DROP DATABASE [ChainingSource];
END
IF EXISTS (SELECT 1 FROM [sys].[databases] WHERE [name] = 'ChainingDestination')
BEGIN
    ALTER DATABASE [ChainingDestination] SET OFFLINE WITH ROLLBACK IMMEDIATE;
    ALTER DATABASE [ChainingDestination] SET ONLINE;
    DROP DATABASE [ChainingDestination];
END
GO

EXECUTE AS LOGIN = 'sa';
CREATE DATABASE [ChainingSource];
CREATE DATABASE [ChainingDestination];
GO
REVERT;
GO

ALTER DATABASE [ChainingSource] SET DB_CHAINING ON;
ALTER DATABASE [ChainingDestination] SET DB_CHAINING ON;

IF SUSER_ID('myAppUser') IS null
    CREATE LOGIN [myAppUser] WITH password = 'p@ssw0rd!23';

IF SUSER_ID('myAppUserEscalated') IS null
    CREATE LOGIN [myAppUserEscalated] WITH password = 'p@ssw0rd!23';

IF NOT EXISTS (
    SELECT * FROM sys.[symmetric_keys] AS [sk]
    WHERE name = '##MS_DatabaseMasterKey##'
)
BEGIN
    CREATE MASTER KEY ENCRYPTION BY PASSWORD = 'f00bar!23';
    PRINT 'Created master key in database [master]';
END

IF CERT_ID('myAppCert') IS NULL
    CREATE CERTIFICATE [myAppCert] AUTHORIZATION dbo FROM BINARY = 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f00bar!23')
IF SUSER_ID('myAppCert') IS NULL
    CREATE LOGIN [myAppCert] FROM CERTIFICATE [myAppCert];


USE [ChainingDestination];
CREATE USER [myAppUser];
CREATE USER [myAppUserEscalated];

CREATE MASTER KEY ENCRYPTION BY PASSWORD = 'f00bar!23';
CREATE CERTIFICATE [myAppCert] AUTHORIZATION dbo FROM BINARY = 0x308201BD30820126A003020102021061AF3EB269776BB74629F44629EF9216300D06092A864886F70D0101050500301C311A301806035504031311436F6465205369676E696E6720436572743020170D3136313032303232303932335A180F32303939303130313030303030305A301C311A301806035504031311436F6465205369676E696E67204365727430819F300D06092A864886F70D010101050003818D0030818902818100BCCA7DC1CF2F4874F341AF3C586F0B023CAAD16986ADDAC2F7BFB3BCE590F2A952218F51298067CE3BE9ED695A229DADD029510F0927F30484A587024E0F58EC83924BE49D227D2FE1FCCA0C682528D6A0658AAA6CA5D9F2405AB6950B7D5BA672BB971910D71CEE3B77FF0A4EF59F010AAB445FD127944966C141F7CFC3D5790203010001300D06092A864886F70D010105050003818100011525EDD191767041659701F13F4370F803E6C981A6E33D68863FDACADE709926AB7E3BC8D618EDD07FC52058EFE42D96CA49961CF2936F446EDC4B7D55725FF2F1B37B326D564941CF6A7424551828FE198335AEFA0C892B375D3B676F35B708A48C67F80714643A34050CF9C557FBDD01274BC1ACCCA9A7AD3EC37DD2DA31 WITH PRIVATE KEY (BINARY = 0x1EF1B5B00000000001000000010000001000000054020000CF21B85A9464B60CDAB9F2E419B341490702000000A4000002E67BDF3CE02406E4D69A760D519B3BB6DA77FAFA7D710936EAE5267F072F98A1F7521110EB03955427B79FA386F7D70EDF6E977E92E59761DE0EB186F895AD975CE63C4D8A8B67BA487B9807EDB8B33C7C08EABCCD716E9505170A9729B6E165CE0ED0CA35B5C62D548367FEFC2C694060184D9185331466A0C64A9CB7BF8CA7AC0946A54091A4626978320C7290A784C6147BAF23FD866D9D1D4D1D79DA1B4D2DE213D11299F1417D8C421CC25A2E851FF9CEFA0ECA2006186C787692FDC28F2E702FCC7E76AFBEB95B954B50AA3697E60FC6928392664CE0EDB794AA392C1CC6326102B7CE8A02B367D2F416269DBBF4C16F096780517D32B4653E94DE5C24CE9D39EBC8E6A4EF1B9217F1B4F098F4F77F88CC11C40DDB312BE87CC1430C16AED8773E7691ADE8472BFC02B458B09B40404F61D2E02746AE576582DEE3EC5C09077E127BB4E996A9C4A840E6E0F59D85A3FC4E2844679927DBA6A571927A1F1C938716B8FC922B1D77FAA90BDBA49D1084081E4198A50506C5F6FE87F81B759EE0688428ABA7B2E8CC7D96AC6409DAE41937DB9C1E1CACCD7AE86A8F161316A07B05D523A116AB87022978312EE9853AE9FFA44FFF52114D084934D86D0FFD2D47B97476981
2BF0F4FE8276FD0DCE4069F11EC3915A68F4454166E3ABAAB9539530117597EE52213FEC7C87254634F10062C5C1D97CE5FEABB13252B22E210F56DB281FC1CE5432A7144FB4B89D00B4F8BC876C8C0F397DB9D22E15E2B07FBB44ADDDFBB6A75728917AC330E3A9F978847AC2D27913B3B6CBF54F1BAEF06072D15050ED1CA7BF9C5763A, DECRYPTION BY PASSWORD = 'f00bar!23')
CREATE USER [myAppCert];
GO


CREATE TABLE [dbo].[topSecret] ([ID] INT IDENTITY, [Secrets] NVARCHAR(100));
INSERT INTO [dbo].[topSecret] ([Secrets]) VALUES ('Nuke Codes!');

GRANT SELECT ON [dbo].[topSecret] TO [myAppUserEscalated];
GRANT SELECT ON [dbo].[topSecret] TO [myAppCert];

GO

USE [ChainingSource];
GO
CREATE USER [myAppUser]
CREATE USER [myAppUserEscalated];

CREATE MASTER KEY ENCRYPTION BY PASSWORD = 'f00bar!23';
CREATE CERTIFICATE [myAppCert] AUTHORIZATION dbo FROM BINARY = 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f00bar!23')
CREATE USER [myAppCert];
GO

CREATE SYNONYM [dbo].[topSecret] FOR [ChainingDestination].[dbo].[topSecret];
GRANT SELECT ON [dbo].[topSecret] TO [myAppUserEscalated];
GRANT SELECT ON [dbo].[topSecret] TO [myAppCert];

GO

IF OBJECT_ID('[dbo].[getSecrets]') IS NOT null
    DROP PROCEDURE [dbo].[getSecrets]
GO

CREATE PROCEDURE [dbo].[getSecrets]
WITH EXECUTE AS 'myAppUserEscalated'
AS
BEGIN

    SELECT * FROM sys.login_token;
    SELECT * FROM sys.user_token;
    EXEC('SELECT * FROM [dbo].[topSecret] AS [ts];');
END
GO
GRANT EXECUTE ON [dbo].[getSecrets] TO [myAppUser];
GO

/******************************

            DEMO

******************************/

-- EXECUTE AS clause only
EXECUTE AS LOGIN = 'myAppUser';
GO
EXEC dbo.[getSecrets]
GO
REVERT;
GO

-- no bueno. let's try to add a signature!

ADD SIGNATURE TO [dbo].[getSecrets]
    BY CERTIFICATE [myAppCert];

EXECUTE AS LOGIN = 'myAppUser';
GO
EXEC dbo.[getSecrets]
GO
REVERT;
GO

-- still no bueno. 
-- let's take off the EXECUTE AS clause and sign

ALTER PROCEDURE [dbo].[getSecrets]
AS
BEGIN

    SELECT * FROM sys.login_token;
    SELECT * FROM sys.user_token;
    EXEC('SELECT * FROM [dbo].[topSecret] AS [ts];');
END
GO

ADD SIGNATURE TO [dbo].[getSecrets]
    BY CERTIFICATE [myAppCert];

EXECUTE AS LOGIN = 'myAppUser';
GO
EXEC dbo.[getSecrets]
GO
REVERT;
GO
 -- bueno

Sol*_*zky 7

You are heading in the right direction and are very close. Right now you just need to think of Module Signing as a replacement for EXECUTE AS rather than something to add to it. Removing the EXECUTE AS 'myAppUserEscalated' and relying solely on Module Signing (along with the Certificate-based Login and associated Users) allows cross-database permissions to be maintained when ownership chaining does not work (i.e. Dynamic SQL), while keeping TRUSTWORTHY set to OFF (and even keeping DB_CHAINING set to OFF).

Below is a test script based on the script in the question, but modified to start with the minimal options (i.e. DB_CHAINING off, and no Certificate or Certificate-based Login/Users created). It also has 4 stored procedures so that the various combinations of the following can be tested easily:

  • Default (no Impersonation and no Dynamic SQL)
  • Impersonation (but no Dynamic SQL)
  • Dynamic SQL (but no Impersonation)
  • Impersonation and Dynamic SQL

There are six tests in the script:

  • Test 1 shows that, by default, none of the combinations work. The getSecrets stored procedure (no Impersonation or Dynamic SQL) gets farther than the direct SQL thanks to ownership chaining, but cannot reach the other database because there is no cross-database ownership chaining. The two stored procedures using Dynamic SQL get the same error as the direct SQL, since Dynamic SQL breaks the ownership chain.

  • Test 2 shows that when only DB_CHAINING is set to ON, the getSecrets stored procedure (no Impersonation or Dynamic SQL) works across databases as desired. But the getSecretsWithDynamicSql stored procedure fails, since Dynamic SQL breaks the ownership chain and so it cannot benefit from cross-database ownership chaining.

  • Test 3 shows that when only TRUSTWORTHY is set to ON (for the "source" database only), code using Impersonation (i.e. EXECUTE AS), with or without Dynamic SQL, works across databases as desired. But code not using Impersonation does not work, the same as in Test 1. Of course, we do not want TRUSTWORTHY ON since it is a security risk. This test is only here to show what the situation was before Module Signing (i.e. TRUSTWORTHY is required when using Impersonation, and Impersonation is required when using Dynamic SQL).

  • Test 4 shows that when both DB_CHAINING and TRUSTWORTHY are set to ON, code not using Dynamic SQL works without Impersonation, and any code using Impersonation, with or without Dynamic SQL, works across databases as desired. But again, we do not want TRUSTWORTHY to be ON since it is a security risk. This test is only here to show what the situation was before Module Signing.

  • Test 5 turns DB_CHAINING and TRUSTWORTHY OFF, creates the Certificate and the associated Login and Users, and signs the two stored procedures that are not using Impersonation (since there is no longer any need to use Impersonation). Both signed stored procedures work as expected :-).

  • Test 6 removes the two stored procedures that use Impersonation, and even removes the "escalated" Login and the associated Users that were being impersonated. Running Test 5 again proves that Module Signing is all that is needed (which is why it is the super-cool way of controlling permissions :-).

Test script:

/******************************

            Setup

******************************/

/*************************  CLEANUP *************************************/

USE [master];
GO
IF EXISTS (SELECT 1 FROM [sys].[databases] WHERE [name] = N'ChainingSource')
BEGIN
    PRINT 'Dropping [ChainingSource] DB...';
    ALTER DATABASE [ChainingSource] SET OFFLINE WITH ROLLBACK IMMEDIATE;
    ALTER DATABASE [ChainingSource] SET ONLINE;
    DROP DATABASE [ChainingSource];
END;

IF EXISTS (SELECT 1 FROM [sys].[databases] WHERE [name] = N'ChainingDestination')
BEGIN
    PRINT 'Dropping [ChainingDestination] DB...';
    ALTER DATABASE [ChainingDestination] SET OFFLINE WITH ROLLBACK IMMEDIATE;
    ALTER DATABASE [ChainingDestination] SET ONLINE;
    DROP DATABASE [ChainingDestination];
END;

IF (SUSER_ID(N'myAppUser') IS NOT NULL)
BEGIN
  PRINT 'Dropping [myAppUser] Login...';
  DROP LOGIN [myAppUser];
END;

IF (SUSER_ID(N'myAppUserEscalated') IS NOT NULL)
BEGIN
  PRINT 'Dropping [myAppUserEscalated] Login...';
  DROP LOGIN [myAppUserEscalated];
END;
GO


/*************************  CREATE *************************************/

EXECUTE AS LOGIN = N'sa';
PRINT 'Creating databases...';
CREATE DATABASE [ChainingSource] COLLATE Latin1_General_100_CI_AS_SC;
CREATE DATABASE [ChainingDestination] COLLATE Latin1_General_100_CI_AS_SC;
REVERT;
GO


-- Set up Login/User: [myAppUser]
IF (SUSER_ID(N'myAppUser') IS NULL)
BEGIN
    EXEC(N'
      PRINT ''Creating [myAppUser]...'';
      USE [master];
      CREATE LOGIN [myAppUser] WITH PASSWORD = N''p@ssw0rd!23'';

      USE [ChainingDestination];
      CREATE USER [myAppUser];

      USE [ChainingSource];
      CREATE USER [myAppUser];
     ');
END;

-- Set up Login/User: [myAppUserEscalated]
IF (SUSER_ID(N'myAppUserEscalated') IS NULL)
BEGIN
    EXEC(N'
      PRINT ''Creating [myAppUserEscalated]...'';
      USE [master];
      CREATE LOGIN [myAppUserEscalated] WITH PASSWORD = N''p@ssw0rd!23'';

      USE [ChainingDestination];
      CREATE USER [myAppUserEscalated];

      USE [ChainingSource];
      CREATE USER [myAppUserEscalated];
     ');
END;
GO


USE [ChainingDestination];

CREATE TABLE [dbo].[topSecret] ([ID] INT IDENTITY, [Secrets] NVARCHAR(100));
INSERT INTO [dbo].[topSecret] ([Secrets]) VALUES (N'Nuke Codes!');

GRANT SELECT ON [dbo].[topSecret] TO [myAppUserEscalated];
GO


USE [ChainingSource];

CREATE SYNONYM [dbo].[topSecret] FOR [ChainingDestination].[dbo].[topSecret];

GRANT SELECT ON [dbo].[topSecret] TO [myAppUserEscalated];
GO

----
IF OBJECT_ID(N'[dbo].[getSecrets]') IS NOT NULL
    DROP PROCEDURE [dbo].[getSecrets]
GO

CREATE PROCEDURE [dbo].[getSecrets]
AS
BEGIN
    SELECT SESSION_USER AS [User], ORIGINAL_LOGIN() AS [OriginalLogin];
    SELECT * FROM sys.login_token;
    SELECT * FROM sys.user_token;
    SELECT * FROM [dbo].[topSecret] AS [ts];
END
GO
GRANT EXECUTE ON [dbo].[getSecrets] TO [myAppUser];
GO
----
IF OBJECT_ID(N'[dbo].[getSecretsWithDynamicSql]') IS NOT NULL
    DROP PROCEDURE [dbo].[getSecretsWithDynamicSql]
GO

CREATE PROCEDURE [dbo].[getSecretsWithDynamicSql]
AS
BEGIN
    SELECT SESSION_USER AS [User], ORIGINAL_LOGIN() AS [OriginalLogin];
    SELECT * FROM sys.login_token;
    SELECT * FROM sys.user_token;
    EXEC(N'SELECT * FROM [dbo].[topSecret] AS [ts];');
END
GO
GRANT EXECUTE ON [dbo].[getSecretsWithDynamicSql] TO [myAppUser];
GO
----
IF OBJECT_ID(N'[dbo].[getSecretsWithDynamicSqlAndImpersonation]') IS NOT NULL
    DROP PROCEDURE [dbo].[getSecretsWithDynamicSqlAndImpersonation]
GO

CREATE PROCEDURE [dbo].[getSecretsWithDynamicSqlAndImpersonation]
WITH EXECUTE AS N'myAppUserEscalated'
AS
BEGIN
    SELECT SESSION_USER AS [User], ORIGINAL_LOGIN() AS [OriginalLogin];
    SELECT * FROM sys.login_token;
    SELECT * FROM sys.user_token;
    EXEC(N'SELECT * FROM [dbo].[topSecret] AS [ts];');
END
GO
GRANT EXECUTE ON [dbo].[getSecretsWithDynamicSqlAndImpersonation] TO [myAppUser];
GO
----
IF OBJECT_ID(N'[dbo].[getSecretsWithImpersonation]') IS NOT NULL
    DROP PROCEDURE [dbo].[getSecretsWithImpersonation]
GO

CREATE PROCEDURE [dbo].[getSecretsWithImpersonation]
WITH EXECUTE AS N'myAppUserEscalated'
AS
BEGIN
    SELECT SESSION_USER AS [User], ORIGINAL_LOGIN() AS [OriginalLogin];
    SELECT * FROM sys.login_token;
    SELECT * FROM sys.user_token;
    SELECT * FROM [dbo].[topSecret] AS [ts];
END
GO
GRANT EXECUTE ON [dbo].[getSecretsWithImpersonation] TO [myAppUser];
GO

/******************************

            DEMO

******************************/

/******************  TEST 1 (both DB_CHAINING and TRUSTWORTHY OFF) ********************/

-- Default is OFF, but make resetting after running Tests 2 and 3 easier
ALTER DATABASE [ChainingSource] SET DB_CHAINING OFF;
ALTER DATABASE [ChainingDestination] SET DB_CHAINING OFF;
ALTER DATABASE [ChainingSource] SET TRUSTWORTHY OFF;


USE [ChainingSource];

EXECUTE AS LOGIN = 'myAppUser';
SELECT SESSION_USER AS [User], ORIGINAL_LOGIN() AS [OriginalLogin];
GO

SELECT * FROM [dbo].[topSecret]; -- error:
-- Msg 229, Level 14, State 5, Line XXXXX
-- The SELECT permission was denied on the object 'topSecret',
--    database 'ChainingSource', schema 'dbo'.

EXEC [dbo].[getSecrets]; -- error:
-- Msg 229, Level 14, State 5, Procedure getSecrets, Line XXXXX
-- The SELECT permission was denied on the object 'topSecret',
--    database 'ChainingDestination', schema 'dbo'.

EXEC [dbo].[getSecretsWithImpersonation]; -- error:
-- Msg 916, Level 14, State 1, Procedure getSecretsWithImpersonation, Line XXXXX
-- The server principal "myAppUserEscalated" is not able to access the database
--    "ChainingDestination" under the current security context.


EXEC [dbo].[getSecretsWithDynamicSqlAndImpersonation]; -- error:
-- Msg 229, Level 14, State 5, Line XXXXX
-- The SELECT permission was denied on the object 'topSecret',
--    database 'ChainingSource', schema 'dbo'.

EXEC [dbo].[getSecretsWithDynamicSql]; -- error:
-- Msg 229, Level 14, State 5, Line XXXXX
-- The SELECT permission was denied on the object 'topSecret',
--    database 'ChainingSource', schema 'dbo'.

REVERT;
SELECT SESSION_USER AS [User], ORIGINAL_LOGIN() AS [OriginalLogin];
GO


/******************  TEST 2 (DB_CHAINING ON ; TRUSTWORTHY OFF) ************************/

ALTER DATABASE [ChainingSource] SET DB_CHAINING ON;
ALTER DATABASE [ChainingDestination] SET DB_CHAINING ON;
ALTER DATABASE [ChainingSource] SET TRUSTWORTHY OFF;
GO


EXECUTE AS LOGIN = 'myAppUser';
SELECT SESSION_USER AS [User], ORIGINAL_LOGIN() AS [OriginalLogin];
GO

SELECT * FROM [dbo].[topSecret]; -- error: same as in Test 1
EXEC [dbo].[getSecretsWithImpersonation]; -- error: same as in Test 1
EXEC [dbo].[getSecretsWithDynamicSql]; -- error: same as in Test 1


EXEC [dbo].[getSecrets]; -- (different) success!

EXEC [dbo].[getSecretsWithDynamicSqlAndImpersonation]; -- (different) error:
-- Msg 916, Level 14, State 1, Line XXXXX
-- The server principal "myAppUserEscalated" is not able to access the database
--    "ChainingDestination" under the current security context.

REVERT;
SELECT SESSION_USER AS [User], ORIGINAL_LOGIN() AS [OriginalLogin];
GO


/******************  TEST 3 (DB_CHAINING OFF ; TRUSTWORTHY ON) **********************/

ALTER DATABASE [ChainingSource] SET DB_CHAINING OFF;
ALTER DATABASE [ChainingDestination] SET DB_CHAINING OFF;
ALTER DATABASE [ChainingSource] SET TRUSTWORTHY ON;
GO


EXECUTE AS LOGIN = 'myAppUser';
SELECT SESSION_USER AS [User], ORIGINAL_LOGIN() AS [OriginalLogin];
GO

SELECT * FROM [dbo].[topSecret]; -- error: same as in Tests 1 and 2
EXEC [dbo].[getSecrets]; -- error: same as in Test 1
EXEC [dbo].[getSecretsWithDynamicSql]; -- error: same as in Tests 1 and 2


EXEC [dbo].[getSecretsWithImpersonation]; -- (different) success!

EXEC [dbo].[getSecretsWithDynamicSqlAndImpersonation]; -- (different) success:

REVERT;
SELECT SESSION_USER AS [User], ORIGINAL_LOGIN() AS [OriginalLogin];
GO


/******************  TEST 4 (both DB_CHAINING and TRUSTWORTHY ON) *********************/

ALTER DATABASE [ChainingSource] SET DB_CHAINING ON;
ALTER DATABASE [ChainingDestination] SET DB_CHAINING ON;
ALTER DATABASE [ChainingSource] SET TRUSTWORTHY ON;
GO


EXECUTE AS LOGIN = 'myAppUser';
SELECT SESSION_USER AS [User], ORIGINAL_LOGIN() AS [OriginalLogin];
GO

SELECT * FROM [dbo].[topSecret]; -- error: same as in Tests 1, 2, and 3
EXEC [dbo].[getSecretsWithDynamicSql]; -- error: same as in Tests 1, 2, and 3

EXEC [dbo].[getSecrets]; -- success: same as in Test 2

EXEC [dbo].[getSecretsWithImpersonation]; -- success: same as in Test 3

EXEC [dbo].[getSecretsWithDynamicSqlAndImpersonation]; -- success: same as in Test 3

REVERT;
SELECT SESSION_USER AS [User], ORIGINAL_LOGIN() AS [OriginalLogin];
GO





/*********************************************************************/
/* BEGIN: set up Certificate and cert-based Users for module signing */
/*********************************************************************/

USE [ChainingDestination];

CREATE MASTER KEY ENCRYPTION BY PASSWORD = N'f00bar!23';

CREATE CERTIFICATE [myAppCert]
  AUTHORIZATION [dbo]
  FROM BINARY = 0x\
308201BD30820126A003020102021061AF3EB269776BB74629F44629EF9216300D06092A864886F70D01\
01050500301C311A301806035504031311436F6465205369676E696E6720436572743020170D31363130\
32303232303932335A180F32303939303130313030303030305A301C311A301806035504031311436F64\
65205369676E696E67204365727430819F300D06092A864886F70D010101050003818D00308189028181\
00BCCA7DC1CF2F4874F341AF3C586F0B023CAAD16986ADDAC2F7BFB3BCE590F2A952218F51298067CE3B\
E9ED695A229DADD029510F0927F30484A587024E0F58EC83924BE49D227D2FE1FCCA0C682528D6A0658A\
AA6CA5D9F2405AB6950B7D5BA672BB971910D71CEE3B77FF0A4EF59F010AAB445FD127944966C141F7CF\
C3D5790203010001300D06092A864886F70D010105050003818100011525EDD191767041659701F13F43\
70F803E6C981A6E33D68863FDACADE709926AB7E3BC8D618EDD07FC52058EFE42D96CA49961CF2936F44\
6EDC4B7D55725FF2F1B37B326D564941CF6A7424551828FE198335AEFA0C892B375D3B676F35B708A48C\
67F80714643A34050CF9C557FBDD01274BC1ACCCA9A7AD3EC37DD2DA31;
-- no need for private key: nothing being signed in Destination


CREATE USER [myAppCert] FROM CERTIFICATE [myAppCert];

GRANT SELECT ON [dbo].[topSecret] TO [myAppCert];
GO


USE [ChainingSource];

CREATE MASTER KEY ENCRYPTION BY PASSWORD = N'f00bar!23';

CREATE CERTIFICATE [myAppCert]
  AUTHORIZATION [dbo]
  FROM BINARY = 0x\
308201BD30820126A003020102021061AF3EB269776BB74629F44629EF9216300D06092A864886F70D01\
01050500301C311A301806035504031311436F6465205369676E696E6720436572743020170D31363130\
32303232303932335A180F32303939303130313030303030305A301C311A301806035504031311436F64\
65205369676E696E67204365727430819F300D06092A864886F70D010101050003818D00308189028181\
00BCCA7DC1CF2F4874F341AF3C586F0B023CAAD16986ADDAC2F7BFB3BCE590F2A952218F51298067CE3B\
E9ED695A229DADD029510F0927F30484A587024E0F58EC83924BE49D227D2FE1FCCA0C682528D6A0658A\
AA6CA5D9F2405AB6950B7D5BA672BB971910D71CEE3B77FF0A4EF59F010AAB445FD127944966C141F7CF\
C3D5790203010001300D06092A864886F70D010105050003818100011525EDD191767041659701F13F43\
70F803E6C981A6E33D68863FDACADE709926AB7E3BC8D618EDD07FC52058EFE42D96CA49961CF2936F44\
6EDC4B7D55725FF2F1B37B326D564941CF6A7424551828FE198335AEFA0C892B375D3B676F35B708A48C\
67F80714643A34050CF9C557FBDD01274BC1ACCCA9A7AD3EC37DD2DA31
  WITH PRIVATE KEY (
     BINARY = 0x\
1EF1B5B00000000001000000010000001000000054020000CF21B85A9464B60CDAB9F2E419B341490702\
000000A4000002E67BDF3CE02406E4D69A760D519B3BB6DA77FAFA7D710936EAE5267F072F98A1F75211\
10EB03955427B79FA386F7D70EDF6E977E92E59761DE0EB186F895AD975CE63C4D8A8B67BA487B9807ED\
B8B33C7C08EABCCD716E9505170A9729B6E165CE0ED0CA35B5C62D548367FEFC2C694060184D91853314\
66A0C64A9CB7BF8CA7AC0946A54091A4626978320C7290A784C6147BAF23FD866D9D1D4D1D79DA1B4D2D\
E213D11299F1417D8C421CC25A2E851FF9CEFA0ECA2006186C787692FDC28F2E702FCC7E76AFBEB95B95\
4B50AA3697E60FC6928392664CE0EDB794AA392C1CC6326102B7CE8A02B367D2F416269DBBF4C16F0967\
80517D32B4653E94DE5C24CE9D39EBC8E6A4EF1B9217F1B4F098F4F77F88CC11C40DDB312BE87CC1430C\
16AED8773E7691ADE8472BFC02B458B09B40404F61D2E02746AE576582DEE3EC5C09077E127BB4E996A9\
C4A840E6E0F59D85A3FC4E2844679927DBA6A571927A1F1C938716B8FC922B1D77FAA90BDBA49D108408\
1E4198A50506C5F6FE87F81B759EE0688428ABA7B2E8CC7D96AC6409DAE41937DB9C1E1CACCD7AE86A8F\
161316A07B05D523A116AB87022978312EE9853AE9FFA44FFF52114D084934D86D0FFD2D47B974769812\
BF0F4FE8276FD0DCE4069F11EC3915A68F4454166E3ABAAB9539530117597EE52213FEC7C87254634F10\
062C5C1D97CE5FEABB13252B22E210F56DB281FC1CE5432A7144FB4B89D00B4F8BC876C8C0F397DB9D22\
E15E2B07FBB44ADDDFBB6A75728917AC330E3A9F978847AC2D27913B3B6CBF54F1BAEF06072D15050ED1\
CA7BF9C5763A,
  DECRYPTION BY PASSWORD = N'f00bar!23');

CREATE USER [myAppCert] FROM CERTIFICATE [myAppCert];

GRANT SELECT ON [dbo].[topSecret] TO [myAppCert];
GO

/*********************************************************************/
/* END: set up Certificate and cert-based Users for module signing */
/*********************************************************************/

-- Sign the two stored procedures that are NOT using Impersonation.
-- Ignore the two stored procedures that ARE using Impersonation.
ADD SIGNATURE TO [dbo].[getSecrets]
    BY CERTIFICATE [myAppCert];

ADD SIGNATURE TO [dbo].[getSecretsWithDynamicSql]
    BY CERTIFICATE [myAppCert];
GO


/******************  TEST 5 (both DB_CHAINING and TRUSTWORTHY OFF) ********************/

ALTER DATABASE [ChainingSource] SET DB_CHAINING OFF;
ALTER DATABASE [ChainingDestination] SET DB_CHAINING OFF;
-- Trustworthy? We don't need no stinkin' trustworthy ;-)
ALTER DATABASE [ChainingSource] SET TRUSTWORTHY OFF;
GO


EXECUTE AS LOGIN = N'myAppUser';
SELECT SESSION_USER AS [User], ORIGINAL_LOGIN() AS [OriginalLogin];
GO

SELECT * FROM [dbo].[topSecret]; -- error: same as in Tests 1, 2, 3, and 4

EXEC [dbo].[getSecrets]; -- SUCCESS!!!

EXEC [dbo].[getSecretsWithDynamicSql]; -- SUCCESS!!!
GO


REVERT;
SELECT SESSION_USER AS [User], ORIGINAL_LOGIN() AS [OriginalLogin];
GO


/************************  TEST 6 *************************************/
-- REMOVE Login/User: [myAppUserEscalated]
EXEC(N'
  USE [ChainingSource];
  IF (OBJECT_ID(N''[dbo].[getSecretsWithDynamicSqlAndImpersonation]'') IS NOT NULL)
  BEGIN
    DROP PROCEDURE [dbo].[getSecretsWithDynamicSqlAndImpersonation]
  END;
  IF (OBJECT_ID(N''[dbo].[getSecretsWithImpersonation]'') IS NOT NULL)
  BEGIN
    DROP PROCEDURE [dbo].[getSecretsWithImpersonation]
  END;
  IF (DATABASE_PRINCIPAL_ID(N''myAppUserEscalated'') IS NOT NULL) -- database user, not the login
  BEGIN
    DROP USER [myAppUserEscalated];
  END;


  USE [ChainingDestination];
  IF (DATABASE_PRINCIPAL_ID(N''myAppUserEscalated'') IS NOT NULL) -- database user, not the login
  BEGIN
    DROP USER [myAppUserEscalated];
  END;


  USE [master];
  IF (SUSER_ID(N''myAppUserEscalated'') IS NOT NULL)
  BEGIN
    DROP LOGIN [myAppUserEscalated];
  END;

');
GO

-- Now, re-run Test 5, just to be sure that it is only the module-signing that matters


--========================================

Impersonation vs Module Signing

The part I do not understand is why Module Signing does not work when running under Impersonation. ... How does Impersonation cause the Module Signing context to change to "deny only"?

The problem is that these questions are framed incorrectly. Module Signing should not be used in addition to Impersonation, but as a replacement for it; they are not complementary features. The issue here is not how Impersonation affects Module Signing, but how Impersonation works in general. The original test script (in the question) was structured around this misunderstanding of the relationship between Impersonation and Module Signing. It brought Module Signing in too early, so the behaviour of Impersonation on its own could not be seen clearly, which led to misleading conclusions.

If you run through the test script posted above, what you should see is that when Impersonation is used on its own (i.e. TRUSTWORTHY set to OFF; Tests 1 and 2), the server-level "usage" is DENY ONLY. Meaning: when you use database-level Impersonation, the security context is by default quarantined to that particular database. It is not allowed to go up to the server level, nor to pick up the server-level permissions of the associated Login, nor to go back down into another database.

This has nothing to do with Module Signing, since the Certificate, Login and Users have not been created yet (assuming you are stepping through the example in order). And Module Signing, which does add permissions and can allow cross-database access, cannot override a DENY, because DENY permissions always take precedence over GRANT permissions. That DENY can only be circumvented by TRUSTWORTHY ON.

The only thing that removes the server-level DENY permissions when using Impersonation is setting TRUSTWORTHY to ON for the source database. Tests 3 and 4 show that once TRUSTWORTHY is enabled, Impersonation is allowed to cross between databases. Again, this has nothing to do with Module Signing, since that is not set up until after Test 4. Module Signing is not required to make the whole scenario work; all you need is Impersonation and TRUSTWORTHY ON. However, if you do not want to enable TRUSTWORTHY, then you need Module Signing, in which case it replaces the need for Impersonation.

The chart below shows the various scenarios and their requirements:

     Scenario         -->                 Requirements A               XOR   Requirements B
     ----------                ---------------------------------        |    --------------

Scope     Dynamic SQL --> DB_CHAINING    Impersonation   TRUSTWORTHY   XOR   Module Signing
Local      No               No               No              No         |        No
Local      YES              No               YES             No         |        YES

Cross-DB   No               YES              No              No         |        YES
Cross-DB   YES              No               YES             YES        |        YES

Hopefully it is clear that Module Signing can entirely replace the need for DB_CHAINING ON, Impersonation and TRUSTWORTHY ON. Given that you have both cross-database functionality and some functionality involving Dynamic SQL, your options are:

  1. Set DB_CHAINING ON and TRUSTWORTHY ON

    This lets you avoid Impersonation except where it is needed because of Dynamic SQL. Hence only some modules get the EXECUTE AS clause.

  2. Set only TRUSTWORTHY ON

    This requires that all modules use Impersonation (i.e. have the EXECUTE AS clause). However, you can set DB_CHAINING to OFF.

  3. Use Module Signing only:

    This requires creating the Certificate and Users in both databases, and signing all cross-database modules in the source database. However, you can set both DB_CHAINING and TRUSTWORTHY to OFF! And no Impersonation is needed, even for local Dynamic SQL. This option handles everything more cleanly and more securely.


Confirmation from Microsoft

  • Enabling Cross-Database Access in SQL Server

    Dynamic SQL

    Cross-database ownership chaining does not work in situations where dynamically created SQL statements are executed unless the same user exists in both databases. You can work around this in SQL Server by creating a stored procedure that accesses data in another database and signing the procedure with a certificate that exists in both databases. This gives users the ability to access the database resources used by the procedure without granting them database access or permissions.

  • Extending Database Impersonation by Using EXECUTE AS

    Understanding Impersonation Scope

    ...

    However, when impersonating a principal by using the EXECUTE AS USER statement, or within a database-scoped module by using the EXECUTE AS clause, the scope of impersonation is restricted to the database by default. This means that references to objects outside the scope of the database will return an error.

Additionally, "Extending D
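As an added example (mine, not code from the question or the answer), here is an audit batch a DBA can run after Test 5 or 6 to confirm that the pair of databases is on the "Module Signing only" option; it assumes the database, procedure and certificate names from the answer's test script.

```sql
/* Added audit script (not part of the original post). Assumes the object names
   from the answer's test script: [ChainingSource], [ChainingDestination],
   [dbo].[topSecret] and certificate [myAppCert]. Run as a sysadmin. */

-- 1. Under option 3 both flags should be 0 for both databases.
SELECT [name], is_trustworthy_on, is_db_chaining_on
FROM   sys.databases
WHERE  [name] IN (N'ChainingSource', N'ChainingDestination');
GO

USE [ChainingSource];
GO
-- 2. Every cross-database procedure should be signed by the certificate
--    (crypt_type_desc = SIGNATURE BY CERTIFICATE) and should NOT carry an
--    EXECUTE AS clause. A procedure that is both signed and impersonating is
--    the combination the question hit: the impersonated context is DENY ONLY
--    at server level, so the signature's permissions never reach the other DB.
SELECT  QUOTENAME(OBJECT_SCHEMA_NAME(sm.[object_id])) + N'.'
          + QUOTENAME(OBJECT_NAME(sm.[object_id]))          AS [Module],
        c.[name]                                            AS [SigningCert],
        cp.crypt_type_desc                                  AS [Signature],
        CASE
          WHEN sm.execute_as_principal_id IS NULL THEN N'CALLER (ok)'
          WHEN sm.execute_as_principal_id = -2    THEN N'OWNER (impersonating)'
          ELSE N'USER ' + QUOTENAME(USER_NAME(sm.execute_as_principal_id))
                 + N' (impersonating)'
        END                                                 AS [ExecuteAs]
FROM    sys.sql_modules AS sm
LEFT JOIN sys.crypt_properties AS cp
        ON cp.class = 1                  -- 1 = OBJECT_OR_COLUMN
       AND cp.major_id = sm.[object_id]
LEFT JOIN sys.certificates AS c
        ON c.thumbprint = cp.thumbprint
WHERE   OBJECT_SCHEMA_NAME(sm.[object_id]) = N'dbo'
  AND   OBJECTPROPERTY(sm.[object_id], 'IsProcedure') = 1
ORDER BY [Module];
GO

-- 3. In the destination database, the certificate-mapped user (type C) should
--    hold only the object-level GRANTs the signed procedures need (here:
--    SELECT on [dbo].[topSecret]); anything broader is a finding.
USE [ChainingDestination];
GO
SELECT  dp.[name]                                           AS [CertUser],
        c.[name]                                            AS [Certificate],
        perm.state_desc                                     AS [State],
        perm.permission_name                                AS [Permission],
        perm.class_desc                                     AS [Class],
        OBJECT_NAME(perm.major_id)                          AS [Object]
FROM    sys.database_principals AS dp
JOIN    sys.certificates AS c
        ON c.[sid] = dp.[sid]            -- a cert-mapped user shares the cert's SID
LEFT JOIN sys.database_permissions AS perm
        ON perm.grantee_principal_id = dp.principal_id
WHERE   dp.[type] = 'C'                  -- C = user mapped to a certificate
ORDER BY dp.[name], perm.permission_name;
GO
```

Query 2 flags any signed module that still has EXECUTE AS, which is the exact state the question's first signing attempt was in.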