Do I need SQL Server db_ddladmin rights for an Entity Framework Code-First Approach and is it a security issue?
We have an external project that has been developed using C# & Entity Framework 6 Code First together with SQL Server 2014. It has a web site and a WCF service.
Now, for deployment the project contractor stated that the IIS APPPOOL user under which the web site runs will need membership to db_datareader, db_datawriter and db_ddladmin for it to work, and indeed without giving those rights it did not work.
I have certain problems with that because, without being a SQL guru, I feel that a deployment should not need db_ddladmin rights, while the contractor says that's perfectly normal with EF Code First and does not see a problem. A search on the net also seems to reveal that those rights can be problematic ( http://akawn.com/blog/2012/02/why-you-should-be-cautious-with-the-dbo_owner-role/ ), which would also indicate to me that it would be a bit insane that EF framework Code First really would need those rights...
So do I need db_ddladmin for EF Code First? And is it problematic that a deployed web project needs database access rights of db_ddladmin?
Thanks in advance!
This is indeed a possible pain point. Entity Framework does assume that you have db_ddladmin rights for migrations. It does not require this permission at any other stage.
There are a few ways to handle this. You can either give the permissions, run the migrations, then remove the permission, or you can export a SQL script and run it against your server, like so:
Update-Database -Script -SourceMigration:0
(script from beginning to current state). Any future migration deployments would require you to take the same steps, starting from the server's current migration value, or adding/removing the permission.
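The grant, migrate, revoke sequence from the answer above, written out in T-SQL as an added example (not part of the original post). The database name AppDb and the account IIS APPPOOL\MySitePool are placeholders, and the script assumes the database user for that account already exists.

```sql
-- Added example for SQL Server 2012 and later (ALTER ROLE ... ADD MEMBER syntax).
-- Placeholders, not taken from the page:
--   [AppDb]                   hypothetical application database
--   [IIS APPPOOL\MySitePool]  hypothetical app pool identity (user already created)
USE [AppDb];
GO

-- Steady state: the runtime account can only read and write data.
ALTER ROLE db_datareader ADD MEMBER [IIS APPPOOL\MySitePool];
ALTER ROLE db_datawriter ADD MEMBER [IIS APPPOOL\MySitePool];
GO

-- Option A: open a deployment window, run the migrations, close it again.
ALTER ROLE db_ddladmin ADD MEMBER [IIS APPPOOL\MySitePool];
GO
-- ... run the EF migrations against the database here ...
ALTER ROLE db_ddladmin DROP MEMBER [IIS APPPOOL\MySitePool];
GO

-- Option B: leave the runtime account untouched and have a DBA run the
-- script produced by "Update-Database -Script -SourceMigration:0" under
-- their own account instead of Option A.

-- Post-deployment check: fail loudly if the runtime account still holds
-- a role that allows schema changes.
IF EXISTS (
    SELECT 1
    FROM sys.database_role_members AS drm
    JOIN sys.database_principals AS r ON r.principal_id = drm.role_principal_id
    JOIN sys.database_principals AS m ON m.principal_id = drm.member_principal_id
    WHERE m.name = N'IIS APPPOOL\MySitePool'
      AND r.name IN (N'db_ddladmin', N'db_owner')
)
    RAISERROR (N'Runtime account still has DDL-capable role membership.', 16, 1);
ELSE
    PRINT N'Runtime account is limited to db_datareader/db_datawriter.';
GO
```

The final check can be run on a schedule or as the last step of a deployment job, so a forgotten revoke is caught rather than left in place.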