SQL CLR权限:CLR过程中的调用存储过程
[英]SQL CLR Rights: Call Stored Procedure in CLR Procedure
问题描述
I have written a (private) stored procedure in T-SQL that is not visible for the user. 
我在T-SQL中写了一个(私有)存储过程,该过程对用户不可见。 He has no execute permissions. 他没有执行权限。
CREATE PROCEDURE [dbo].[GetEntries]
AS
BEGIN
SELECT * FROM sometable
END
Then I wrote a CLR stored procedure, for which the user has the execute permissions. 然后,我编写了一个CLR存储过程,该用户具有执行权限。 This stored procedure calls my private procedure. 此存储过程称为我的私有过程。
using (SqlConnection conn = new SqlConnection())
{
conn.ConnectionString = "context connection=true";
conn.Open();
SqlCommand command = new SqlCommand("exec dbo.[GetEntries] ", conn);
...
If I call the public CLR stored procedure, an error occured that I have no rights to call the private stored procedure. 如果我调用公共CLR存储过程,则会发生错误,我无权调用私有存储过程。 I think this is because my connection string is "context connection=true" so the stored procedure is in the user context (user connection). 我认为这是因为我的连接字符串为“ context connection = true”,所以存储过程位于用户上下文(用户连接)中。
When I write a public (user visible) T-SQL stored procedure, which calls the private stored procedure, I can execute this stored procedure. 当我编写一个公共的(用户可见的)T-SQL存储过程来调用私有存储过程时,我可以执行该存储过程。
CREATE PROCEDURE [dbo].TSQLPublicSP
AS
BEGIN
Exec dbo.[GetEntries]
END
So my question is, how can I set the connection string in the SQL-CLR stored procedure like the connection it is from the T-SQL stored procedure. 所以我的问题是,如何像在T-SQL存储过程中进行的连接那样在SQL-CLR存储过程中设置连接字符串。 I don't want to set the databasename in the SQL-CLR connection string. 我不想在SQL-CLR连接字符串中设置数据库名称。 It would be ok for me if I could get the database name form the SqlContext : 如果我可以从SqlContext获取数据库名称,那对我来说可以:
SqlConnection("server=LOCALHOST;integrated security=yes;database=" &
SqlContext.???CurrentDatabase???)
1 个解决方案
解决方案1
1 2017-03-29 12:32:11
Yes, the Context Connection is in the security context of the caller (or of the User specified in the EXECUTE AS clause of the CREATE PROCEDURE statement, but the default is EXECUTE AS CALLER ). 是的, Context Connection位于调用者(或CREATE PROCEDURE语句的EXECUTE AS子句中指定的用户的安全上下文中,但默认值为EXECUTE AS CALLER )。
The reason that the behavior is different between the SQLCLR stored procedure and the T-SQL stored procedure is: 该行为在SQLCLR存储过程和T-SQL存储过程之间不同的原因是:
The T-SQL stored procedure is making use of ownership chaining to imply permissions on related objects of the same owner as the code being executed.
T-SQL存储过程正在使用所有权链来暗含对与正在执行的代码相同所有者的相关对象的许可。 The SQLCLR stored procedure is effectively submitting Dynamic SQL (as there is no way to pre-compile code within SQLCLR objects) which breaks ownership chaining.
SQLCLR存储过程正在有效地提交动态SQL(因为无法在SQLCLR对象中预编译代码),这会破坏所有权链。
If you want special permissions, then you need to use module signing as follows: 如果需要特殊权限,则需要使用模块签名,如下所示:
- Create a Certificate or Asymmetric Key in this Database 在此数据库中创建证书或非对称密钥
- Create a User from the Certificate or Asymmetric Key 从证书或非对称密钥创建用户
- Grant
EXECUTEpermission on the "hidden" stored procedure to the Cert-based or Key-based User向基于证书或基于密钥的用户授予对“隐藏”存储过程的EXECUTE权限 - Sign the non-"hidden" stored procedure (doesn't matter if the visible one is T-SQL or SQLCLR) using
ADD SIGNATURE.使用ADD SIGNATURE签署非“隐藏”存储过程(无论可见的存储过程是T-SQL还是SQLCLR都不重要)。 - If you ever make any changes to the Assembly that contains the method for this SQLCLR stored procedure, you will need to re-apply the
ADD SIGNATURE如果曾经对包含此SQLCLR存储过程方法的Assembly进行了任何更改,则将需要重新应用ADD SIGNATURE
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.