[英]SQL CLR Rights: Call Stored Procedure in CLR Procedure
I have written a (private) stored procedure in T-SQL that is not visible for the user. 我在T-SQL中写了一个(私有)存储过程,该过程对用户不可见。 He has no execute permissions.
他没有执行权限。
CREATE PROCEDURE [dbo].[GetEntries]
AS
BEGIN
SELECT * FROM sometable
END
Then I wrote a CLR stored procedure, for which the user has the execute permissions. 然后,我编写了一个CLR存储过程,该用户具有执行权限。 This stored procedure calls my private procedure.
此存储过程称为我的私有过程。
using (SqlConnection conn = new SqlConnection())
{
conn.ConnectionString = "context connection=true";
conn.Open();
SqlCommand command = new SqlCommand("exec dbo.[GetEntries] ", conn);
...
If I call the public CLR stored procedure, an error occured that I have no rights to call the private stored procedure. 如果我调用公共CLR存储过程,则会发生错误,我无权调用私有存储过程。 I think this is because my connection string is "context connection=true" so the stored procedure is in the user context (user connection).
我认为这是因为我的连接字符串为“ context connection = true”,所以存储过程位于用户上下文(用户连接)中。
When I write a public (user visible) T-SQL stored procedure, which calls the private stored procedure, I can execute this stored procedure. 当我编写一个公共的(用户可见的)T-SQL存储过程来调用私有存储过程时,我可以执行该存储过程。
CREATE PROCEDURE [dbo].TSQLPublicSP
AS
BEGIN
Exec dbo.[GetEntries]
END
So my question is, how can I set the connection string in the SQL-CLR stored procedure like the connection it is from the T-SQL stored procedure. 所以我的问题是,如何像在T-SQL存储过程中进行的连接那样在SQL-CLR存储过程中设置连接字符串。 I don't want to set the databasename in the SQL-CLR connection string.
我不想在SQL-CLR连接字符串中设置数据库名称。 It would be ok for me if I could get the database name form the
SqlContext
: 如果我可以从
SqlContext
获取数据库名称,那对我来说可以:
SqlConnection("server=LOCALHOST;integrated security=yes;database=" &
SqlContext.???CurrentDatabase???)
Yes, the Context Connection
is in the security context of the caller (or of the User specified in the EXECUTE AS
clause of the CREATE PROCEDURE
statement, but the default is EXECUTE AS CALLER
). 是的,
Context Connection
位于调用者(或CREATE PROCEDURE
语句的EXECUTE AS
子句中指定的用户的安全上下文中,但默认值为EXECUTE AS CALLER
)。
The reason that the behavior is different between the SQLCLR stored procedure and the T-SQL stored procedure is: 该行为在SQLCLR存储过程和T-SQL存储过程之间不同的原因是:
The T-SQL stored procedure is making use of ownership chaining to imply permissions on related objects of the same owner as the code being executed. T-SQL存储过程正在使用所有权链来暗含对与正在执行的代码相同所有者的相关对象的许可。
The SQLCLR stored procedure is effectively submitting Dynamic SQL (as there is no way to pre-compile code within SQLCLR objects) which breaks ownership chaining. SQLCLR存储过程正在有效地提交动态SQL(因为无法在SQLCLR对象中预编译代码),这会破坏所有权链。
If you want special permissions, then you need to use module signing as follows: 如果需要特殊权限,则需要使用模块签名,如下所示:
EXECUTE
permission on the "hidden" stored procedure to the Cert-based or Key-based User EXECUTE
权限 ADD SIGNATURE
. ADD SIGNATURE
签署非“隐藏”存储过程(无论可见的存储过程是T-SQL还是SQLCLR都不重要)。 ADD SIGNATURE
ADD SIGNATURE
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.