SQL DB的包含或受限特权用户
[英]Contained or Limited privilege user for SQL DB
问题描述
I have been lurking back on forth on the Internets trying to find a solution for my problem which is: 
我一直潜伏在互联网上,试图为我的问题找到解决方案:
I have an SQL DB on Azure SQL Server. 我在Azure SQL Server上有一个SQL DB。 In addition to that there is an App talking to this Server and DB in particular. 除此之外,还有一个与此服务器和数据库进行通信的应用程序。
For now I have been using credentials of my master user. 目前,我一直在使用主用户的凭据。 Now I would like to create a 'contained' (my goal) user or just a user with limited privileges (Update, Select, Delete, Insert) only for my current SQL DB. 现在,我只想为我当前的SQL DB创建一个“包含”(我的目标)用户,或者仅创建一个特权受限的用户(更新,选择,删除,插入)。
I executed below lines of code to create a user with read/write privileges only. 我执行以下代码行来创建仅具有读/写权限的用户。
CREATE USER AppUser WITH PASSWORD='123abc';
ALTER ROLE db_datareader ADD MEMBER AppUser;
ALTER ROLE db_datawriter ADD MEMBER AppUser;
After these lines of code were executed fine I went to my App to change connection string but I could not gain access to my DB with this newly created user. 在执行完这些代码行之后,我进入了我的应用程序以更改连接字符串,但是我无法使用该新创建的用户访问我的数据库。
I'm sure I'm missing something but I do not know what it is. 我确定我缺少了一些东西,但我不知道它是什么。
I have spent last few days on Microsoft Docs web-site reading up about this topic but don't seem to find a Solution. 最近几天,我在Microsoft Docs网站上阅读了有关此主题的内容,但似乎找不到解决方案。
EDIT: 编辑:
I have read articles such: https://docs.microsoft.com/en-us/sql/relational-databases/databases/contained-databases?view=sql-server-2017 我已阅读以下文章: https : //docs.microsoft.com/zh-cn/sql/relational-databases/databases/contained-databases?view=sql-server-2017
https://docs.microsoft.com/en-us/sql/relational-databases/security/contained-database-users-making-your-database-portable?view=sql-server-2017 https://docs.microsoft.com/zh-cn/sql/relational-databases/security/contained-database-users-making-your-database-portable?view=sql-server-2017
https://social.msdn.microsoft.com/Forums/en-US/7bea6830-5ce9-4f00-ab1e-355b1476494d/login-failed-contained-database-contained-user?forum=sql14tools https://social.msdn.microsoft.com/Forums/zh-CN/7bea6830-5ce9-4f00-ab1e-355b1476494d/login-failed-contained-database-contained-user?forum=sql14tools
In the above article there was a suggestion that I should "set instance level option" by running: 在以上文章中,有人建议我应该通过运行“设置实例级别选项”:
exec sp_configure 'contained database authentication', 1;
go;
reconfigure;
go;
Im not familiar with these commands and they are not being executed on SQL SM Studio. 我对这些命令不熟悉,并且它们不在SQL SM Studio上执行。 I'm definitely doing something wrong here. 我肯定在这里做错了。
Here is an error message: 这是一条错误消息:
Msg 2812, Level 16, State 62, Line 1
Could not find stored procedure 'sp_configure'.
Same suggestion was found at: 在以下位置发现了相同的建议:
https://www.sqlshack.com/contained-databases-in-sql-server/
But again I could not execute the code provided. 但是同样,我无法执行提供的代码。
I know that my DB is not contained: 我知道我的数据库不包含在内:
select containment,name from sys.databases where name='my_DB';
containment name 0 my_DB 容器名称0 my_DB
Again, Same suggestion was found on this web-site: 同样,在此网站上发现了相同的建议:
https://www.sqlrx.com/contained-databases-pros-and-cons/
And again I could not execute the code for some reason. 同样,由于某种原因,我无法执行代码。
When trying to log in to the SQL Studio with created contained user I get this error message: 尝试使用创建的包含用户登录SQL Studio时,出现以下错误消息:
=================================== ==================================
Cannot connect to my_DB. 无法连接到my_DB。
=================================== ==================================
Login failed for user 'AppUser'. 用户“ AppUser”的登录失败。 (.Net SqlClient Data Provider) (.Net SqlClient数据提供程序)
For help, click: http://go.microsoft.com/fwlink?ProdName=Microsoft%20SQL%20Server&EvtSrc=MSSQLServer&EvtID=18456&LinkId=20476 要获取帮助,请单击: http : //go.microsoft.com/fwlink?ProdName=Microsoft%20SQL%20Server&EvtSrc=MSSQLServer&EvtID=18456&LinkId=20476
Server Name: my_DB Error Number: 18456 Severity: 14 State: 1 Line Number: 65536 服务器名称:my_DB错误号:18456严重性:14状态:1行号:65536
here is the Connection string in my C# app: 这是我的C#应用程序中的Connection字符串:
SqlConnection connection = new
SqlConnection("Server=tcp:my_DB_Server,1433; " +
" Database=my_DB;Persist Security Info=False; " +
" User ID=AppUser;Password=123abc; " +
" MultipleActiveResultSets=False;Encrypt=True; " +
" TrustServerCertificate=False;Connection Timeout=30;");
Which also fails. 这也失败了。
EDIT II: 编辑二:
I guess I need to figure out how to make my_DB contained first of all. 我想我首先需要弄清楚如何使my_DB包含在内。 And then try to use Contained user to log into it. 然后尝试使用“包含的用户”登录。
EDIT III: 编辑三:
Created contained Used is in my Database. 创建的包含的已用在我的数据库中。 I can see it under Security/Users tabs. 我可以在“安全性/用户”选项卡下看到它。
But it is not under the Server/Security/Logins tab. 但是它不在“服务器/安全性/登录”选项卡下。
Do I need to provide my contained user info for the server? 我是否需要提供服务器包含的用户信息? Docs above say: No, I don't have to. 上面的文档说:不,我不必。 Docs say that authentication happens at the DB level not the server ( if i'm correct ) 医生说,验证发生在数据库级别而不是服务器级别(如果我没错的话)
Thank you! 谢谢!
EDIT III: 编辑三:
So, After some more search I think I figured it out. 因此,经过更多搜索之后,我想我已经知道了。 I'm not sure If I would be able to edit this answer later on but here we go. 我不确定是否以后可以编辑此答案,但是我们继续。
1st -- I had to verify that my DB is set to Mixed mode. 1-我必须验证我的数据库是否设置为混合模式。
SELECT SERVERPROPERTY('IsIntegratedSecurityOnly')
here are few article that were helpful in my search: https://stackoverflow.com/a/1601275/9698341 https://stackoverflow.com/a/1134357 以下是对我的搜索有用的一些文章: https : //stackoverflow.com/a/1601275/9698341 https://stackoverflow.com/a/1134357
0 - Mixed Mode, 1 - Windows Authentication Mode 0-混合模式,1-Windows身份验证模式
2nd -- I had to create a Login before creating a user. 第二-在创建用户之前,我必须先创建一个登录名。
CREATE LOGIN AppUserLogin WITH PASSWORD=N'1234abcd'; <-- On master database
(And I guess at this point I'm not sure if that applies to the Contained Users or not, but it should do if you would like to create a user with few privileges and not whole access to the DB or the Server.) (而且我想在这一点上,我不确定这是否适用于“包含的用户”,但是如果您想创建一个特权少而又不能完全访问数据库或服务器的用户,则应该这样做。)
Connect to your DB, in this case it is my_DB and run line below. 连接到您的数据库,在本例中为my_DB并在下面运行。
USE my_DB;
Above line of code selects your target Database for user creation ( If I'm correct) 上面的代码行选择了用于创建用户的目标数据库(如果我正确的话)
3rd -- Creating User from above Login 第三-从上面的登录名创建用户
CREATE USER AppUser FROM LOGIN AppUserLogin;
Above line of code might be creating user that is not being authenticated at the the database level. 上面的代码行可能正在创建未在数据库级别进行身份验证的用户。
Helpful Links: https://docs.microsoft.com/en-us/sql/t-sql/statements/create-user-transact-sql?view=sql-server-2017 有用的链接: https : //docs.microsoft.com/zh-cn/sql/t-sql/statements/create-user-transact-sql? view = sql-server-2017
https://docs.microsoft.com/en-us/sql/relational-databases/security/authentication-access/create-a-database-user?view=sql-server-2017 https://docs.microsoft.com/zh-cn/sql/relational-databases/security/authentication-access/create-a-database-user?view=sql-server-2017
4th -- Grant Read/Write privileges to the AppUser 第四-向AppUser授予读/写权限
ALTER ROLE db_datareader ADD MEMBER AppUser;
ALTER ROLE db_datawriter ADD MEMBER AppUser;
and another one: https://stackoverflow.com/a/3998649/9698341 另一个: https : //stackoverflow.com/a/3998649/9698341
at this point I was able to login to my SQL Server and DB through SQL SMStudio but not throught my C# connection string: 此时,我能够通过SQL SMStudio登录到我的SQL Server和数据库,但无法通过我的C#连接字符串登录:
SqlConnection connection = new SqlConnection("Server=tcp:my_Server,1433; " +
" Database=my_DB;Persist Security Info=False; " +
" User ID=AppUserLogin;Password=1234abcd " +
" ultipleActiveResultSets=False;Encrypt=True; " + TrustServerCertificate=False;Connection Timeout=30;");
After tinkering with my C# app I found out that certain fields are encrypted. 修改了C#应用程序后,我发现某些字段已加密。 I might be doing it backwards but I was comparing A password to a password field in one table. 我可能向后这样做,但是我正在将一个密码与一个表中的密码字段进行比较。 And I found out that the result returned was masked like so: 'xxxx' 我发现返回的结果被屏蔽为:“ xxxx”
this line of code solves unmasking: 这行代码解决了隐藏问题:
GRANT UNMASK TO AppUser;
Which means that the Login and User created is functioning. 这意味着登录名和创建的用户正在运行。
Another mistake that I found is in this line of code: 我发现的另一个错误是在以下代码行中:
User ID=AppUserLogin;Password=1234abcd
Instead of 代替
AppUserLogin
I originally had 我原来有
AppUser
Now I have an access to my DB with a newly created user which has limited privileges. 现在,我可以使用权限有限的新创建用户访问数据库。 Database is not Contained nor the User ( Please correct me if I'm wrong " But it will do for now. 数据库既不包含用户,也不包含用户(如果我输入错误,请更正我,但是现在可以。
If I do get my_DB into containment I will get back to you. 如果确实将my_DB包含在内,我会尽快与您联系。
1 个解决方案
解决方案1
0 已采纳 2018-04-26 19:27:07
1st -- I had to verify that my DB is set to Mixed mode. 1-我必须验证我的数据库是否设置为混合模式。
SELECT SERVERPROPERTY('IsIntegratedSecurityOnly')
here are few article that were helpful in my search: https://stackoverflow.com/a/1601275/9698341 https://stackoverflow.com/a/1134357 以下是对我的搜索有用的一些文章: https : //stackoverflow.com/a/1601275/9698341 https://stackoverflow.com/a/1134357
0 - Mixed Mode, 1 - Windows Authentication Mode 0-混合模式,1-Windows身份验证模式
2nd -- I had to create a Login before creating a user. 第二-在创建用户之前,我必须先创建一个登录名。
CREATE LOGIN AppUserLogin WITH PASSWORD=N'1234abcd'; <-- On master database
(And I guess at this point I'm not sure if that applies to the Contained Users or not, but it should do if you would like to create a user with few privileges and not whole access to the DB or the Server.) (而且我想在这一点上,我不确定这是否适用于“包含的用户”,但是如果您想创建一个特权少而又不能完全访问数据库或服务器的用户,则应该这样做。)
Connect to your DB, in this case it is my_DB and run line below. 连接到您的数据库,在本例中为my_DB并在下面运行。
USE my_DB;
Above line of code selects your target Database for user creation ( If I'm correct) 上面的代码行选择了用于创建用户的目标数据库(如果我正确的话)
3rd -- Creating User from above Login 第三-从上面的登录名创建用户
CREATE USER AppUser FROM LOGIN AppUserLogin;
Above line of code might be creating user that is not being authenticated at the the database level. 上面的代码行可能正在创建未在数据库级别进行身份验证的用户。
Helpful Links: https://docs.microsoft.com/en-us/sql/t-sql/statements/create-user-transact-sql?view=sql-server-2017 有用的链接: https : //docs.microsoft.com/zh-cn/sql/t-sql/statements/create-user-transact-sql? view = sql-server-2017
https://docs.microsoft.com/en-us/sql/relational-databases/security/authentication-access/create-a-database-user?view=sql-server-2017 https://docs.microsoft.com/zh-cn/sql/relational-databases/security/authentication-access/create-a-database-user?view=sql-server-2017
4th -- Grant Read/Write privileges to the AppUser 第四-向AppUser授予读/写权限
ALTER ROLE db_datareader ADD MEMBER AppUser;
ALTER ROLE db_datawriter ADD MEMBER AppUser;
and another one: https://stackoverflow.com/a/3998649/9698341 另一个: https : //stackoverflow.com/a/3998649/9698341
at this point I was able to login to my SQL Server and DB through SQL SMStudio but not throught my C# connection string: 此时,我能够通过SQL SMStudio登录到我的SQL Server和数据库,但无法通过我的C#连接字符串登录:
SqlConnection connection = new SqlConnection("Server=tcp:my_Server,1433; " +
" Database=my_DB;Persist Security Info=False; " +
" User ID=AppUserLogin;Password=1234abcd " +
" ultipleActiveResultSets=False;Encrypt=True; " + TrustServerCertificate=False;Connection Timeout=30;");
After tinkering with my C# app I found out that certain fields are encrypted. 修改了C#应用程序后,我发现某些字段已加密。 I might be doing it backwards but I was comparing A password to a password field in one table. 我可能向后这样做,但是我正在将一个密码与一个表中的密码字段进行比较。 And I found out that the result returned was masked like so: 'xxxx' 我发现返回的结果被屏蔽为:“ xxxx”
this line of code solves unmasking: 这行代码解决了隐藏问题:
GRANT UNMASK TO AppUser; 向AppUser授予UNMASK; Which means that the Login and User created is functioning. 这意味着登录名和创建的用户正在运行。
Another mistake that I found is in this line of code: 我发现的另一个错误是在以下代码行中:
User ID=AppUserLogin;Password=1234abcd
Instead of 代替
AppUserLogin
I originally had 我原来有
AppUser
So, here we go. 所以,我们开始。 Limited privilege user is created and it is functioning. 受限特权用户已创建且正在运行。 Plus I can access my DB via C# w/ newly created user. 另外,我可以通过带有新创建用户的C#访问我的数据库。
Cheers! 干杯!
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.