在 SQL Server 2017 中部署 CLR UDF:过程
[英]Deploy CLR UDF in SQL Server 2017: procedure
问题描述
I am trying to deploy a CLR assembly in a SQL Server 2017 DB, following the procedure described at https://sqlquantumleap.com/2017/08/09/sqlclr-vs-sql-server-2017-part-2-clr-strict-security-solution-1/ .
我正在尝试按照https://sqlquantumleap.com/2017/08/09/sqlclr-vs-sql-server-2017-part-2-clr- 中描述的过程在 SQL Server 2017 DB 中部署 CLR 程序集严格安全解决方案1/ 。 Basically, for testing purposes I'm just including an assembly with a couple of Regex-based functions:基本上,出于测试目的,我只包含一个带有几个基于正则表达式的函数的程序集:
public class TextUdf
{
[SqlFunction(Name = "RegexIsMatch", IsDeterministic = true, IsPrecise = true)]
public static SqlBoolean RegexIsMatch(SqlString text, SqlString pattern,
SqlInt32 options)
{
if (text.IsNull) return SqlBoolean.Null;
if (pattern.IsNull) pattern = "";
return Regex.IsMatch((string)text,
(string)pattern,
options.IsNull? RegexOptions.None : (RegexOptions)options.Value,
new TimeSpan(0, 0, 10))
? SqlBoolean.True
: SqlBoolean.False;
}
[SqlFunction(Name = "RegexReplace", IsDeterministic = true, IsPrecise = true)]
public static SqlString RegexReplace(SqlString text, SqlString pattern,
SqlString replacement, SqlInt32 options)
{
if (text.IsNull || pattern.IsNull) return text;
return Regex.Replace((string)text, (string)pattern,
(string)replacement,
options.IsNull ? RegexOptions.None : (RegexOptions)options.Value);
}
}
I have created a full repro solution at https://github.com/Myrmex/sqlclr .我在https://github.com/Myrmex/sqlclr创建了一个完整的重现解决方案。 I can follow the whole procedure described there (readme) up to the point where I have to assign the PFX certificate to the CLR assembly to be deployed.我可以按照那里描述的整个过程(自述文件)直到我必须将 PFX 证书分配给要部署的 CLR 程序集。 At this point, I get this error:此时,我收到此错误:
MSB3325: Cannot import the following key file: pfx. The key file may be password protected. To correct this, try to import the certificate again or manually install the certificate to the Strong Name CSP with the following key container name: ...
Following the error message guidance, I then found that I could solve this by installing the PFX with sn , so that I can enter the password manually when prompted (see Cannot import the keyfile 'blah.pfx' - error 'The keyfile may be password protected' ).按照错误消息的指导,我发现我可以通过使用sn安装 PFX 来解决这个问题,这样我就可以在出现提示时手动输入密码(请参阅无法导入密钥文件 'blah.pfx' - 错误'密钥文件可能是密码受保护' )。
Once done this, I could compile my CLR assembly with the UDF functions.完成此操作后,我可以使用 UDF 函数编译我的 CLR 程序集。 Now, when I try to install it in a test database (just an empty database created for this purpose), via CREATE ASSEMBLY [SqlServerUdf] FROM 0x...binary stuff... , I get this error:现在,当我尝试将它安装在测试数据库(只是为此目的创建的空数据库)中时,通过CREATE ASSEMBLY [SqlServerUdf] FROM 0x...binary stuff... ,我收到此错误:
CREATE or ALTER ASSEMBLY for assembly 'SqlServerUdf' with the SAFE or EXTERNAL_ACCESS option failed because the 'clr strict security' option of sp_configure is set to 1. Microsoft recommends that you sign the assembly with a certificate or asymmetric key that has a corresponding login with UNSAFE ASSEMBLY permission. Alternatively, you can trust the assembly using sp_add_trusted_assembly.
which just defeats the purpose of the long procedure I had to follow in order to let SQL Server accept my CLR without dropping strict security.这违背了我为了让 SQL Server 接受我的 CLR 而不会降低严格的安全性而必须遵循的漫长过程的目的。
Clearly I'm missing something, but I'm not sure about many details of the tricky procedure so it would be a hard guesswork.显然我遗漏了一些东西,但我不确定这个棘手程序的许多细节,所以这将是一个艰难的猜测。 Could anyone suggest we what's wrong with the procedure, so that we can have a quick and dirty step-by-step reference on how to insert a CLR assembly in SQL Server?任何人都可以建议我们该过程有什么问题,以便我们可以快速而肮脏地逐步参考如何在 SQL Server 中插入 CLR 程序集? This simple task seems to have become very hard with the latest version...这个简单的任务似乎在最新版本中变得非常困难......
1 个解决方案
解决方案1
2 已采纳 2019-03-28 15:58:19
Based on what I see in the GitHub repository, there seems to be some steps that you skipped:根据我在 GitHub 存储库中看到的内容,您似乎跳过了一些步骤:
You did not set a password on the original SQL2017_KeyAsm project.
您没有在原始SQL2017_KeyAsm项目上设置密码。 That's why it's still an .snk file (ie SQL2017_KeyAsm.snk ) instead of a .pfx file (ie SQL2017_KeyAsm.pfx ).这就是为什么它仍然是.snk文件(即SQL2017_KeyAsm.snk )而不是.pfx文件(即SQL2017_KeyAsm.pfx )的原因。 I am guessing that you un checked the "Protect my key file with a password" checkbox (I think it is checked by default), because you should not have an .snk at all.我猜您没有选中“使用密码保护我的密钥文件”复选框(我认为默认情况下已选中),因为您根本不应该拥有.snk 。 Also, in your SQL2017_KeyAsm.sqlproj file, you currently have:此外,在您的SQL2017_KeyAsm.sqlproj文件中,您目前拥有:<AssemblyOriginatorKeyFile>SQL2017_KeyAsm.snk</AssemblyOriginatorKeyFile>When you should have the following:
当您应该具备以下条件时:<AssemblyOriginatorKeyFile>SQL2017_KeyAsm.pfx</AssemblyOriginatorKeyFile>Although, your instructions in the readme are correct, as you have stated there: "enter in a password".
虽然,您在自述文件中的说明是正确的,正如您在那里所说的:“输入密码”。 Still, this probably explains the password error you got, since there is no password protecting the private key.尽管如此,这可能解释了您遇到的密码错误,因为没有密码保护私钥。 Either that, or the password error is due to using the wrong pfx file (see below).要么,要么密码错误是由于使用了错误的 pfx 文件(见下文)。 I guess try fixing the below items first as it might be possible to get away with a password-less SNK, I've just never tried it.我想试试先固定下面的项目,因为它可能可以摆脱一个密码的SNK,我只是从来没有尝试过。At the end of the One-Time Procedures section, in the last two steps just after the paragraph starting with, "Finally, the following steps...", step 2 is using the wrong .pfx file.
在一次性程序部分的末尾,在以“最后,以下步骤...”开头的段落之后的最后两个步骤中,步骤 2 使用了错误的.pfx文件。 I am guessing that this is a direct result of not having a .pfx file in the previous step (due to not setting a password), so you grabbed the only .pfx file that was there.我猜这是上一步中没有.pfx文件的直接结果(由于没有设置密码),因此您获取了那里唯一的.pfx文件。 This is why you are getting the error when attempting to load the SqlServerUdf assembly: you signed the assembly with the certificate , but that certificate was only used as a mechanism to load the KeyAsm assembly into [master]so that the Asymmetric Key could be extracted from it.这就是您在尝试加载SqlServerUdf程序集时收到错误的原因:您使用证书对程序集进行了签名,但该证书仅用作将KeyAsm程序集加载到[master]一种机制,以便可以提取非对称密钥从中。 After that the certificate is dropped.之后证书被删除。 The Asymmetric Key is the public key of the .snk file that was created when you told Visual Studio that you wanted the SQL2017_KeyAsm project signed.非对称密钥是.snk文件的公钥,该文件是在您告诉 Visual Studio 您希望对SQL2017_KeyAsm项目进行签名时创建的。 And so that .snk file (or .pfx if you protect it with a password) is what you need to select when you are telling Visual Studio to sign the SqlServerUdf project.因此,当您告诉 Visual Studio 签署SqlServerUdf项目时,您需要选择.snk文件(或.pfx,如果您使用密码保护它)。 Doing this will use the same private key to sign both projects / assemblies.这样做将使用相同的私钥对两个项目/程序集进行签名。
So, first thing to do is change the private key used to sign the SqlServerUdf assembly.因此,首先要做的是更改用于签署SqlServerUdf程序集的私钥。 It should not be the certificate .pfx file.它不应该是证书.pfx文件。 It needs to be the same key used to sign the KeyAsm file.它需要与用于签署 KeyAsm 文件的密钥相同。 In your case, this would be SQL2017_KeyAsm.snk .在您的情况下,这将是SQL2017_KeyAsm.snk 。
Try making that one change and see if everything works.尝试进行一项更改,看看是否一切正常。 If not, then go back and add a password to the snk file (via Visual Studio).如果没有,则返回并为 snk 文件添加密码(通过 Visual Studio)。 You shouldn't need to re-generate the Certificate or its .pfx file because the public key should be staying the same, and that's all that gets loaded into [master] anyway.您不需要重新生成证书或其.pfx文件,因为公钥应该保持不变,无论如何,这就是加载到[master]的全部内容。 But, do let me know if this still doesn't work.但是,如果这仍然不起作用,请告诉我。 In the mean time, I will update that post to be more explicit about the password, and about which pfx file to use when.同时,我将更新该帖子,以更明确地说明密码以及何时使用哪个 pfx 文件。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.