-
Notifications
You must be signed in to change notification settings - Fork 15
Expand file tree
/
Copy pathUseAppRoleToViewServerInfo.sql
More file actions
155 lines (112 loc) · 3.92 KB
/
UseAppRoleToViewServerInfo.sql
File metadata and controls
155 lines (112 loc) · 3.92 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
-- ============================================================================
-- - Application role access to server information - UseAppRoleToViewServerInfo.sql
--
--
-- This code is companion code that shows an example of application role access
-- to server information by using a certificate-signed procedure.
--
-- ============================================================================
USE master
GO
CREATE DATABASE approle_db ;
GO
CREATE LOGIN some_login WITH PASSWORD = 'SomePa$$word!' ;
GO
USE approle_db
GO
CREATE USER some_user FOR LOGIN some_login
GO
CREATE APPLICATION ROLE an_approle WITH PASSWORD = 'SomeAppRolePa$$word!' ;
GO
---------------------------------------------------------------------
-- This section shows how to use a certificate to authenticate
-- a signed stored procedure.
---------------------------------------------------------------------
CREATE LOGIN execute_as_login WITH PASSWORD = 'SomePa$$word!' ;
GO
USE master
GO
GRANT VIEW ANY DEFINITION TO execute_as_login ;
GRANT VIEW SERVER STATE TO execute_as_login ;
GO
USE approle_db
GO
CREATE USER execute_as_user FOR LOGIN execute_as_login ;
GO
--
-- You must use EXECUTE AS 'execute_as_user' here because the application role
-- does not have a server identity. The application role cannot use
-- the certificate permissions on the server. Therefore, you
-- need a new execution context to which you can grant
-- the needed VIEW* permissions.
--
CREATE PROC usp_access_server_system_tables
WITH EXECUTE AS 'execute_as_user'
AS
SELECT * FROM master.dbo.syslogins ;
SELECT * FROM master.dbo.sysprocesses ;
GO
GRANT EXECUTE ON usp_access_server_system_tables TO an_approle ;
GO
CREATE CERTIFICATE signing_cert ENCRYPTION BY PASSWORD = 'SomeCertPa$$word'
WITH SUBJECT = 'Signing Cert' ;
GO
BACKUP CERTIFICATE signing_cert TO FILE = 'signing_cert.cer' ;
GO
ADD SIGNATURE TO usp_access_server_system_tables
BY CERTIFICATE signing_cert WITH PASSWORD = 'SomeCertPa$$word' ;
GO
---------------------------------------------------------------------
-- We must create a copy of the signing certificate in the target
-- database. In this case, the target database is the master database.
-- This copy of the signing certificate can vouch
-- for the execution contexts that enter this database from the
-- signed procedure.
---------------------------------------------------------------------
USE master
GO
CREATE CERTIFICATE signing_cert FROM FILE = 'signing_cert.cer' ;
GO
--
-- Because the VIEW* permissions in question are server-level permissions,
-- we need an AUTHENTICATE SERVER on a login-mapped certificate.
--
CREATE LOGIN signing_cert_login FROM CERTIFICATE signing_cert ;
GO
GRANT AUTHENTICATE SERVER TO signing_cert_login
GO
---------------------------------------------------------------------
-- Now you can open a new connection as "some_login" and
-- set the application role. Then, call the "usp_access_server_system_tables"
-- procedure, and obtain verification that you can access server-level information
-- when the application role-based application runs.
--------------------------------------------------
-- Connect as some_login (open a new connection)
--------------------------------------------------
USE approle_db
GO
EXEC sp_setapprole 'an_approle', 'SomeAppRolePa$$word!'
GO
EXEC usp_access_server_system_tables
GO
---------------------------------------------------------------------
---------------------------------------------------------------------
-- Go back to original connection to ...
-- Clean up after the procedure.
---------------------------------------------------------------------
USE master
GO
DROP DATABASE approle_db ;
GO
DROP LOGIN some_login;
GO
DROP LOGIN execute_as_login;
GO
DROP LOGIN signing_cert_login ;
GO
DROP CERTIFICATE signing_cert;
GO
--
-- Make sure to delete the certificate file. For example, delete
-- C:\Program Files\Microsoft SQL Server\MSSQL.<some_instance>\MSSQL\Data\signing_cert.cer
--