Search results matching tags 'T-SQL', 'SQL Server 2008 R2', and 'good practices'

Server level permissions for developers–why you should read books

rodak.p@gmail.com — Mon, 02 Jan 2012 03:05:00 GMT

It is quite difficult recently for me to find some time to write a new post, so I don’t seem to be leading the rankings of the most frequent bloggers. I rarely recently have opportunity to lay my hands on the code too, so natural sources of ‘inspiration’ are less often. Hopefully this will change in 2012 and I will have more opportunities to write something useful.

In a big enterprise the roles of server users are usually more distinguished than in smaller companies. You have DBAs, developers and business users. Each of these roles has generally different goals and different rights when it comes to connecting to the database servers. Large organizations tend to implement service oriented approach to processes, which means that various teams are responsible for executing various tasks ordered by other teams. In the case of developers and DBAs, the latter are responsible for all maintenance and management tasks on servers which are ‘owned’ by developers. Such organisation of work often results in sealing off developers from the maintenance related activities, such as creating databases or snapshots, running traces, viewing server state and troubleshooting blocks and deadlocks. This approach unfortunately, while imposes more order to the server utilization and prevents accidental failures, tends to slow down the development process, sometimes preventing any work from being done by significant number of developers for time anything from few minutes to few hours. This is a waste of time and money of course. In my case, development team wanted to have right to kill user sessions on development servers. You know, sometimes there is a process that takes a lot of time and locks, or there is an open transaction keeping schema locks all over the place and and the owner of it is gone for the day without committing it.

Problem is, that to be able to kill a session, you have to be a sysadmin, processadmin, or have ALTER ANY CONNECTION right granted to you at server level. Obviously, in certain environments these permissions are not the ones DBAs want to give to ~~random people~~ developers. If you GRANT ALTER ANY CONNECTION to a login, this login can kill some important sessions, not only the runaway ones. It may break audit, scheduled maintenance, backups, other teams ETL processes – just imagine your mailbox – it ain’t gonna look pretty. It would be much better to be able to grant login right to kill only spids belonging to certain users or working on certain databases. How can you eat the cake and have the cake?

I remembered that I had read about this idea in one of the books, namely Expert SQL Server 2005 Development by Adam Machanic, Lara Rubbelke and Hugo Kornelis. This is an excellent book, you should really read it if you haven’t yet done so. There is a chapter in the book, discussing the security features introduced in SQL Server 2005. These features allow architects to design more versatile and complex applications without jeopardizing security requirements. As you know, the security model in SQL Server 2005 has been completely revamped, for example the notion of the schema was separated from the ownership and database user. There are more features, one of most important probably is the ability to sign stored procedures with certificates and to create logins and users from the certificates. The discussion about security architecture and certificates is huge and going beyond scope of this post. One of the starting points you can check out is the MSDN article "Securing SQL Server”.

In short, if you were to grant server wide elevated rights to certain groups of users, how would you do it? Here’s a little shopping list:

Create a certificate
Create a login from the certificate
Grant ALTER ANY CONNECTION to the login
If you want to have the procedure in database other than master, you must copy the certificate to this database. You do it with backup-restore technique.
Create a user for the login
Create stored procedure that will issue KILL command
Sign the procedure with the certificate
Grant EXECUTE on the procedure to developers.

Here are some highlights of the solution. I attach the testing code at the end of the post as usual.

Sample code for creating certificate and the login is as follows.

 ---create certificate that the procedure will be signed with
create certificate kill_session_certificate
    encryption by password = '1410SomeReallyStrongPassword2011!'
    with subject = 'Enable KILL through procedure'
go
---create login that will be granted right to kill sessions
create login kill_login from certificate kill_session_certificate
go
 
--licence to kill
grant ALTER ANY CONNECTION to kill_login
 

This is the stored procedure developers can call to kill sessions.

 create procedure killsession(@sessionid int)
as
begin
    /* Piotr Rodak: procedure calls KILL command. Must be signed by certificate to work.*/
    print 'killsession: executing as ' + suser_name()
    declare @command varchar(300)
    set @command = 'kill ' + convert(varchar, @sessionid)
    print @command
    ---you can filter only sessions running on certain databases here.. 
    
    exec(@command)
    
    ---you can add logging here.. 
    print 'killed session ' + convert(varchar, @sessionid)
end
 

You can create the procedure in any database, but if you choose a database different than master you have to copy the certificate from master to the target database.

And here’s code to sign the procedure:

 ---sign the procedure with the certificate
add signature to killsession by certificate kill_session_certificate
with password ='1410SomeReallyStrongPassword2011!'
 

Since you are executing the command wrapped into a stored procedure, you have potential to implement additional audit, like grab execution plan or some other performance indicators of the server at the moment when the command is issued. This can be extremely helpful for troubleshooting reasons. I think this is pretty cool.

Here’s the testing script.

Enjoy.

Security – how to assign rights to database objects

rodak.p@gmail.com — Sun, 10 Apr 2011 09:23:00 GMT

A few days ago my team mate asked me to check out why one of the logins doesn’t have right to execute to a few stored procedures. Allegedly it had the right before. After a few minutes of digging in the source control it turned out that these procedures were scripted with explicit EXECUTE rights to them. However, some later updates to the code did not contain the rights scripted. Developers rarely pay too much attention to the security design of the code they write. It is not common that the code is implemented with least possible access level in mind. A classic example of this is TRUNCATE TABLE. While this is very handy command and can be very useful in certain scenarios, developers don’t realize that the user account executing it has to have some elevated rights.

I have seen many databases which implement explicit rights to objects. This is to some degree a legacy issue, as in SQL Server 2000 and before security model was completely different and more difficult to manage. The common practice at the time was to script rights to objects, and to make things simple everyone who had right to connect to database could do everything in it. Even recently I saw a table with explicit rights like this:

 create table dbo.sometable
(
    column1 int,
    columnt2 char(1),
    column3 varchar(255)
)
go
 
grant select on dbo.sometable to [public]
grant delete on dbo.sometable to [public]
grant insert on dbo.sometable to [public]
grant update on dbo.sometable to [public]
 
go
 

This is definitely a bad practice.

Let’s examine slightly different scenario, the one that I mentioned at the beginning of this post. Let’s analyse what options you have when you need to give user rights to execute a stored procedure but do don’t want to give rights to public role:

Assign explicit rights for the user to the procedure.
Assign explicit rights to a role and assign user to that role
Create the procedure within a separate schema, assign user to specific role and assign rights for the schema to the role.

The above three options have their pros and cons. The first option is in most cases an aftermath of legacy design and while it is most granular, it is also hardest to manage and monitor.

Second option is also very granular, the only difference is after all that the rights are assigned to a database role. Main advantage of this solution is that you can assign more than one user to the database role and they will be automatically granted required access to the objects.

The third option requires some consideration regarding design of the database. You may need to change some code calling the procedures. You may still want to create a database role and assign rights for the schema to the role. This gives you best flexibility.

Let’s examine some of the effects each of these options brings in when implemented. I created script file that examines six scenarios you may come across in your database. This is definitely not a complete list, bear in mind.

First, let’s create test database and login that we will use to test the solutions. I will also create a sample table and stored procedure in the database.

 use master
go
create login RemoteLogin with password='Str()ngPwd', check_policy=off
go
create database testExecRights
go
use testExecRights
go
create user [RemoteUser] from login [RemoteLogin]
go
create table dbo.tTest(a int, b int)
go
create procedure dbo.pTestInsert(@a int, @b int)
as
begin
    insert dbo.tTest(a, b) values(@a, @b)
end
go
 

The first scenario shows what happens when you create an user in the database, but you don’t assign any specific rights for it.

 ---Scenario 1: user has public right to the database
execute as login='RemoteLogin'
select suser_name()
go
 
    begin try
        ---should fail
        exec dbo.pTestInsert 1, 1
        return;
    end try
    begin catch
        declare @errormsg nvarchar(2000)
        set @errormsg = N'Scenario 1: Exception occured in ' + error_procedure() + 
            N': ' + error_message() + N' (' + convert(nvarchar, error_number()) + N')'
        raiserror(@errormsg, 16, 1)
    end catch
 

This code throws an exception, as expected:

Msg 50000, Level 16, State 1, Line 10
 Scenario 1: Exception occured in pTestInsert: The EXECUTE permission was denied on the object 'pTestInsert', database 'testExecRights', schema 'dbo'. (229)

Let’s have a look what we’ll get when we assign the right to execute the stored procedure explicitly:

 ---Scenario 2: user has explicit right to execute the procedure
---this is executed at sa/dbo level
grant execute on dbo.pTestInsert to [RemoteUser]
go
execute as login='RemoteLogin'
select suser_name()
go
    begin try
        ---should succeed
        exec dbo.pTestInsert 1, 1
        return;
    end try
    begin catch
        declare @errormsg nvarchar(2000)
        set @errormsg = N'Scenario 2: Exception occured in ' + error_procedure() + N': ' + error_message() + N' (' + convert(nvarchar, error_number()) + N')'
        raiserror(@errormsg, 16, 1)
    end catch
go
revert
select suser_name()
--revoke granted right
revoke execute on dbo.pTestInsert to [RemoteUser]
go
 

In line 3 in the above snippet you see the command to grant execute right on the stored procedure to the RemoteUser. Please note that the user still has no other rights – he can’t insert rows to the tTest table directly, he even can’t select from the table. Since the above snippet is part of the bigger script, at the end of it, in line 22 you can see command 'REVOKE’ to – revoke the right granted in the line 3. So, how the above code works? Yes, it works OK. It doesn’t throw exception because the permissions are right.

As I mentioned before, there were procedures which the remote login mysteriously lost ability to call. In my case, the issue was caused by a release script, which did not re-establish appropriate rights to them. There are two ways you can modify a procedure during release. One is obviously ALTER PROCEDURE, which does not change the security configuration of the procedure, the other is a sequence of DROP and CREATE statements. Scenarios 3 and 4 are shown in the below scripts.

 ---Scenario 3: user has explicit right to execute the procedure but the stored procedure is ALTERED
--- in subsequent release
go
---this is executed at sa/dbo level
grant execute on dbo.pTestInsert to [RemoteUser]
go
go
---now ALTER the procedure
alter procedure dbo.pTestInsert (@a int, @b int)
as 
begin
    insert dbo.tTest(a, b) values (@a, @a * @b)
end
go
execute as login='RemoteLogin'
select suser_name()
go
    begin try
        ---should succeed
        exec dbo.pTestInsert 1, 1
        return;
    end try
    begin catch
        declare @errormsg nvarchar(2000)
        set @errormsg = N'Scenario 3: Exception occured in ' + error_procedure() + N': ' + error_message() + N' (' + convert(nvarchar, error_number()) + N')'
        raiserror(@errormsg, 16, 1)
    end catch
go
revert
select suser_name()
 
go
--revoke granted right
revoke execute on dbo.pTestInsert to [RemoteUser]
go
 

 ---Scenario 4: user has explicit right to execute the procedure but the stored procedure is 
---DROPPED an CREATED in subsequent release
go
---this is executed at sa/dbo level
grant execute on dbo.pTestInsert to [RemoteUser]
go
go
---now DROP and CREATE the procedure
drop procedure dbo.pTestInsert 
go
create procedure dbo.pTestInsert (@a int, @b int)
as 
begin
    insert dbo.tTest(a, b) values (@a, @a * @b)
end
go
execute as login='RemoteLogin'
select suser_name()
go
    begin try
        ---should fail
        exec dbo.pTestInsert 1, 1
        return;
    end try
    begin catch
        declare @errormsg nvarchar(2000)
        set @errormsg = N'Scenario 4: Exception occured in ' + error_procedure() + N': ' + error_message() + N' (' + convert(nvarchar, error_number()) + N')'
        raiserror(@errormsg, 16, 1)
    end catch
go
revert
select suser_name()
 

Scenario 4 throws an exception as expected:

Msg 50000, Level 16, State 1, Line 9
 Scenario 4: Exception occured in pTestInsert: The EXECUTE permission was denied on the object 'pTestInsert', database 'testExecRights', schema 'dbo'. (229)

Obviously there is an issue here. The release process must take care of the proper assignment of the rights. The problem is if the script consists of smaller parts prepared by developers, it may be virtually impossible to verify if the rights are scripted correctly in the release script. One can script all explicit permissions to objects before the release and then reconcile them with the permissions existing after the release. This also can be tricky, as sometimes the rights have to change, sometimes new objects don’t have properly scripted permissions etc. What if you have may users that need to perform certain operations on tables and views? In general, it looks like the idea of assigning rights one by one for all users and objects is bad in most scenarios. Imagine the amount of failure points if you have 3000+ objects in database and you change, say, a few hundred of them within the release. What can you do about it?

First thing that you should do is to break explicit relationship of users and objects. You can do this by creating a database role which will serve as single point of security assignments. By having several roles in the database, you can tune the security fairly easily without having to rescript permissions for all users each time you need to make a change. Scenario 5 shows such database role example:

 ---Scenario 5: belongs to DATABASE ROLE with explicit right to execute the procedure 
---and the stored procedure is DROPPED an CREATED in subsequent release
go
---this is executed at sa/dbo level
create role [pTestExecRightRole]
go
grant execute on dbo.pTestInsert to [pTestExecRightRole]
go
exec sp_addrolemember 'pTestExecRightRole', 'RemoteUser'
go
---now DROP and CREATE the procedure
drop procedure dbo.pTestInsert 
go
create procedure dbo.pTestInsert (@a int, @b int)
as 
begin
    insert dbo.tTest(a, b) values (@a, @a * @b)
end
go
execute as login='RemoteLogin'
select suser_name()
go
    begin try
        ---should succeed
        exec dbo.pTestInsert 1, 1
        return;
    end try
    begin catch
        declare @errormsg nvarchar(2000)
        set @errormsg = N'Scenario 5: Exception occured in ' + error_procedure() + N': ' + error_message() + N' (' + convert(nvarchar, error_number()) + N')'
        raiserror(@errormsg, 16, 1)
    end catch
go
revert
select suser_name()
go
exec sp_droprolemember 'pTestExecRightRole', 'RemoteUser'
go
drop role [pTestExecRightRole]
go
 

The issue with the above is that still, when an object is dropped and recreated, the rights assigned to it are lost. The script above throws the same exception again:

Msg 50000, Level 16, State 1, Line 9
 Scenario 5: Exception occured in pTestInsert: The EXECUTE permission was denied on the object 'pTestInsert', database 'testExecRights', schema 'dbo'. (229)

To solve this you have to group objects in a similar way you do it with users. While database role is used as a container for usSers, schema serves the same purpose for database objects. Scenario 6 shows this approach.

 ---Scenario 6: user belongs to DATABASE ROLE with explicit right to execute on the SCHEMA
---and the stored procedure is DROPPED an CREATED in subsequent release
go
---this is executed at sa/dbo level
create role [pTestExecRightRole]
go
create schema RemoteExec authorization dbo
go
grant execute on schema::RemoteExec to [pTestExecRightRole]
go
exec sp_addrolemember 'pTestExecRightRole', 'RemoteUser'
go
---now DROP and CREATE the procedure
drop procedure dbo.pTestInsert 
go
create procedure RemoteExec.pTestInsert (@a int, @b int)
as 
begin
    insert dbo.tTest(a, b) values (@a, @a * @b)
end
go
execute as login='RemoteLogin'
select suser_name()
go
    begin try
        ---should succeed
        exec RemoteExec.pTestInsert 1, 1
        return;
    end try
    begin catch
        declare @errormsg nvarchar(2000)
        set @errormsg = N'Scenario 6: Exception occured in ' + error_procedure() + N': ' + error_message() + N' (' + convert(nvarchar, error_number()) + N')'
        raiserror(@errormsg, 16, 1)
    end catch
go
revert
select suser_name()
 
go
 

As you see, I created schema RemoteExec in line 7. I granted explicit right to execute on all objects belonging to the schema to the database role pTestExecRightRole. Subsequently I simulate release process by dropping existing procedure dbo.pTestInsert and creating it in the schema RemoteExec. As you see, I don’t apply any explicit rights to the stored procedure. The fact that it belongs to the RemoteExec schema is sufficient for it to be callable by the user belonging to pTestExecRightRole. You can easily add and remove procedures from the RemoteExec schema and they will automatically inherit any rights you have chosen to assign to them, without any manual coding. More importantly, the rights are not tied to the objects, so you will not loose required functionality after making changes to the objects.

As I said before, this approach has its consequences. You may need to modify some of the code that calls the stored procedures to explicitly reference schema, in some cases you need to modify the code of the stored procedures. If you work with older code the most likely schema it references is an implicit dbo – object names are used without any schema part. This may be OK and resolve at runtime, but in some cases it won’t especially if you move the procedure to a different schema. It is a good practice to explicitly reference schemas in your code to avoid any confusion and problems.

You can download the test script with all scenarios and cleanup code from this location. Enjoy.

Technorati Tags: SQL Server 2008,T-SQL,programming,database design