Re: [Firebird-devel] WITH CALLER PRIVILEGES propagation
21.04.2022 13:38, Jiří Činčura wrote:
> Hi,
>
> Can I propagate the privileges down into the call stack when using WITH CALLER PRIVILEGES? For example:
>
> CREATE TABLE T_TEST (ID INTEGER NOT NULL,
>     CONSTRAINT PK_TEST PRIMARY KEY (ID));
>
> SET TERM ^ ;
>
> /* Package header: PKG_TEST, Owner: SYSDBA */
> CREATE PACKAGE PKG_TEST
> AS
> begin
>   procedure test returns (i int);
> end^
>
> /* Package header: PKG_TEST_LIMITED, Owner: SYSDBA */
> CREATE PACKAGE PKG_TEST_LIMITED
> AS
> begin
>   procedure test returns (i int);
> end^
>
> /* Package body: PKG_TEST, Owner: SYSDBA */
> CREATE PACKAGE BODY PKG_TEST
> AS
> begin
>   procedure test returns (i int)
>   as
>   begin
>     for select id from t_test into :i do
>     begin
>       suspend;
>     end
>   end
> end^
>
> /* Package body: PKG_TEST_LIMITED, Owner: SYSDBA */
> CREATE PACKAGE BODY PKG_TEST_LIMITED
> AS
> begin
>   procedure test returns (i int)
>   as
>   begin
>     for execute statement 'select i from pkg_test.test'
>         with caller privileges into :i do
>     begin
>       suspend;
>     end
>   end
> end^
>
> SET TERM ; ^
>
> /* Grant permissions for this database */
> GRANT SELECT ON T_TEST TO PACKAGE PKG_TEST_LIMITED;
> GRANT EXECUTE ON PACKAGE PKG_TEST_LIMITED TO USER LIMITED;
>
> Now if I do, under LIMITED user, `select * from pkg_test_limited.test;` it will end up with `no permission for SELECT access to TABLE T_TEST`.

Here user LIMITED executes PKG_TEST_LIMITED.TEST (which it has an explicit grant to do, see 2nd GRANT statement) and then is going to execute a procedure from package PKG_TEST, which neither user LIMITED nor package PKG_TEST_LIMITED is granted to do.

Error message is misleading here, btw. If you

    GRANT SELECT ON T_TEST TO PACKAGE PKG_TEST

and run

    select * from pkg_test_limited.test

then you'll see more correct error:

    no permission for EXECUTE access to PACKAGE PKG_TEST

Then add missing

    GRANT EXECUTE ON PACKAGE PKG_TEST TO PACKAGE PKG_TEST_LIMITED

and query will run successfully.

> But if I change the execute statement into `for execute statement 'select id from t_test' with caller privileges into :i do` everything is fine.

Sure, because package PKG_TEST_LIMITED is granted to do it (your 1st GRANT statement) and caller privileges is effective.

> I guess the "caller privileges" is propagated only into `pkg_test_limited.test` when calling, but not further into `t_test`.
>
> Can I somehow make it work/propagate? Or did I misunderstand the feature?

Hope it is clear now.

Regards,
Vlad

Firebird-Devel mailing list, web interface at https://lists.sourceforge.net/lists/listinfo/firebird-devel
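
The grant chain described in the reply above, written out hop by hop with a catalogue query to review it. This is an added example, not part of the original messages; it assumes the objects and the LIMITED user from the quoted script already exist, and it reads the RDB$USER_PRIVILEGES system table (type codes 8 = user, 18 = package).

```sql
-- Added example: T_TEST, PKG_TEST, PKG_TEST_LIMITED and user LIMITED
-- are the ones from the quoted script and are assumed to exist.

-- Hop 1: the user may call only the entry-point package
-- (already present in the quoted script).
GRANT EXECUTE ON PACKAGE PKG_TEST_LIMITED TO USER LIMITED;

-- Hop 2: the EXECUTE STATEMENT ... WITH CALLER PRIVILEGES inside
-- PKG_TEST_LIMITED selects from PKG_TEST.TEST, so the calling package
-- needs EXECUTE on PKG_TEST.
GRANT EXECUTE ON PACKAGE PKG_TEST TO PACKAGE PKG_TEST_LIMITED;

-- Hop 3: PKG_TEST.TEST is the object that reads the table, so the
-- table privilege is granted to PKG_TEST.
GRANT SELECT ON T_TEST TO PACKAGE PKG_TEST;

-- The script's own GRANT SELECT ON T_TEST TO PACKAGE PKG_TEST_LIMITED
-- is what covers the variant that selects from T_TEST directly.

COMMIT;

-- Review the chain: one row per grant on the three objects.
-- Rows for the object owner may be listed as well.
SELECT TRIM(p.RDB$USER)          AS GRANTEE,
       CASE p.RDB$USER_TYPE
         WHEN 8  THEN 'USER'
         WHEN 18 THEN 'PACKAGE'
         ELSE CAST(p.RDB$USER_TYPE AS VARCHAR(10))
       END                       AS GRANTEE_KIND,
       TRIM(p.RDB$PRIVILEGE)     AS PRIV,       -- 'S' = SELECT, 'X' = EXECUTE
       TRIM(p.RDB$RELATION_NAME) AS ON_OBJECT
FROM RDB$USER_PRIVILEGES p
WHERE p.RDB$RELATION_NAME IN ('T_TEST', 'PKG_TEST', 'PKG_TEST_LIMITED')
  AND p.RDB$PRIVILEGE IN ('S', 'X')
ORDER BY 4, 1;
```

User LIMITED should appear only against PKG_TEST_LIMITED; a row granting LIMITED anything on T_TEST or PKG_TEST means the user can bypass the entry-point package.
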
Re: [Firebird-devel] WITH CALLER PRIVILEGES propagation
My script uses packages (and I grant to package). That's not going to fly on 2.5. :(

--
Mgr. Jiří Činčura
https://www.tabsoverspaces.com/

On Fri, Apr 22, 2022, at 17:23, Alex Peshkoff via Firebird-devel wrote:
> On 22.04.2022 18:07, Jiří Činčura wrote:
>> Yes. Fails.
>>
>> Do you want me to create script for testing?
>>
>
> Can you please check your script on some old version? Like 2.5.
>
> Maybe I miss something.

Re: [Firebird-devel] Firebird and DSQL Scrollable Cursors
22.04.2022 14:49, Mark Rotteveel wrote:
> > 28.11.2021 14:45, Mark Rotteveel wrote:
> > 3) "row count" makes it possible to know the position after fetchLast() and everything else could be calculated locally by the client library, thus making the server-supported "current position" totally unnecessary.
> >
> > Do I miss anything? Could we agree on having only "row count" returned via op_info_cursor and leaving "cursor position" (getRow() in Java API) up to the connectivity library developers?
>
> I was wondering if this - fetching rowcount of a scrollable cursor - was already implemented. If so, how do I get it? And if not, when can I expect it to be implemented?

PR #7083, was left for review but not merged yet. I see it has conflicts now, I will address them tomorrow and then merge the PR.

Dmitry

Re: [Firebird-devel] WITH CALLER PRIVILEGES propagation
On 22.04.2022 18:07, Jiří Činčura wrote:
> Yes. Fails.
>
> Do you want me to create script for testing?

Can you please check your script on some old version? Like 2.5.

Maybe I miss something.

Re: [Firebird-devel] WITH CALLER PRIVILEGES propagation
Yes. Fails.

Do you want me to create script for testing?

--
Mgr. Jiří Činčura
https://www.tabsoverspaces.com/

On Fri, Apr 22, 2022, at 10:19, Alex Peshkoff via Firebird-devel wrote:
> On 22.04.2022 08:20, Jiří Činčura wrote:
>> Without it, it obviously fails. Because the "limited" user does not have
>> permissions. That's what I'm trying to go around thru the permissions of
>> calling object.
>>
>
> Fails w/o execute statement? Just using select from procedure instead?
> Very strange - this always worked with caller privileges.

Re: [Firebird-devel] Firebird and DSQL Scrollable Cursors
On 08-12-2021 10:13, Dmitry Yemanov wrote:
> 28.11.2021 14:45, Mark Rotteveel wrote:
> 3) "row count" makes it possible to know the position after fetchLast() and everything else could be calculated locally by the client library, thus making the server-supported "current position" totally unnecessary.
>
> Do I miss anything? Could we agree on having only "row count" returned via op_info_cursor and leaving "cursor position" (getRow() in Java API) up to the connectivity library developers?

I was wondering if this - fetching rowcount of a scrollable cursor - was already implemented. If so, how do I get it? And if not, when can I expect it to be implemented?

Mark
--
Mark Rotteveel

Re: [Firebird-devel] WITH CALLER PRIVILEGES propagation
On 22.04.2022 08:20, Jiří Činčura wrote:
> Without it, it obviously fails. Because the "limited" user does not have permissions. That's what I'm trying to go around thru the permissions of calling object.

Fails w/o execute statement? Just using select from procedure instead?
Very strange - this always worked with caller privileges.