On 09-02-2021 15:52, Alex Peshkoff via Firebird-devel wrote:
> On 2/9/21 5:42 PM, Mark Rotteveel wrote:
>> I'm working on the Firebird 3 Language Reference, and I'm currently writing documentation for SET TRUSTED ROLE. I have tried reading the Firebird 3 release notes, and a Google-translated version of the Russian Firebird 3 Language Reference, but the meaning and intent of this feature is unclear to me.
>
> Please first of all read (in doc/sql.extensions/) README.mapping.html & README.set_role. They contain answers to your questions, but if something remains unclear anyway, I'll be glad to answer.

README.set_role.txt is not helpful. The README.mapping.html is also not really explicit about trusted roles; the only mention of trusted roles is this example:

"""
Map windows group to trusted firebird role:

CREATE MAPPING WINGROUP1 USING PLUGIN WIN_SSPI FROM GROUP GROUP_NAME TO ROLE ROLE_NAME;
"""

Exactly what makes this a trusted role?

If I read between the lines, this would indicate that mapping TO ROLE _role_name_ is what defines a "trusted role", which would mean it does not actually update CURRENT_ROLE, which would contradict what is documented in the Firebird 3 release notes:

"""
The single solution for all such cases is mapping the login information assigned to a user when it connects to a Firebird server to internal security objects in a database — CURRENT_USER and CURRENT_ROLE.
"""

It also seems to contradict documentation in the Russian Firebird 3 Language Reference (page 508), which indicates that ALTER ROLE RDB$ADMIN SET AUTO ADMIN MAPPING is equivalent to:

```
CREATE MAPPING WIN_ADMINS
  USING PLUGIN WIN_SSPI
  FROM Predefined_Group DOMAIN_ANY_RID_ADMINS
  TO ROLE RDB$ADMIN
```

While SET AUTO ADMIN MAPPING will apply RDB$ADMIN automatically if no explicit role is specified on connect.

In other words, does my confusion derive from the fact the Firebird 3 release notes say that CREATE MAPPING ... TO ROLE ... updates the CURRENT_ROLE, while in fact it does no such thing?

Mark
--
Mark Rotteveel


Firebird-Devel mailing list, web interface at 
https://lists.sourceforge.net/lists/listinfo/firebird-devel
