On 09-02-2021 16:23, Mark Rotteveel wrote:
In other words, does my confusion derive from the fact the Firebird 3
release notes say that CREATE MAPPING ... TO ROLE ... updates the
CURRENT_ROLE, while in fact it does no such thing?
Having done some further tests, a mapping will actually set CURRENT_ROLE
if no explicit role was specified, but you can then use SET TRUSTED ROLE
to update the CURRENT_ROLE to that mapped role.
In addition SET TRUSTED ROLE can even be used if the user has not been
explicitly granted the role.
For example
create mapping test_mark1_testrole using plugin srp from user mark1 to
role testrole;
connect 'database' user mark1 password 'mark1' role none;
select current_role from rdb$database;
ROLE
===============================
NONE
set role testrole;
Statement failed, SQLSTATE = 0P000
Role TESTROLE is invalid or unavailable
set trusted role;
select current_role from rdb$database;
ROLE
===============================
TESTROLE
I do wonder about this case. Specifically, why am I not able to execute
SET ROLE TESTROLE in this case? According to the mapping I'm allowed to
use this role.
If I have to summarize this feature, it is "allows the user to assume
the mapped role, even when they connected with a different role". Would
that be accurate?
Would SET MAPPED ROLE have been a better name for this feature? As I
understand it, trusted roles are a subset of mapped roles (e.g. a mapped
role is any role assigned by a MAPPING rule, while a trusted role is a
mapped role which has not been explicitly granted to the user).
Mark
--
Mark Rotteveel
Firebird-Devel mailing list, web interface at
https://lists.sourceforge.net/lists/listinfo/firebird-devel