On 09-02-2021 16:23, Mark Rotteveel wrote:
> In other words, does my confusion derive from the fact the Firebird 3 release notes say that CREATE MAPPING ... TO ROLE ... updates the CURRENT_ROLE, while in fact it does no such thing?

Having done some further tests, a mapping will actually set CURRENT_ROLE if no explicit role was specified, but you can then use SET TRUSTED ROLE to update the CURRENT_ROLE to that mapped role.

In addition SET TRUSTED ROLE can even be used if the user has not been explicitly granted the role.

For example:

create mapping test_mark1_testrole using plugin srp from user mark1 to role testrole;
connect 'database' user mark1 password 'mark1' role none;
select current_role from rdb$database;

ROLE
===============================
NONE

set role testrole;
Statement failed, SQLSTATE = 0P000
Role TESTROLE is invalid or unavailable

set trusted role;
select current_role from rdb$database;

ROLE
===============================
TESTROLE

I do wonder about this case. Specifically, why am I not able to execute SET ROLE TESTROLE in this case? According to the mapping I'm allowed to use this role.

If I have to summarize this feature, it is "allows the user to assume the mapped role, even when they connected with a different role". Would that be accurate?

Would SET MAPPED ROLE have been a better name for this feature? As I understand it, trusted roles are a subset of mapped roles (e.g. a mapped role is any role assigned by a MAPPING rule, while a trusted role is a mapped role which has not been explicitly granted to the user).

Mark
--
Mark Rotteveel


Firebird-Devel mailing list, web interface at 
https://lists.sourceforge.net/lists/listinfo/firebird-devel
