On 2/9/21 7:01 PM, Mark Rotteveel wrote:
On 09-02-2021 16:23, Mark Rotteveel wrote:
In other words, does my confusion derive from the fact the Firebird 3
release notes say that CREATE MAPPING ... TO ROLE ... updates the
CURRENT_ROLE, while in fact it does no such thing?
Having done some further tests, a mapping will actually set
CURRENT_ROLE if no explicit role was specified, but you can then use
SET TRUSTED ROLE to update the CURRENT_ROLE to that mapped role.
In addition SET TRUSTED ROLE can even be used if the user has not been
explicitly granted the role.
For example
create mapping test_mark1_testrole using plugin srp from user mark1 to
role testrole;
connect 'database' user mark1 password 'mark1' role none;
select current_role from rdb$database;
ROLE
===============================
NONE
set role testrole;
Statement failed, SQLSTATE = 0P000
Role TESTROLE is invalid or unavailable
set trusted role;
select current_role from rdb$database;
ROLE
===============================
TESTROLE
I do wonder about this case. Specifically, why am I not able to
execute SET ROLE TESTROLE in this case? According to the mapping I'm
allowed to use this role.
According to SQL specification set role shall fail if user is not
granted the role. And allowed to use due to mapping and granted are
different things. That's the second reason to have such form of
statement at all, first - to help not think about what particular role
became available due to mapping. In such scenario:
set role special_role;
-- perform some action that require special_role
-- need to restore originak trusted role
set trusted role;
If I have to summarize this feature, it is "allows the user to assume
the mapped role, even when they connected with a different role".
Would that be accurate?
May be more accurate 'set current_role = trusted(mapped) role', no
matter why curent_role differs.
Would SET MAPPED ROLE have been a better name for this feature?
Trusted here means that it comes from plugin to which database trusts
enough (via mappings) to make that role available even if it was not
explicitly granted.
As I understand it, trusted roles are a subset of mapped roles (e.g. a
mapped role is any role assigned by a MAPPING rule, while a trusted
role is a mapped role which has not been explicitly granted to the user).
Never thought this way :-)
Firebird-Devel mailing list, web interface at
https://lists.sourceforge.net/lists/listinfo/firebird-devel
