From 928242e54dc4a096ea7707d9535fce3ca706c42c Mon Sep 17 00:00:00 2001 From: AlexPeshkoff Date: Mon, 13 Apr 2020 14:20:53 +0300 Subject: [PATCH] Misc docs --- doc/sql.extensions/README.mapping.html | 81 ++++++++++++-------------- 1 file changed, 37 insertions(+), 44 deletions(-) diff --git a/doc/sql.extensions/README.mapping.html b/doc/sql.extensions/README.mapping.html index cbbd26a36c..094ab3ecf7 100644 --- a/doc/sql.extensions/README.mapping.html +++ b/doc/sql.extensions/README.mapping.html @@ -3,19 +3,19 @@ - + - + - -

SQL -Language Extension: CREATE/ALTER/CREATE_OR_ALTER/DROP MAPPING

+

+SQL Language Extension: +CREATE/ALTER/CREATE_OR_ALTER/DROP MAPPING


@@ -67,20 +67,16 @@ objects in database – current_user and current_role. Mapping rule contains 4 parts of information:

Here @@ -100,19 +96,15 @@ databases - not all of them need/use windows trusted authentication.

'From' part of mapping has 4 items:

    -
  • -

    authentication +

  • authentication source (plugin name or result of mapping in other database or use of serverwide authentication or any method),

    -
  • -

    name +

  • name of database where authentication succeeded,

    -
  • -

    name +

  • name from which mapping is performed,

    -
  • -

    type +

  • type of that name (username, role, OS group – this depends upon plugin which added that name during authentication).
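Review bot: In the first item of the 'From' list, the parenthetical "plugin name or result of mapping in other database or use of serverwide authentication or any method" chains four alternatives with "or", which makes it hard to see that they are separate choices. Since this hunk already rewrites the list markup, consider turning them into a comma-separated series or a nested list, and writing "server-wide". The fourth item says the type "depends upon plugin which added that name"; "depends on the plugin that added that name" reads more cleanly.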

@@ -125,11 +117,9 @@ definitely bad idea to mix different types of security objects.

'To' part has 2 items:

    -
  • -

    name +

  • name to which mapping is performed,

    -
  • -

    type +

  • type of that name (only USER/ROLE are accepted here).


@@ -289,35 +279,38 @@ DOMAIN\GROUP.

Notice:

+

- +Global mapping works best if firebird 3 or higher version database is +used as security database. If you plan to use other database as +security one (using for example your own provider) please create in +it table RDB$AUTH_MAPPING with structure repeating one in firebird 3 +database, public read access and SYSDBA-only write access.

+

- +Mappings +work only with information, coming from authentication plugins or +previously done mapping. Information present in DPB (particular SQL +role name) is not affected by mappings and can not be changed using +them.


-

Global -mapping works best if firebird 3 or higher version database is used -as security database. If you plan to use other database as security -one (using for example your own provider) please create in it table -RDB$AUTH_MAPPING with structure repeating one in firebird 3 database, -public read access and SYSDBA-only write access.

-


+


-


- -

-

Tip:

-

It’s +

Tip:

+

It’s relatively easy to accidentally make a database remotely inaccessible -using CREATE MAPPING statement. For example: +using CREATE MAPPING statement. For example:

-

CREATE -MAPPING BREAK_DB_1 USING * FROM ANY USER TO ROLE ROLE1;

-

CREATE -MAPPING BREAK_DB_2 USING * FROM ANY USER TO ROLE ROLE2;

-

This +

CREATE +MAPPING BREAK_DB_1 USING * FROM ANY USER TO ROLE ROLE1;

+

CREATE +MAPPING BREAK_DB_2 USING * FROM ANY USER TO ROLE ROLE2;

+

This will disallow any user (including SYSDBA) to connect. Luckily mappings are not processed when database is used in embedded mode, i.e. in such a case one should attach to database using embedded -access and fix bad mappings.

+access and fix bad mappings.
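Review bot: The new Notice paragraph ("Mappings work only with information, coming from authentication plugins or previously done mapping") uses "DPB" without expanding it and has a stray comma after "information". Suggest "Mappings work only with information coming from authentication plugins or from previously performed mappings", spelling out "database parameter block (DPB)" on first use, "cannot" for "can not", and "Firebird 3" for "firebird 3" in the paragraph that now precedes it. In the Tip, the text states that the BREAK_DB_1 and BREAK_DB_2 pair stops every user, including SYSDBA, from connecting, but it never says why the two rules together have that effect or which statement repairs it from an embedded attachment. One sentence on each, for example naming DROP MAPPING, which the page title already lists, would make the recovery path usable by someone who is already locked out.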