Difference EXECUTE AS targets

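I am not quite clear on the difference between the different EXECUTE AS targets in SQL Server: CALLER, SELF and OWNER, notably between the last two.

My understanding is that CALLER is the one who executes/calls the procedure.

SELF is "the specified user is the person creating or altering the module".

OWNER is "the current owner of the module".

Could you explain who "the person creating/modifying" and "the owner of the module" are? Is 'module' here the stored procedure/function, or the session, or the database? Including an example with the SELF user would be great.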

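Put simply, SELF impersonates you as the database user who last actually executed create / alter procedure. It doesn't always have to be the schema owner; as you can imagine, it can be anyone with permissions sufficient to create/modify the given object.

OWNER mode impersonates you as the owner of the schema the procedure/function belongs to.

If you want to dig deeper (and in this case there is always room for digging), below is a (relatively) simple example that can show you how things work here. There are some SQL Server-specific shortcuts and implications that I deliberately omitted, because otherwise it would be too much to write. You can always read the documentation, though.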

use master;
go
if db_id('TestDB') is not null
    drop database TestDB;
go
create database TestDB;
go
use TestDB;
go
-- Just for the sake of example, so that everyone can create procs
grant create procedure to public;
go
-- Schema owner
create user [SomeUser] without login;
go
create schema [s1] authorization [SomeUser];
go
-- An ordinary user
create user [AnotherUser] without login;
go
grant execute on schema::s1 to AnotherUser as [SomeUser];
go
-- Database administrator
create user [DBA] without login;
go
alter role [db_owner] add member [DBA];
go

-- Although it's SomeUser that owns the schema, DBA creates objects in it
execute as user = 'DBA';
go
create procedure s1.SpCaller
as
select user_name() as [s1_caller];
return;
go
create procedure s1.SpSelf
with execute as self as
select user_name() as [s1_self];
return;
go
create procedure s1.SpOwner
with execute as owner as
select user_name() as [s1_owner];
return;
go
revert;
go

-- You can play with actual impersonation and look at results
execute as user = 'AnotherUser';
go
exec s1.SpCaller;
go
exec s1.SpSelf;
go
exec s1.SpOwner;
go
revert;
go
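
An added example, not part of the original answer: an audit query that reads each module's EXECUTE AS setting from the catalog and resolves the principal it will run as. It assumes the TestDB objects created by the script above; the column aliases are illustrative.

```sql
use TestDB;
go
-- sys.sql_modules.execute_as_principal_id encodes the EXECUTE AS clause:
--   NULL  = CALLER (the default)
--   -2    = OWNER
--   other = principal id stored for SELF or for an explicitly named user
select
    s.name + '.' + o.name as module_name,
    o.type_desc,
    case
        when m.execute_as_principal_id is null then 'CALLER'
        when m.execute_as_principal_id = -2 then 'OWNER'
        else 'SELF or named user'
    end as execute_as_setting,
    r.runs_as,
    -- 1 when the effective principal is a db_owner member, i.e. anyone
    -- granted EXECUTE on the module acts with db_owner rights inside it
    is_rolemember('db_owner', r.runs_as) as runs_as_db_owner
from sys.sql_modules as m
join sys.objects as o on o.object_id = m.object_id
join sys.schemas as s on s.schema_id = o.schema_id
cross apply (
    select case
        -- CALLER: no fixed principal, depends on who executes the module
        when m.execute_as_principal_id is null then null
        -- OWNER: the object's own owner if one is set, else the schema owner
        when m.execute_as_principal_id = -2
            then user_name(coalesce(o.principal_id, s.principal_id))
        -- SELF / named user: the id recorded at create or alter time
        else user_name(m.execute_as_principal_id)
    end as runs_as
) as r
order by module_name;
go
```

Against the objects above, s1.SpSelf resolves to DBA (the user who ran create procedure) and s1.SpOwner to SomeUser (the owner of schema s1), so the SELF procedure is the one that hands db_owner context to any caller with EXECUTE permission.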