Azure AD 组的第二个成员无法在 Azure SQL 数据库中创建架构
Second member of Azure AD group can not create schema in Azure SQL database
我们的 Azure SQL 数据库与 AAD 身份验证有一个奇怪的问题。
我们创建了一个具有所有权限的角色 (dbt_user),并排除了一些模式:
CREATE ROLE dbt_user AUTHORIZATION dbo;
GRANT CREATE SCHEMA, ALTER, DELETE, EXECUTE, INSERT, REFERENCES, SELECT, UPDATE TO dbt_user;
DENY ALTER, DELETE, EXECUTE, INSERT, UPDATE ON SCHEMA :: dbo TO dbt_user;
DENY ALTER, DELETE, EXECUTE, INSERT, UPDATE ON SCHEMA :: schema1 TO dbt_user;
DENY ALTER, DELETE, EXECUTE, INSERT, UPDATE ON SCHEMA :: schema2 TO dbt_user;
然后,我们添加一个 AAD 组 (myAADGroup) 作为用户,并将其添加到上面的角色中:
CREATE USER [myAADGroup] FROM EXTERNAL PROVIDER;
ALTER ROLE dbt_user ADD MEMBER [myAADGroup];
AAD 组有 2 名成员:user1@domain.com 和 user2@domain.com。
第一个用户可以登录,执行以下命令:
CREATE SCHEMA [test_schema_user1];
但是,当user2执行以下命令时,我们得到一个错误:
CREATE SCHEMA [test_schema_user2];
Msg 2760, Level 16, State 1, Line 1
The specified schema name "user2@domain.com" either does not exist or you do not have permission to use it.
Msg 2759, Level 16, State 0, Line 1
CREATE SCHEMA failed due to previous errors.
只有第一个用户才能成功创建架构。
我只在网上发现了 2 个稍微相关的问题,但他们谈论的是 CREATE TABLE,这可以通过明确定义 dbo 作为 table 的模式前缀来规避:
- Microsoft Tech Community
- Azure docs(见第5步末尾的注释)
为了调试,我作为 user2@domain.com 执行的一些事情:
select SCHEMA_NAME()
-- returns dbo
SELECT name, default_schema_name
FROM sys.database_principals
WHERE name = 'myAADGroup'
-- default_schema_name = dbo
SELECT name, default_schema_name
FROM sys.database_principals
WHERE name = 'dbt_user'
-- default_schema_name = null --> a role can not have a default_schema?
谢谢!
假设您拥有 AAD 管理员权限,
当 user1 成为 myAADGroup 组的成员时,登录并尝试创建新的 SCHEMA。将在数据库中创建一个新模式。如果该组中的任何其他成员,比如 user2 尝试创建架构,将显示无效的对象名称错误。此外,对于非 SQL 用户、Windows 用户或应用程序角色类型的主体,default_schema_name 是 Null。
此安全问题已通过为网上论坛分配默认架构得到解决。
USE your_database;
GO
CREATE USER [myAADGroup] FROM EXTERNAL PROVIDER WITH DEFAULT_SCHEMA = dbo;
或
ALTER USER [myAADGroup] WITH DEFAULT_SCHEMA=[dbo]
但是,请参阅 Remarks section of the CREATE SCHEMA documentation 中的以下说明:
Note: The implicit creation of an Azure Active Directory user is not possible on SQL Database. Since creating an Azure AD user from external provider must check the users status in the AAD, creating the user will fail with error 2760: The specified schema name "<user_name@domain>" either does not exist or you do not have permission to use it. And then error 2759: CREATE SCHEMA failed due to previous errors. To work around these errors, create the Azure AD user from external provider first and then rerun the statement creating the object.
我们的 Azure SQL 数据库与 AAD 身份验证有一个奇怪的问题。
我们创建了一个具有所有权限的角色 (dbt_user),并排除了一些模式:
CREATE ROLE dbt_user AUTHORIZATION dbo;
GRANT CREATE SCHEMA, ALTER, DELETE, EXECUTE, INSERT, REFERENCES, SELECT, UPDATE TO dbt_user;
DENY ALTER, DELETE, EXECUTE, INSERT, UPDATE ON SCHEMA :: dbo TO dbt_user;
DENY ALTER, DELETE, EXECUTE, INSERT, UPDATE ON SCHEMA :: schema1 TO dbt_user;
DENY ALTER, DELETE, EXECUTE, INSERT, UPDATE ON SCHEMA :: schema2 TO dbt_user;
然后,我们添加一个 AAD 组 (myAADGroup) 作为用户,并将其添加到上面的角色中:
CREATE USER [myAADGroup] FROM EXTERNAL PROVIDER;
ALTER ROLE dbt_user ADD MEMBER [myAADGroup];
AAD 组有 2 名成员:user1@domain.com 和 user2@domain.com。
第一个用户可以登录,执行以下命令:
CREATE SCHEMA [test_schema_user1];
但是,当user2执行以下命令时,我们得到一个错误:
CREATE SCHEMA [test_schema_user2];
Msg 2760, Level 16, State 1, Line 1
The specified schema name "user2@domain.com" either does not exist or you do not have permission to use it.
Msg 2759, Level 16, State 0, Line 1
CREATE SCHEMA failed due to previous errors.
只有第一个用户才能成功创建架构。
我只在网上发现了 2 个稍微相关的问题,但他们谈论的是 CREATE TABLE,这可以通过明确定义 dbo 作为 table 的模式前缀来规避:
- Microsoft Tech Community
- Azure docs(见第5步末尾的注释)
为了调试,我作为 user2@domain.com 执行的一些事情:
select SCHEMA_NAME()
-- returns dbo
SELECT name, default_schema_name
FROM sys.database_principals
WHERE name = 'myAADGroup'
-- default_schema_name = dbo
SELECT name, default_schema_name
FROM sys.database_principals
WHERE name = 'dbt_user'
-- default_schema_name = null --> a role can not have a default_schema?
谢谢!
假设您拥有 AAD 管理员权限,
当 user1 成为 myAADGroup 组的成员时,登录并尝试创建新的 SCHEMA。将在数据库中创建一个新模式。如果该组中的任何其他成员,比如 user2 尝试创建架构,将显示无效的对象名称错误。此外,对于非 SQL 用户、Windows 用户或应用程序角色类型的主体,default_schema_name 是 Null。
此安全问题已通过为网上论坛分配默认架构得到解决。
USE your_database;
GO
CREATE USER [myAADGroup] FROM EXTERNAL PROVIDER WITH DEFAULT_SCHEMA = dbo;
或
ALTER USER [myAADGroup] WITH DEFAULT_SCHEMA=[dbo]
但是,请参阅 Remarks section of the CREATE SCHEMA documentation 中的以下说明:
Note: The implicit creation of an Azure Active Directory user is not possible on SQL Database. Since creating an Azure AD user from external provider must check the users status in the AAD, creating the user will fail with error 2760: The specified schema name "<user_name@domain>" either does not exist or you do not have permission to use it. And then error 2759: CREATE SCHEMA failed due to previous errors. To work around these errors, create the Azure AD user from external provider first and then rerun the statement creating the object.