Details

    Description

      The SET USER privilege gives the ability to specify an arbitrary definer for views and stored routines. That basically means that a user with SET USER can execute commands as any other user.

      To make this functionality more convenient to use, the server could allow a user with SET USER to "sudo" directly into any other user without authentication.

      We'll implement the standard SET SESSION AUTHORIZATION statement to do that. It should allow everything that is achievable in a stored procedure (SP) with an arbitrary definer. In particular, it will bypass the account lock, expired password, authentication, and REQUIRE SSL checks, etc.

      The standard syntax is:

      <set session user identifier statement> ::=
              SET SESSION AUTHORIZATION <value specification>
      

      The important parts of the spec are:

      1) If a <set session user identifier statement> is executed and an SQL-transaction is currently active, then an exception condition is raised: invalid transaction state — active SQL-transaction.

      (it's sqlstate 25001), and

      4) If V is not equal to the current value of the SQL-session user identifier of the current SQL-session context, then the restrictions on the permissible values for V are implementation-defined.

      That is, one can always set session authorization to themselves, and it's implementation-defined when one can change to another user. We'll define it as "if granted the SET USER privilege".

      It won't work inside transactions (per the standard), and it won't work in prepared statements (PS) or stored procedures (SP), because changing the user resets all PS and SP in the connection, so none can survive this statement.
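
The rules above as a constructed session, followed by the audit query an administrator would run once SET USER implies password-less impersonation. This is an added example, not code from the issue or the server; the accounts 'dba'@'localhost' and 'app'@'localhost' are hypothetical, and writing the target as 'user'@'host' is an assumption about the accepted form of the value specification.

```sql
-- Setup, run beforehand by an administrator (constructed accounts).
CREATE USER 'app'@'localhost' ACCOUNT LOCK;       -- locked: nobody can log in as app
CREATE USER 'dba'@'localhost' IDENTIFIED BY 'constructed-password';
GRANT SET USER ON *.* TO 'dba'@'localhost';

-- Session connected as dba@localhost.

-- Rule 1: refused while a transaction is active (SQLSTATE 25001).
START TRANSACTION;
SET SESSION AUTHORIZATION 'app'@'localhost';      -- fails: active SQL-transaction
ROLLBACK;

-- Rule 4: V differs from the session user, so the SET USER privilege decides.
-- dba holds it; the account lock on app is one of the checks that is bypassed.
SET SESSION AUTHORIZATION 'app'@'localhost';
SELECT CURRENT_USER();                            -- confirm the account now in effect

-- Setting the authorization to the session's own user is always permitted.
SET SESSION AUTHORIZATION 'app'@'localhost';

-- Audit: each grantee listed here can act as any account, including locked
-- or password-expired ones, so review this list like a list of superusers.
SELECT GRANTEE
  FROM information_schema.USER_PRIVILEGES
 WHERE PRIVILEGE_TYPE = 'SET USER';
```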

            People

              serg Sergei Golubchik