1

I am working with Firebird 2.5.8, ODS Version 11.2, connecting via Firebird ADO.NET v6.6 (in C# using Visual Studio). I have built a database management tool for configuring our tables, as well as performing some basic Firebird user management operations. The database has different roles (MyRoleX and MyRoleY) defined to give/restrict access.

User management operations include granting/revoking these roles to different users. When logged into the tool, the connection uses the RDB$ADMIN ROLE and the connected user has been created with the ADMIN ROLE. Lastly, there may be more than one Firebird user of the tool (e.g. Mgr1 and Mgr2).

Ok, so Mgr1 CREATEs a new user, along with:

GRANT MyRoleX TO UserA;
GRANT MyRoleY TO UserA;

Mgr1 then is off shift/vacation/unavailable, and Mgr2 realizes UserA should not have been granted MyRoleY. But when Mgr2 logs in and tries to run the command:

REVOKE MyRoleY FROM UserA;

the error message is given:

unsuccessful metadata update
Mgr2 is not grantor of Role on MyRoleY to UserA.

and if the command is changed to:

REVOKE MyRoleY FROM UserA GRANTED BY Mgr1;

then an error message is given:

unsuccessful metadata update
Only SYSDBA or database owner can use GRANTED BY clause.

While the 2nd message is explicitly clear, why, if both Mgr1 and Mgr2 are connected using ROLE=RDB$ADMIN (and of course these users are granted ADMIN ROLE), can they NOT perform this operation?

From Statements for Revoking Privileges , under the heading 'Revoking Privileges That Were GRANTED BY' it states:

the current user must be logged in either with full administrative privileges

If logged in under under RDB$ADMIN, is that not full admin privileges?

At the top of the link under the heading 'RDB$ADMIN Role', it also states:

Assigning the RDB$ADMIN role to a regular user in a database grants that user the privileges of the SYSDBA.

So why then does Mgr2 have privilege like SYSDBA?

Some questions seeking answers:

  1. Am I doing anything wrong here? Is there a way to connect or allow Mgr2 to REVOKE GRANTs to ROLEs made by Mgr1?

  2. We do NOT want to be sharing the SYSDBA nor database owner credentials to perform these operations, so any other solutions?

David Carr
  • 400
  • 4
  • 7
  • I have removed your third question as it expands the scope too much into 'too broad' territory. Normally a question should only contain a single question, but the remaining two are so closely related, they are essentially a single question. – Mark Rotteveel Aug 15 '19 at 07:10
  • 1
    try `select CURRENT_ROLE from rdb$database` immediately before revoking - does the connection REALLY gets the role you think it gets ? – Arioch 'The Aug 15 '19 at 09:52
  • Thanks @Arioch'The for pointing me to this (and your response below). I created a new post on this specific issue of CURRENT_ROLE: https://stackoverflow.com/questions/57514744/why-does-firebird-2-5-8-returns-none-on-select-current-role – David Carr Aug 15 '19 at 19:16
  • 1
    try to redo my experiment by your tools. Install FB 2.5.9 (you would not get any fixes in 2.5.8 anyway, if it will turn out to be server bug, anyway), then reproduce, using your programming language and your programming database libraries, the three steps sequence of my experiment. By the result we can focus on spotting differences - either ones between your and our environments, or between this correctly working 3-connections actions sequence and some different sequence that your programs do when they fail. You need to compare etalon with your programs and eliminate differences. – Arioch 'The Aug 16 '19 at 08:03

1 Answers1

2

Since Firebird 2.5.9 Release Notes do not mention any user grant related bugfixes, I think you mistook something, probably you just did not invoke the RDB$ADMIN when you logged in with Mgr2. Try querying the active role just before trying to revoke.

Just tried this in Firebird 2.5.9 Win64 using IBExpert suite.

First session:

/*** connected as SYSDBA with no role specified ***/
GRANT RDB$ADMIN TO ADM_1;
GRANT RDB$ADMIN TO ADM_2;
CREATE ROLE USER_ROLE;

Second session:

/*****  ADM_1 with RDB$ADMIN role specified *****/
select current_role, current_user from rdb$database;
-- ROLE         USER
-- RDB$ADMIN    ADM_1

grant user_role to user_1;
grant user_role to user_2 granted by sysdba;

Third session:

/*****  ADM_2 with RDB$ADMIN role specified *****/
select current_role, current_user from rdb$database;
-- ROLE         USER
-- RDB$ADMIN    ADM_2

revoke user_role from user_2 granted by sysdba;
-- OK

revoke user_role from user_1;
-- This operation is not defined for system tables.
-- unsuccessful metadata update.
-- ADM_2 is not grantor of Role on USER_ROLE to USER_1.

revoke user_role from user_1 granted by adm_1;
-- OK

So, at least in 2.5.9 SuperServer with a single connection to the database - it just works.

P.S. since you can have many more admins than just two, and since SEVERAL admins may grant a role to the user, and then EACH of those grants would have to be found and revoked one by one, so I suggest for your scenario you have a dedicated user then, with all grants being given in his name, like I did with SYSDBA in my second session.

Arioch 'The
  • 15,799
  • 35
  • 62