| René Nyffenegger's collection of things on the web | |
|
René Nyffenegger on Oracle - Most wanted - Feedback
|
authid current_user vs pragma authid Definer | ||
drop function f_authid_cu; drop function f_authid_d; drop procedure p_authid_cu; drop procedure p_authid_d; drop package c_authid_cu; drop package c_authid_d; drop type t_audhid_cu; drop type t_audhid_d; create function f_authid_cu return number authid current_user as begin return 0; end f_authid_cu; / create function f_authid_d return number authid definer as begin return 0; end f_authid_d; / create procedure p_authid_cu authid current_user as begin null; end p_authid_cu; / create procedure p_authid_d authid definer as begin null; end p_authid_d; / create package c_authid_cu authid current_user as end c_authid_cu; / create package c_authid_d authid definer as end c_authid_d; / create type t_audhid_cu authid current_user as object ( dummy number ); / create type t_audhid_d authid definer as object ( dummy number ); /
A stored procedure runs either with the rights of the caller (authid current_user) or with the rights
of the procedure's owner (authid definer). This behaviour is specified with the
authid clause. This authid clause immediatly follows the
create procedure, create function, create package or
create type statement. It can be ommited, in which case
the default authid definer is taken.
The authid clause has implications, for example, on how objects are resolved within a procedure. This is demonstrated in the following.
First, two users are created, one named a and one named b. Some needed
privileges are granted to these users as well.
create user a identified by a default tablespace data quota unlimited on data; create user b identified by b default tablespace data quota unlimited on data; grant create session, create procedure, create table to a; grant create session, create procedure, create table to b;
Now, user a creates tow tables named t and u and fills them with
this is a's table. User u
is allowed to read t.
connect a/a; create table t (d varchar2(40)); insert into t values ('this is a''s table'); commit; create table u (d varchar2(40)); insert into u values ('this is a''s table'); grant select on t to b; -- no grant on u
User a also creates a procedure (named pt) with
authid current_user that just reads what was filled into table t:
create procedure pt authid current_user as v_d t.d%type; begin select d into v_d from t; dbms_output.put_line(v_d); end; /
User a then creates a procedure (pu) that reads from table u:
create procedure pu authid definer as v_d t.d%type; begin select d into v_d from u; dbms_output.put_line(v_d); end; /
User b should be allowed to execute both procedures:
grant execute on pt to b; grant execute on pu to b;
Now, it's user b's turn to do something. He, as well, creates two tables t and u and fills them with
this is b's table:
connect b/b; create table t (d varchar2(40)); insert into t values ('this is b''s table'); create table u (d varchar2(40)); insert into u values ('this is b''s table'); commit;
Now, he executes user a's procedure pt:
set serveroutput on begin a.pt; end; /
The output is:
this is b's table
Then, he executes
a.pu:
begin a.pu; end; /
This time, the output is:
this is a's table
This demonstrates that a procedure is run in the context of the caller if has
authid current_user and in the context of the owner
if the procedure has authid definer
Effects on roles
A procedure with
authid definer disables all roles that are granted
to the caller. This can lead to ora-00942 errors.
If the procedure is created with
authid current_user, the roles of the caller are enabled when the procedure is executed.
However, in order to compile the procedures, the privileges still need to be granted directly.
|