sql-server - SQL Server:表的行级安全性未在另一个谓词函数中强制执行
问题描述
考虑以下情况:有两个表,表 A 和表 B。在表 A 上实施 RLS。
然后,在表 B 上通过内部连接将表 B 链接到表 A 来实现 RLS。猜猜看,在表 B 的谓词函数中,表 A 的 RLS 被忽略了。
看来,您需要在表 B 的谓词函数中重新应用表 A 的 RLS。这是设计使然吗?
在谓词函数中将表 B 链接到表 A 时,是否可以设置一些标志或“with”子句以强制执行现有的 RLS?
难道我做错了什么?
用于创建和填充表的 SQL 脚本。
CREATE TABLE [dbo].[Securities]
(
[SecurityId] [int] NOT NULL,
[Security] [varchar](50) NOT NULL,
[IssueCurrency] [varchar](3) NOT NULL,
CONSTRAINT [PK_Securities]
PRIMARY KEY CLUSTERED ([SecurityId] ASC)
WITH (PAD_INDEX = OFF, STATISTICS_NORECOMPUTE = OFF,
IGNORE_DUP_KEY = OFF, ALLOW_ROW_LOCKS = ON,
ALLOW_PAGE_LOCKS = ON) ON [PRIMARY]
) ON [PRIMARY]
GO
CREATE TABLE [dbo].[Prices]
(
[SecurityId] [int] NOT NULL,
[PriceDate] [date] NOT NULL,
[Price] [numeric](18, 4) NULL,
CONSTRAINT [PK_Prices]
PRIMARY KEY CLUSTERED ([SecurityId] ASC, [PriceDate] ASC)
WITH (PAD_INDEX = OFF, STATISTICS_NORECOMPUTE = OFF,
IGNORE_DUP_KEY = OFF, ALLOW_ROW_LOCKS = ON,
ALLOW_PAGE_LOCKS = ON) ON [PRIMARY]
) ON [PRIMARY]
GO
ALTER TABLE [dbo].[Prices] WITH CHECK
ADD CONSTRAINT [FK_Prices_Securities]
FOREIGN KEY([SecurityId]) REFERENCES [dbo].[Securities] ([SecurityId])
GO
ALTER TABLE [dbo].[Prices] CHECK CONSTRAINT [FK_Prices_Securities]
GO
INSERT INTO [dbo].[Securities] ([SecurityId], [Security], [IssueCurrency])
VALUES (1, 'Project Power', 'CAD'), (2, 'Fractured Ltd', 'AUD'),
(5, 'Eddy Security', 'USD'), (6, 'Foxtrot', 'USD')
GO
INSERT INTO Prices ([SecurityId], [PriceDate], [Price])
VALUES (1, '2020-08-05', 13.2500), (1, '2020-08-06', 13.3500), (1, '2020-08-07', 13.0500),
(2, '2020-08-05', 23.9500), (2, '2020-08-06', 24.1500), (2, '2020-08-07', 22.0500),
(5, '2020-08-05', 105.1500), (5, '2020-08-06', 106.3500), (5, '2020-08-07', 105.0500),
(6, '2020-08-05', 36.2500), (6, '2020-08-06', 36.3500), (6, '2020-08-07', 35.0500)
用于创建谓词函数和安全策略的 SQL 脚本。
/*
drop security policy if exists Policy_Securities
go
drop function if exists dbo.rlsSecurities
go
*/
SET ANSI_NULLS ON
GO
SET QUOTED_IDENTIFIER ON
GO
CREATE FUNCTION rlsSecurities (@IssueCurrency varchar(3))
RETURNS TABLE
WITH SCHEMABINDING
AS
RETURN
SELECT 1 AS UserAccess
WHERE
(SESSION_CONTEXT(N'UserGroup') = 'Internal') or
(
@IssueCurrency = 'USD' --non-internal group can only view securities where IssueCurrency='USD'
)
go
CREATE SECURITY POLICY Policy_Securities
ADD FILTER PREDICATE dbo.rlsSecurities(IssueCurrency) ON dbo.Securities
WITH(STATE = ON)
go
EXEC sys.sp_set_session_context @key=N'UserGroup', @value='XYZ'
SELECT SESSION_CONTEXT(N'UserGroup')
SELECT * FROM Securities
SELECT s.Security, p.*
FROM Securities s
INNER JOIN Prices p ON s.SecurityId = p.SecurityId --RLS on table Prices is enforced thru inner join.
SELECT * FROM Prices --Currently no RLS on tblComp.
--Now I want to implement RLS on Prices as well.
drop security policy if exists Policy_Prices
go
drop function if exists dbo.rlsPrices
go
SET ANSI_NULLS ON
GO
SET QUOTED_IDENTIFIER ON
GO
create FUNCTION rlsPrices (
@SecurityId int)
RETURNS TABLE
WITH SCHEMABINDING
AS
RETURN
SELECT 1 as UserAccess
where @SecurityId in (select SecurityId from dbo.Securities) --This doesn't work even though RLS on table Securities already exists.
--where --This works but it requires reapplying RLS on table Securities.
-- (SESSION_CONTEXT(N'UserGroup') = 'Internal') or
-- (
-- @SecurityId In (select SecurityId from dbo.Securities where IssueCurrency = 'USD') --non-internal group can only view securities where IssueCurrency='USD'
-- )
go
CREATE SECURITY POLICY Policy_Prices
ADD FILTER PREDICATE dbo.rlsPrices(SecurityId) ON dbo.Prices
WITH(STATE = ON)
go
exec sys.sp_set_session_context @key=N'UserGroup', @value='XYZ'
select SESSION_CONTEXT(N'UserGroup')
select * from Prices --RLS not enforced
解决方案
你没有做错任何事。
当 tvf 在策略的范围/执行中执行时,似乎 RLS 没有考虑谓词表值函数中引用的表上的任何现有策略。在正常查询中执行时,tvf 工作正常(强制执行 tvf 中引用表 {ie. Securities} 的策略):
--standalone...check the execution plan, predicate of Securities.PK_Securities index scan is the function/policy on currency='USD'
select p.*
from Prices as p
cross apply dbo.rlsPrices(p.SecurityId)
如果您检查执行计划:
--filter policy on Prices
select * from Prices
您只会看到对价格的聚集索引扫描,因为从价格到证券 (SecurityId) 存在一个 FK,因此根本不检查证券表。即使您删除 FK,价格和证券之间的连接也会错过任何关于证券的 RLS 谓词。
简而言之,过滤器策略不是嵌套/继承/级联的,无论是否设计......尚不清楚。
推荐阅读
- multithreading - 引用 Mutex 内部的数据
- angular - 导航到子组件时未调用 ngOnInit(但按预期调用构造函数和 ngOnDestroy)
- javascript - 加载页面显示弹窗时如何使用
- sql-server - User.IsInRole("User") Not working 我的在线服务器,但在使用在线 sql server 数据库两种模式时,它在我的本地系统上工作
- php - 如何在php中获取数据数组的总和
- jquery - 评价哟!- 点击添加禁用
- scala - 使用变量中的类型调用类型类
- matlab - 每次在 MATLAB 中运行代码时,如何更新下一列中我的 Excel 工作表中的计算数据?
- android - 如何使用按钮逐步迭代二维数组?
- javascript - Dygraph Unix 时间戳