This repository has been archived by the owner on Jan 21, 2022. It is now read-only.

Make default role configurable to db_owner or db_ddladmin #3

Open

stefanschneider
Contributor

This will create a user for a cf binding with a db_ddladmin role and almost full grants for the dbo schema. Previously the binding created a sql user with a db_owner role. This is dangerous because it can create backups (i.e. leak disk resources), drop the database (broker needs extra error and orphan handling), drop other users (i.e. delete cf bindings), etc.

My concern is that this will prevent some apps from working correctly with the db_ddladmin role and dbo schema access. After some testing, these access levels were enough for the contoso university sample app and nopCommerce for schema migration/installation and normal operation.

@viovanov / @mihaibuzgau do you have any suggestions? Are there other tests or apps that I could run? Or is it safe for now to stick with the db_owner role to provide maximum compatibility for apps?
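
The privilege difference described in the comment above, as an added T-SQL example that is not the broker's code or part of this pull request. The user name is a placeholder and the exact dbo grant list is an assumption, since the thread only says "almost full grants".

```sql
-- Added illustration. Run in a scratch database as a member of db_owner.
-- [binding_user_example] is a constructed placeholder name.
-- WITHOUT LOGIN keeps the demo self-contained; a real binding would map to a login.
CREATE USER [binding_user_example] WITHOUT LOGIN;

-- Previous behaviour described in the PR: the binding user owns the database.
--   ALTER ROLE db_owner ADD MEMBER [binding_user_example];

-- Limited behaviour described in the PR: DDL rights plus data access on dbo.
-- ALTER ROLE ... ADD MEMBER needs SQL Server 2012 or later
-- (older versions use sp_addrolemember).
ALTER ROLE db_ddladmin ADD MEMBER [binding_user_example];

-- Assumed grant list; the PR does not enumerate its dbo grants.
GRANT SELECT, INSERT, UPDATE, DELETE, EXECUTE, REFERENCES
    ON SCHEMA::dbo TO [binding_user_example];

-- Check the effective rights from the binding user's point of view.
EXECUTE AS USER = 'binding_user_example';

SELECT
    -- Role membership of the impersonated user.
    IS_ROLEMEMBER('db_owner')    AS is_db_owner,
    IS_ROLEMEMBER('db_ddladmin') AS is_db_ddladmin,
    -- Capabilities the PR description calls dangerous.
    HAS_PERMS_BY_NAME(DB_NAME(), 'DATABASE', 'CONTROL')         AS can_control_db,
    HAS_PERMS_BY_NAME(DB_NAME(), 'DATABASE', 'BACKUP DATABASE') AS can_backup_db,
    HAS_PERMS_BY_NAME(DB_NAME(), 'DATABASE', 'ALTER ANY USER')  AS can_alter_users,
    -- Capabilities apps need for schema migration and normal operation.
    HAS_PERMS_BY_NAME(DB_NAME(), 'DATABASE', 'CREATE TABLE')    AS can_create_table,
    HAS_PERMS_BY_NAME('dbo', 'SCHEMA', 'SELECT')                AS can_select_dbo,
    HAS_PERMS_BY_NAME('dbo', 'SCHEMA', 'INSERT')                AS can_insert_dbo;

REVERT;

-- Clean up the demo user.
DROP USER [binding_user_example];
```

Running the same SELECT with the db_owner line enabled instead shows which columns change between the two role choices.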

@stefanschneider stefanschneider changed the title Add binding users to db_ddladmin Replace db_owner with db_ddladmin Mar 18, 2015
@viovanov

Agree with @gertd that it should be configurable
Can you test with trying to add the ASP.NET membership metadata?

@stefanschneider
Contributor Author

I've tested with this ASP.NET membership metadata ( http://www.asp.net/visual-studio/overview/2013/creating-web-projects-in-visual-studio#indauth ) and it works well.
Test deployed here: http://ssample.15.126.225.231.xip.io/

@stefanschneider stefanschneider force-pushed the limited_role branch 2 times, most recently from 172a7a0 to 2060461 Compare March 24, 2015 15:35
@stefanschneider stefanschneider changed the title Replace db_owner with db_ddladmin Make default role configurable to db_owner or db_ddladmin Apr 3, 2015
@stefanschneider
Contributor Author

There is an extra config parameter 'grantDbOwnerForBindings' that will tell the broker what type of role to assign.
The readme has some extra updates.

@hcf-bot

hcf-bot commented May 26, 2015

Refer to this link for build results (access rights to CI server needed):
https://jenkins.paas.hpcloud.net/job/als-cf-mssql-broker-babysitter/28/
Test PASSed.
