I've instantiated a SQL Server database using Amazon's RDS tool.
What I want to to generally, is to bulk insert some csv files.
When I connect with the masteruser, I have almost no permissions (e.g no permissions to grant permissions in the database server)
SQL Error [15247] [S0001]: User does not have permission to perform
this action. com.microsoft.sqlserver.jdbc.SQLServerException: User
does not have permission to perform this action.
When I run select current-user I get GUEST.
How can I change to admin?
Related
We are trying to run Bulk insert in SSMS by logging local SQL Server accounts, But we are getting below error while running the query.
Error:
Msg 4861, Level 16, State 1
Line 1 Cannot bulk load because the file "\\AppserverIpAddress\SharedPath\Insert.TXT"could not be opened. Operating system error code 1326 (the user name or password is incorrect.).
Query:
BULK INSERT TABLENAME
FROM '\\AppserverIpAddress\SharedPath\Insert.TXT'
WITH
(
FIELDTERMINATOR = '|',
ROWTERMINATOR = '\n'
);
Observations:
The query is running successfully if I am logged in SSMS with Windows authentication (local Windows server administrator account and it has sysadmin privilege)
Query is throwing error when logged in with SQL Server user account such as SA (default sysadmin account) or other SQL Server account.
SQL Server Service is running under local Windows server administrator account (.\administrator)
Shared folder resides on the application server and has full control for account "Everyone".
Can anyone suggest a possible reason for this behavior?
That's the documnted behavior:
Security Account Delegation (Impersonation)
If a user uses a SQL
Server login, the security profile of the SQL Server process account
is used. A login using SQL Server authentication cannot be
authenticated outside of the Database Engine. Therefore, when a BULK
INSERT command is initiated by a login using SQL Server
authentication, the connection to the data is made using the security
context of the SQL Server process account (the account used by the SQL
Server Database Engine service). To successfully read the source data
you must grant the account used by the SQL Server Database Engine,
access to the source data. In contrast, if a SQL Server user logs on
by using Windows Authentication, the user can read only those files
that can be accessed by the user account, regardless of the security
profile of the SQL Server process.
BULK INSERT
SQL Server Service is running under local windows server administrator account
That's a bad idea, and you should change that anyway. Switch to a domain account that has access to the share, or switch back to the default virtual account and grant share access to the machine account eg MyDomain\MyServer$.
In the past, when using SQL Server login, this could be accomplished by below steps:
Run GRANT VIEW SERVER STATE TO /*server_login */ in the master database
Then run select * from sys.dm_exec_sessions as "server_login".
It would get all the connections, including all connections to my target database.
Now migrating to a "contained user" for a "contained database", I tried this:
Run GRANT VIEW DATABASE STATE TO /*contained_user */ in my target database
Then run select * from sys.dm_exec_sessions as "contained user"
It would only see myself, not other active connections to this target database.
The database in SQL Server 2019. What options do I have to allow a contained user to view all active connections to this database?
For SQL server, the permission VIEW SERVER STATE is still needed.
Azure Database is different. I set up Azure Database today to verify that VIEW DATABASE STATE is sufficient.
I need to create a login on a server that will have access to all databases on this server.
I have two azure servers: production and stage. I make a copy of a database from prod server on stage server. Then I need to do insert some test data in this new copied database.
The copying process is made on runbooks in azure automation account so every time I want to execute SQL script on a database I need to provide a login&password to a server.
If I create a login TestLogin on stage server and then copy database from prod server to stage, then this login does not have access to a new db. Thus, I need to login as administrator and create a TestUser in this new database for TestLogin.
This does not work for Azure:
GRANT CONTROL SERVER TO TestLogin;
Is there any way I can grant a TestLogin all rights so that it can have access to all the databases on server?
When you create a login in one instance of SQL Server and assign any roles to this user on a specific database, and then copy the database to another SQL Server instance, you have this user in the database, but no login for that user in the second SQL Server. This is also called an "orphaned user". Here is an article that describes how to fix that.
This does not work on Azure. You have to use ALTER USER instead.
As you said in comment, you must login with admin, then you have the permission to alter the new user in master DB, set the user as DB manager or db_owner.
If you only create new login or user and don't give it more permission, this login/user only and login the Database but can't access no database.
Fore details, please see Controlling and granting database access to SQL Database and SQL Data Warehouse.
Hope this helps.
I am trying to grant a user access to export data from SQL Server into an Excel file using OPENROWSET.
The user is getting the following error:
Cannot initialize the data source object of OLE DB provider
"Microsoft.ACE.OLEDB.12.0" for linked server "(null)".
We can reproduce the issue running the following block of code, which I can run successfully and the user cannot:
INSERT INTO OPENROWSET('Microsoft.ACE.OLEDB.12.0', 'Excel 12.0 Xml; HDR=YES;IMEX=0; Database=\\servername\exportdirectory\exportfile.xlsx', 'Select ExcelColumn from [TabName$]')
SELECT TOP 1 SQLColumn FROM SQLTable
The only difference I can see between the users is that those who can successfully run this command and get the data into Excel are admins on the Windows server hosting both the SQL instance and the target directory.
The user who is unable to run the code has full control permissions on the target file directory where the excel file resides and has sysadmin permissions on the SQL instance.
Is there any way to allow this user to write to this file without granting full server admin rights on the Windows server itself?
According to MS Documentation the user who is executing the command needs Administrator Bulk Operations.
This is a server level permission - bulkadmin. So you have to put any user that is going to do this in this role (at the server level) not necessarily make them a DBA.
https://learn.microsoft.com/en-us/sql/t-sql/functions/openrowset-transact-sql?view=sql-server-2017:
OPENROWSET permissions are determined by the permissions of the user name that is being passed to the OLE DB provider. To use the BULK option requires ADMINISTER BULK OPERATIONS permission.
If you cannot do that (put the user in the BulkAdmin role) you may want to use SSIS to create the spreadsheet.
You are experiencing the "double hop problem". You need to enable impersonation so that the server hosting the share will accept impersonated credentials from the SQL Server. Here is an excerpt from the security considerations section of this page: Import Bulk Data by Using BULK INSERT or OPENROWSET(BULK...) (SQL Server)
SQL Server and Microsoft Windows can be configured to enable an
instance of SQL Server to connect to another instance of SQL Server by
forwarding the credentials of an authenticated Windows user. This
arrangement is known as impersonation or delegation. Understanding how
SQL Server version handle security for user impersonation is important
when you use BULK INSERT or OPENROWSET. User impersonation allows the
data file to reside on a different computer than either the SQL Server
process or the user. For example, if a user on Computer_A has access
to a data file on Computer_B, and the delegation of credentials has
been set appropriately, the user can connect to an instance of SQL
Server that is running on Computer_C, access the data file on
Computer_B, and bulk import data from that file into a table on
Computer_C.
This page might help you get started: Kerberos Constrained Delegation Overview
I'm using the Telegraf input plugin for SQL Server (https://github.com/influxdata/telegraf/tree/master/plugins/inputs/sqlserver) to gather metrics and report to InfluxDB. It works well for SQL Server, but though it supports Azure SQL Database the documentation is a bit sparse.
The database user should be created like this:
CREATE LOGIN [telegraf] WITH PASSWORD = N'password';
GRANT VIEW SERVER STATE TO [telegraf];
GRANT VIEW ANY DEFINITION TO [telegraf];
That works on SQL Server, but in Azure it fails:
Securable class 'server' not supported in this version of SQL Server.
I wonder what I need to grant instead in order to solve this in the best possible way. We have a large number of databases running on the same server in an elastic pool, so if it is possible I would like to use a single user that logs in to the master and collects metrics for all the databases at once (the way it works with SQL Server). If that is impossible I can configure multiple logins and process one database at a time.
Perhaps I can grant VIEW DEFINITION at the database level, but VIEW SERVER STATE does not seem to be supported at all.
So, how should I configure the SQL Database login(s) for Telegraf with the SQL Server plugin to make it work?
EDIT:
Running as the super user for the server works without errors, but only produces metrics for master and tempdb. I need metrics for the many application databases and they are missing. Plus running as the super user is less than ideal.
Running as the super user for the server but connecting to a specific application database (add database in connection string) crashes with a nil pointer dereference and the log complains about VIEW DATABASE STATE permission denied in database master (the super user has access, but apparently not when connecting to a spefic database).
Granting VIEW DATABASE and VIEW DEFINITION to telegraf in an application database and connecting directly to that database as telegraf crashes with a nil pointer dereference and the log says the connection was closed.
EDIT 2:
Created bug report https://github.com/influxdata/telegraf/issues/4222.
EDIT 3:
As of the latest release the plugin works if the server admin account is used, so the issue has been solved. There is still no way to run with a less privileged account in Azure DB.
The answer:
GRANT VIEW SERVER STATE is not supported in Azure SQL Database.
On SQL Database Premium Tiers requires the VIEW DATABASE STATE
permission in the database. Permissions can not be granted in Master,
but the views can be queried in user databases. On SQL Database
Standard and Basic Tiers requires the SQL Database server admin
account due to security requirements following from multi tenancy of
those tiers.
Reason:
SQL Azure SQL is PaaS solution, therefore the most "server" specific features, DMVs, settings are blocked by purpose
References:
Grant View Server State - is it possible for a none SA user to have in Azure SQL?
SQL Azure VIEW DATABASE STATE permission denied in database 'master'
Possible workaround: (which is, anyway does not work in ewramner case)
CREATE LOGIN [telegraf] WITH PASSWORD = N'password';
USE [yourDB]
GRANT VIEW DEFINITION TO [telegraf];
GRANT VIEW DATABASE STATE TO [telegraf];
Therefore, (IMHO), there is no way to make such application working in SQL Azure without changing application code