Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

SqlDatabasePermission: Cannot grant or remove connect permission to the guest user #1134

Closed
imarambiocatan opened this issue Jun 5, 2018 · 4 comments · Fixed by #1556
Closed

SqlDatabasePermission: Cannot grant or remove connect permission to the guest user #1134

imarambiocatan opened this issue Jun 5, 2018 · 4 comments · Fixed by #1556
Labels
breaking change When used on an issue, the issue has been determined to be a breaking change. bug The issue is a bug.

Comments

@imarambiocatan
Copy link

imarambiocatan commented Jun 5, 2018
edited by johlju

I'm probably doing something that i should not. I am dynamically generating a number of mof files based on my current environment to test a few controls with DSCEA but in any case the mof file that gets generated for my server has a section that looks like the following

instance of MSFT_SqlDatabasePermission as $MSFT_SqlDatabasePermission1ref
{
ResourceID = "[SqlDatabasePermission]RevokeGrant_guest_model";
 Permissions = {
    "Connect"
};
 ServerName = "<edited>";
 InstanceName = "MSSQLSERVER";
 Ensure = "Absent";
 SourceInfo = "<edited>";
 Name = "guest";
 ModuleName = "SqlServerDsc";
 PermissionState = "Grant";
 ModuleVersion = "11.2.0.0";
 Database = "model";

 ConfigurationName = "SQL_config";
};

using dscea against my server results in something like

WARNING: PowerShell DSC resource MSFT_SqlDatabasePermission failed to execute Test-TargetResource functionality with error message: Login 'guest' does not exist on SQ
L server 'abbsus201\MSSQLSERVER'.

But it clearly does
PS > ($(Get-SqlInstance -ServerInstance localhost).Databases | where-object { $.name -notin @("master",
"msdb", "tempdb") -and "guest" -in $.users.name }).name
model
ReportServer
ReportServerTempDB
SUSDB
@johlju
Copy link
Member

johlju commented Jun 6, 2018
edited

We should be able to grant or revoke connect permission as per Best Practices Recommendations. But because this resource wrongly handles logins (which I think only SqlServerLogin should do), that was raised in issue #848 too. This resource can't handle the guest user because their will never be an accompanying login for that user.

@johlju johlju changed the title SqlDatabasePermission does deal with the guest user SqlDatabasePermission: Cannot grant or remove connect permission to the guest user Jun 6, 2018
@johlju
Copy link
Member

johlju commented Jun 6, 2018

I will label this as a bug and help wanted so that someone in the community can run with this.

@johlju johlju closed this as completed Jun 6, 2018
@johlju johlju added bug The issue is a bug. help wanted The issue is up for grabs for anyone in the community. breaking change When used on an issue, the issue has been determined to be a breaking change. labels Jun 6, 2018
@johlju
Copy link
Member

johlju commented Jun 6, 2018

Oops, wrongly closed the issue. Sorry about that. Reopened.

@johlju johlju reopened this Jun 6, 2018
@SteveL-MSFT SteveL-MSFT added this to Help Wanted in powershell/dscresources May 14, 2019
@SteveL-MSFT SteveL-MSFT removed this from Help Wanted in powershell/dscresources Nov 27, 2019
johlju added a commit to johlju/SqlServerDsc that referenced this issue May 24, 2020
@johlju
Add regression test for issue dsccommunity#1134
4c6408e
@johlju johlju mentioned this issue May 24, 2020
Merged
9 tasks
@johlju johlju added in progress The issue is being actively worked on by someone. and removed help wanted The issue is up for grabs for anyone in the community. labels May 24, 2020
johlju added a commit that referenced this issue May 25, 2020
@johlju
BREAKING CHANGE: SqlDatabasePermission: Remove create user (#1556)
e711c4a 
- SqlDatabasePermission
  - BREAKING CHANGE: The resource no longer create the database user if
    it does not exist. Use the resource _SqlDatabaseUser_ to enforce that
    the database user exist in the database prior to setting permissions
    using this resource (issue #848).
  - BREAKING CHANGE: The resource no longer checks if a login exist so that
    it is possible to set permissions for database users that does not
    have a login, e.g. the database user 'guest' (issue #1134).
  - Updated examples.
  - Added integration tests (issue #741).
  - Get-TargetResource will no longer throw an exception if the database
    does not exist.
@johlju
Copy link
Member

johlju commented May 25, 2020

This will be fixed in the next release.

@johlju johlju removed the in progress The issue is being actively worked on by someone. label May 25, 2020
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
breaking change When used on an issue, the issue has been determined to be a breaking change. bug The issue is a bug.
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

BREAKING CHANGE: SqlDatabasePermission: Remove create user johlju/SqlServerDsc
2 participants
@johlju @imarambiocatan