Re: ACL with roles.

From: BicycleRepairman <engel.kevin_at_gmail.com>
Date: Fri, 24 Oct 2008 07:19:39 -0700 (PDT)
Message-ID: <d6cb16be-5548-4ed8-bfb8-18afb6e2744d@j68g2000hsf.googlegroups.com>


On Oct 24, 5:53 am, "Preston" <dontwant..._at_nowhere.invalid> wrote:
> Vladimir M. Zakharychev wrote:
> > On Oct 23, 7:10 pm, "Preston" <dontwant..._at_nowhere.invalid> wrote:
> > > gazzag wrote:
> > > > On 23 Oct, 15:31, "Preston" <dontwant..._at_nowhere.invalid> wrote:
> > > > > 11.1.0.6.0 on Vista 64 Ultimate.
>
> > > > > I've created a new ACL, assigned a host & added a privilege for
> > > > > a role, and can now do a utl_http.request when logged in as a
> > > > > user with that role. However if I put the utl_http.request in a
> > > > > procedure & try to run that, it fails with ORA-24247: network
> > > > > access denied by access control list (ACL).
>
> > > > > If I add a privilege for the user to the ACL, it works. Anyone
> > > > > know where I'm going wrong?
>
> > > > > --
> > > > > Preston
>
> > > > Privileges to run stored procedures have to be explicitly granted
> > > > to the individual users, not roles.
>
> > > The user owns the procedure so that's not the issue. Or are you
> > > saying that specifically the ACL privilege has to be granted to
> > > individual users to run stored procedures?
>
> > > --
> > > Preston
>
> > AUTHID DEFINER (default) stored procedures are executed in an environment
> > equivalent to the one you get after SET ROLE NONE. In other words,
> > roles are disabled for PL/SQL and any privileges granted via roles do
> > not apply unless you created the procedure with AUTHID CURRENT_USER,
> > in which case role privileges do apply (but executing such procedures
> > is a bit more expensive because Oracle has to evaluate the privileges
> > on every call.)
>
> So the ability to add a role with dbms_network_acl_admin.add_privilege
> is completely pointless, & likely to cause much confusion as it will
> never work?
>
> Paging Oracle - sort the docs[1] out will you...
>
> [1] http://download.oracle.com/docs/cd/B28359_01/appdev.111/b28419/d_networkacl_adm.htm#BABHJEHG
>
> --
> Preston

I *think* that what is happening is that, within the context of your stored procedure, you do not have the role assigned that you think you have.

That is, you can think of what's going on this way:

1. User connects to db.
2. User has access to mydefined_acl role (the ACL role you've defined to grant access).
3. User calls my_get_http_request() stored procedure.
4. Oracle, behind the scenes, sets your role to NONE within the context of the procedure.
5. The SP calls utl_http.request(URL).
6. Your ACL is checked --> within the context of the call, you do not have the mydefined_acl role.
7. ORA-24247 is returned.

So, there are several ways to test/fix this, based on your overall security requirements. The easiest way is to define your my_get_http_request() procedure with invoker's rights (that is, create procedure my_get_http_request AUTHID CURRENT_USER as ...).

Received on Fri Oct 24 2008 - 09:19:39 CDT
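The sequence described in the thread, as an added example that is not part of any poster's message: an ACL that grants 'connect' to a role, a definer's-rights procedure that fails with ORA-24247 because roles are disabled inside it, and the two fixes (AUTHID CURRENT_USER, or granting the ACL privilege to the user directly). The ACL name net_demo.xml, the role HTTP_CLIENT, the schema app_user and the host www.example.com are assumptions for illustration; the package calls are the 11.1 DBMS_NETWORK_ACL_ADMIN API from the linked docs, and the setup block must be run by a DBA.

```sql
-- Added example (not from the thread). Assumed names: ACL net_demo.xml,
-- role HTTP_CLIENT, schema APP_USER, host www.example.com.

-- 1. As DBA: ACL granting 'connect' to the ROLE, assigned to one host/port.
BEGIN
  dbms_network_acl_admin.create_acl(
    acl         => 'net_demo.xml',
    description => 'demo: connect granted via role',
    principal   => 'HTTP_CLIENT',        -- role name, case-sensitive (upper)
    is_grant    => TRUE,
    privilege   => 'connect');
  dbms_network_acl_admin.assign_acl(
    acl        => 'net_demo.xml',
    host       => 'www.example.com',
    lower_port => 80,
    upper_port => 80);
  COMMIT;
END;
/
GRANT HTTP_CLIENT TO app_user;

-- 2. As APP_USER: works in an anonymous block, because the session's
--    roles (including HTTP_CLIENT) are enabled here.
SELECT utl_http.request('http://www.example.com/') FROM dual;

-- 3. Same call wrapped in a definer's-rights procedure (the default).
--    Roles are disabled while it runs, so the role's ACL privilege is
--    not visible and the call raises ORA-24247.
CREATE OR REPLACE PROCEDURE fetch_definer AS
  l_body VARCHAR2(2000);
BEGIN
  l_body := utl_http.request('http://www.example.com/');
  dbms_output.put_line(substr(l_body, 1, 80));
END;
/
EXEC fetch_definer;        -- ORA-24247: network access denied by ACL

-- 4. Fix A: invoker's rights keeps the caller's roles enabled.
CREATE OR REPLACE PROCEDURE fetch_invoker AUTHID CURRENT_USER AS
  l_body VARCHAR2(2000);
BEGIN
  l_body := utl_http.request('http://www.example.com/');
  dbms_output.put_line(substr(l_body, 1, 80));
END;
/
EXEC fetch_invoker;        -- succeeds for a session holding HTTP_CLIENT

-- 5. Fix B (as DBA): keep AUTHID DEFINER and grant the ACL privilege to
--    the user itself, so it no longer depends on an enabled role.
BEGIN
  dbms_network_acl_admin.add_privilege(
    acl       => 'net_demo.xml',
    principal => 'APP_USER',
    is_grant  => TRUE,
    privilege => 'connect');
  COMMIT;
END;
/
EXEC app_user.fetch_definer;   -- now succeeds

-- 6. Check what the ACL really holds before blaming the docs.
SELECT a.host, a.lower_port, a.upper_port,
       p.principal, p.privilege, p.is_grant
  FROM dba_network_acls a
  JOIN dba_network_acl_privileges p ON p.acl = a.acl
 WHERE a.acl = '/sys/acls/net_demo.xml';
```

Fix B is the tighter choice from a least-privilege point of view when the procedure is meant to be called by other users: with AUTHID CURRENT_USER the network privilege follows whoever calls the procedure (and whatever roles that session has enabled), whereas a definer's-rights procedure plus a direct grant to the owning schema keeps the outbound access bound to that one principal, and the view query in step 6 shows exactly who that is.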