How to Take Advantage of Contained Databases in SQL Server 2012

Steve Jones
SQLServerCentral
Red Gate Software
Agenda
• What is a contained database?
• Contained Databases in SQL Server 2012
• Looking Forward
Databases in SQL Server
[Diagram: one Instance holding several databases (DB1 ...), each made up of tables, views, procedures and users]
Other RDBMS Platforms
[Diagram: each database (tables, views, procedures, users) sits in its own Instance]
Databases in SQL Server
[Diagram: the Instance holds Packages/Plans, Logins, Linked Servers and Jobs alongside the databases; a User inside each database (DB1: tables, views, procedures, users) is tied to an instance-level Login]
Contained Databases
• Databases in SQL Server
[Diagram: Packages, Logins, Jobs and Linked Servers stay at the instance level; DB1 (tables, views, procedures) is shown as the unit to be contained]
Moving Databases
• When do we move databases?
– Testing
– DR
– Hardware upgrades
– Scalability
– Azure
Virtualization
• Moving VMs
Azure
Contained Database
• A contained database is a concept in which a database includes all the settings and metadata required to define the database and has no configuration dependencies on the instance of the SQL Server Database Engine where the database is installed.
From Partially Contained Databases
Terms
• Application Boundary (Database Boundary)
• Contained
• Uncontained
• Application Model (Database Model)
• Management Model
SQL Server 2012
• Partially contained databases
– Users authenticate inside the database
– Collation resolution
– Can include non-contained objects
– No replication
– No Change Tracking
– No CDC
– No file activity (Filestream/FileTable)
– Various other restrictions (see BOL)
SQL Server 2012
• Create CDB Demo
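The two steps behind the "Create CDB" demo, written out as an added T-SQL example (not code from the slides or from the presenter). The database name ContainedDemo and the existing database ExistingDb are assumptions; the configuration option and the CONTAINMENT syntax are the real SQL Server 2012 ones.

```sql
-- Added example, not from the slides. ContainedDemo / ExistingDb are assumed names.

-- 1. Instance-level switch. Until this is on, no contained user can authenticate,
--    so it is also the one knob a server admin can use to refuse containment entirely.
EXEC sp_configure 'show advanced options', 1;
RECONFIGURE;
EXEC sp_configure 'contained database authentication', 1;
RECONFIGURE;

-- 2. Create a partially contained database.
CREATE DATABASE ContainedDemo
    CONTAINMENT = PARTIAL;
GO

-- Or convert an existing database in place. Any users that are still mapped
-- to instance logins remain uncontained until they are migrated.
ALTER DATABASE ExistingDb SET CONTAINMENT = PARTIAL;
GO

-- 3. Confirm what the instance now reports for each database.
SELECT name, containment, containment_desc   -- 0 = NONE, 1 = PARTIAL
FROM sys.databases
WHERE name IN ('ContainedDemo', 'ExistingDb');
```

Run the first two statements as a sysadmin; the containment_desc column is the quickest way to see which databases on an instance have been switched to PARTIAL.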
Security
• User with password
– Authentication Type = 2
– Password complexity rules apply on create/alter
• Windows Principal
– No login in master
Security
Contained Databases
• Security Demo
– Users
– certificates
Migration
• set partial containment
• migrate users
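The user creation from the Security demo and the migration step above, as one added T-SQL example (not the presenter's demo script). ContainedDemo, DemoApp, CORP\jsmith, LegacyUser and the placeholder password are assumptions; CREATE USER ... WITH PASSWORD and sp_migrate_user_to_contained are the real SQL Server 2012 forms.

```sql
-- Added example, not from the slides. Names and password are assumptions.
USE ContainedDemo;
GO

-- User with password (authentication_type = 2): the database, not master,
-- holds the password hash and checks it. The host's Windows password policy
-- is enforced on CREATE/ALTER, so the placeholder must satisfy complexity rules.
CREATE USER DemoApp WITH PASSWORD = N'Replace-Me-1234';   -- placeholder, change it

-- Windows principal: created directly in the database, no login in master.
CREATE USER [CORP\jsmith];

-- Migrate a user that is still mapped to an instance login. keep_name keeps the
-- user name as-is; disable_login disables the now-redundant login in master so
-- the same name cannot authenticate both ways (the "duplicate logins" issue).
EXEC sp_migrate_user_to_contained
     @username     = N'LegacyUser',
     @rename       = N'keep_name',
     @disablelogin = N'disable_login';

-- Verify: 2 = DATABASE (contained SQL user), 3 = WINDOWS, 1 = INSTANCE (still
-- tied to a login, i.e. not contained).
SELECT name, type_desc, authentication_type, authentication_type_desc
FROM sys.database_principals
WHERE type IN ('S', 'U')           -- SQL and Windows users
  AND name NOT IN ('dbo', 'guest', 'INFORMATION_SCHEMA', 'sys');
```

Any row still showing INSTANCE after migration is a user the database cannot authenticate on its own, which is exactly what will break when the database is attached elsewhere.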
Collation
• Collation conflicts between a user database
and tempdb are handled
• Collation set when the batch begins
• Collation Demo
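An added T-SQL example (not the presenter's demo) of the tempdb conflict the slide refers to. It assumes an instance whose default collation differs from Latin1_General_100_CS_AS (SQL_Latin1_General_CP1_CI_AS on most installs) and uses the assumed database name CollationDemo.

```sql
-- Added example, not from the slides. CollationDemo is an assumed name.
-- Assumes the instance (and so tempdb) default collation is NOT Latin1_General_100_CS_AS.
CREATE DATABASE CollationDemo
    CONTAINMENT = PARTIAL
    COLLATE Latin1_General_100_CS_AS;
GO
USE CollationDemo;
GO

CREATE TABLE dbo.Customers (Name varchar(50));   -- takes the database collation
INSERT INTO dbo.Customers VALUES ('Smith'), ('smith');

-- In a non-contained database this temp table's column would take tempdb's
-- collation and the join below would fail with "Cannot resolve the collation
-- conflict". In a contained database temporary tables use the collation of the
-- database that was current when the batch started, so the join just works.
CREATE TABLE #Lookup (Name varchar(50));
INSERT INTO #Lookup VALUES ('Smith');

SELECT c.Name
FROM dbo.Customers AS c
JOIN #Lookup AS l ON l.Name = c.Name;     -- 1 row: the match is case-sensitive

-- Because the collation is fixed at batch start, a USE in the middle of a batch
-- does not change it for temp objects created afterwards; keep USE on its own
-- batch (before GO) when scripting against contained databases.

-- Metadata in a contained database uses the catalog collation, which is case-
-- insensitive regardless of the database collation, so catalog comparisons
-- should be made with CATALOG_DEFAULT rather than the database's own collation.
SELECT name
FROM sys.tables
WHERE name = 'customers' COLLATE CATALOG_DEFAULT;   -- finds dbo.Customers
```

The same join run in a non-contained database created with the same COLLATE clause reproduces the error, which is the clearest way to show the difference in a demo.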
Partial Containment Issues
• sys.dm_db_uncontained_entities – DMV to
find objects that are not contained.
• Cdb_uncontained_usage Event – Xevent fired
when an uncontained entity is used. (run-time)
• Collation – determined at batch start time. Can
cause issues if you have USE statements.
• Duplicate logins
• RAISERROR/THROW
Containment Security Issues
• ALTER ANY USER (db_owner or
db_securityadmin) users can create users
without the server admin’s knowledge
• Guest accounts break containment. Contained
users can exploit this.
• Sysadmin – never use initial catalog, always
use server level authentication.
Containment Security Issues
• Dbcreator role – Can change containment
status (possible users created without
knowledge)
• Attaching databases does not check user
passwords.
• Passwords stored in the CDB (dictionary
attack issues)
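The checks behind the two Issues slides, collected into one added T-SQL audit (not from the slides or from the presenter). ContainedDemo is an assumed database name; every catalog view and DMV used is a real SQL Server 2012 object.

```sql
-- Added example, not from the slides. ContainedDemo is an assumed name.

-- Is contained authentication switched on at all?
SELECT name, value_in_use
FROM sys.configurations
WHERE name = 'contained database authentication';

-- Which databases are contained? (dbcreator members can flip this without
-- the server admin noticing, so review this list, not just the one you created.)
SELECT name, containment_desc
FROM sys.databases
WHERE containment <> 0;

USE ContainedDemo;
GO

-- Objects that still depend on the instance (sys.dm_db_uncontained_entities).
-- class 1 = object/module, 4 = database principal; line numbers point into modules.
SELECT class_desc,
       CASE class WHEN 1 THEN OBJECT_NAME(major_id)
                  WHEN 4 THEN USER_NAME(major_id)
                  ELSE CAST(major_id AS varchar(20)) END AS entity,
       feature_name, statement_type, statement_line_number
FROM sys.dm_db_uncontained_entities;

-- Contained SQL users: their password hashes travel inside the database file
-- (the dictionary-attack concern), and attach never re-validates them.
SELECT name, authentication_type_desc
FROM sys.database_principals
WHERE authentication_type = 2;

-- Duplicate logins: a contained user with the same name as an instance login.
-- With initial catalog set to this database the contained user is tried first.
SELECT dp.name
FROM sys.database_principals AS dp
JOIN sys.server_principals  AS sp ON sp.name = dp.name
WHERE dp.authentication_type = 2;

-- Who holds ALTER ANY USER through role membership and can add users silently?
SELECT r.name AS role_name, m.name AS member_name
FROM sys.database_role_members AS rm
JOIN sys.database_principals AS r ON r.principal_id = rm.role_principal_id
JOIN sys.database_principals AS m ON m.principal_id = rm.member_principal_id
WHERE r.name IN ('db_owner', 'db_securityadmin');

-- Is guest enabled? A GRANT row here means guest breaks containment.
SELECT p.state_desc, p.permission_name
FROM sys.database_permissions AS p
JOIN sys.database_principals AS dp ON dp.principal_id = p.grantee_principal_id
WHERE dp.name = 'guest' AND p.permission_name = 'CONNECT';
-- Remediation when a GRANT row comes back:
-- REVOKE CONNECT FROM guest;
```

Run the database-level part inside each contained database; the two instance-level queries at the top are the ones to schedule centrally, since they catch containment being enabled or extended to databases an admin never reviewed.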
The Future
• What might be coming
– Linked servers
– Service Broker
– Maintenance Plans
– Jobs
–?
The End
• Questions?
• Don’t forget to fill out your evaluations
• Resources at the end of the PPT
• www.sqlservercentral.com/forums
• www.voiceofthedba.com/talks/
• Enjoy DevConnections
References
• Partially Contained Databases - http://technet.microsoft.com/en-us/library/ff929071%28v=SQL.110%29.aspx
• Threats Against Contained Databases - http://msdn.microsoft.com/en-us/library/ff929055%28v=sql.110%29.aspx
• sys.dm_db_uncontained_entities
• Contained Databases overview - http://sqlblog.com/blogs/aaron_bertrand/archive/2010/11/16/sql-server-v-next-denali-contained-databases.aspx
• Database Shuffle - http://blogs.msdn.com/b/isaac/archive/2011/04/20/the-database-shuffle.aspx
• Collation Hell - http://blogs.msdn.com/b/isaac/archive/2011/05/05/collation-hell.aspx
• Features within the Application Model - http://msdn.microsoft.com/en-us/library/ff929188%28v=SQL.110%29.aspx
• Features Outside of the Application Model - http://msdn.microsoft.com/en-us/library/ff929118(v=sql.110).aspx
• http://blogs.msdn.com/b/sqlsecurity/archive/2010/12/03/contained-database-authentication-introduction.aspx
• http://blogs.msdn.com/b/sqlsecurity/archive/2010/12/08/contained-database-authentication-in-depth.aspx
• http://blogs.msdn.com/b/sqlsecurity/archive/2010/12/04/contained-database-authentication-monitoring-and-controlling-contained-users.aspx
• http://blogs.msdn.com/b/sqlsecurity/archive/2010/12/06/contained-database-authentication-how-to-control-which-databases-are-allowed-to-authenticate-users-using-logon-triggers.aspx
• Azure - http://social.technet.microsoft.com/wiki/cfs-file.ashx/__key/communityserver-wikis-components-files/00-00-00-00-05/2671.figure1.jpg
Images
• Sword - http://www.flickr.com/photos/8765199@N07/2639252064/
• Knife - http://www.flickr.com/photos/marxfoods/3555089558/
• Login Logic - http://blogs.msdn.com/resizedimage.ashx/__size/550x0/__key/CommunityServer-Blogs-Components-WeblogFiles/00-00-00-92-93/8130.alg.jpg
• vMotion - http://www.atlantavdi.com/wp-content/uploads/2010/10/vmotion1.gif