How to Take Advantage of Contained Databases in SQL Server 2012
Steve Jones
SQLServerCentral
Red Gate Software
Agenda
• What is a contained database?
• Contained Databases in SQL Server 2012
• Looking Forward
Databases in SQL Server
[Diagram labels: Instance; DB1 (tables, views, procedures, users)]
Other RDBMS Platforms
[Diagram labels: Instance; DB1 (tables, views, procedures, users)]
Databases in SQL Server
[Diagram labels: DB1 (tables, views, procedures, users); User; Logins; Linked Servers; Jobs; Packages/Plans]
Contained Databases
• Databases in SQL Server
[Diagram labels: DB1 (tables, views, procedures); Logins; Linked Servers; Jobs; Packages]
Moving Databases
• When do we move a database?
– Testing
– DR
– Hardware upgrades
– Scalability
– Azure
Virtualization
• Moving VMs
Azure
Contained Database
• A contained database is a concept in which a database includes all the settings and metadata required to define the database and has no configuration dependencies on the instance of the SQL Server Database Engine where the database is installed.
From "Partially Contained Databases"
Terms
• Application Boundary (Database Boundary)
• Contained
• Uncontained
• Application Model (Database Model)
• Management Model
SQL Server 2012
• Partially contained databases
– Users authenticate inside the database
– Collation resolution
– Can include non-contained objects
– No replication
– No Change Tracking
– No CDC
– No file activity (Filestream/FileTable)
– Various other restrictions (see BOL)
SQL Server 2012
• Create CDB Demo
Security
• User with password
– Authentication Type = 2
– Password complexity rules apply on create/alter
• Windows Principal
– No login in master
Contained Databases
• Security Demo
– Users
– Certificates
Migration
• set partial containment
• migrate users
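The two migration steps above, together with the "user with password" case from the Security slide, as an added T-SQL example that is not from the original slides or demos. The database name SalesDb, the user name app_reader and the password are hypothetical, constructed values.

```sql
-- Added example. SalesDb and app_reader are hypothetical names.
-- 1. Allow contained-user authentication on the instance.
EXEC sp_configure 'contained database authentication', 1;
RECONFIGURE;
GO
-- 2. Set partial containment on the existing database.
USE master;
GO
ALTER DATABASE SalesDb SET CONTAINMENT = PARTIAL;
GO
USE SalesDb;
GO
-- 3. Create a contained user with password (authentication_type = 2).
--    Constructed sample password; complexity rules are checked here.
CREATE USER app_reader WITH PASSWORD = N'Constructed-Sample-Pw-1!';
GO
-- 4. Migrate users that are mapped to enabled SQL Server logins.
DECLARE @username sysname;
DECLARE user_cursor CURSOR LOCAL FAST_FORWARD FOR
    SELECT dp.name
    FROM sys.database_principals AS dp
    JOIN sys.server_principals AS sp ON dp.sid = sp.sid
    WHERE dp.authentication_type = 1   -- INSTANCE: mapped to a login
      AND dp.principal_id > 4          -- skip dbo, guest, INFORMATION_SCHEMA, sys
      AND sp.type = 'S'                -- SQL Server logins only
      AND sp.is_disabled = 0;
OPEN user_cursor;
FETCH NEXT FROM user_cursor INTO @username;
WHILE @@FETCH_STATUS = 0
BEGIN
    EXEC sp_migrate_user_to_contained
         @username      = @username,
         @rename        = N'keep_name',
         @disable_login = N'do_not_disable_login';  -- login stays usable elsewhere
    FETCH NEXT FROM user_cursor INTO @username;
END
CLOSE user_cursor;
DEALLOCATE user_cursor;
GO
-- 5. Verify: migrated users now show authentication_type = 2 (DATABASE).
SELECT name, type_desc, authentication_type, authentication_type_desc
FROM sys.database_principals
WHERE authentication_type IN (1, 2, 3)
ORDER BY authentication_type, name;
```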
Collation
• Collation conflicts between a user database and tempdb are handled
• Collation set when the batch begins
• Collation Demo
Partial Containment Issues
• sys.dm_db_uncontained_entities – DMV to find objects that are not contained.
• Cdb_uncontained_usage Event – XEvent fired at run time when an uncontained entity is used.
• Collation – determined at batch start time. Can cause issues if you have USE statements.
• Duplicate logins
• RAISERROR/THROW
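One way to read sys.dm_db_uncontained_entities, as an added example that is not from the original slides. It resolves object and principal names so the rows that cross the database boundary can be reviewed before a move; run it in the database being checked.

```sql
-- Added example: list entities that depend on something outside the database.
SELECT
    ue.class_desc,
    COALESCE(o.name, dp.name)      AS entity_name,      -- NULL for other classes
    o.type_desc                    AS object_type,
    ue.feature_name,                                    -- the uncontained feature used
    ue.feature_type_name,
    ue.statement_type,
    ue.statement_line_number                            -- line inside the module
FROM sys.dm_db_uncontained_entities AS ue
LEFT JOIN sys.objects AS o
       ON ue.class = 1                                  -- object or column
      AND ue.major_id = o.object_id
LEFT JOIN sys.database_principals AS dp
       ON ue.class = 4                                  -- database principal
      AND ue.major_id = dp.principal_id
ORDER BY ue.class_desc, entity_name, ue.statement_line_number;

-- Summary per feature, to see which dependencies dominate.
SELECT ue.feature_type_name, ue.feature_name, COUNT(*) AS occurrences
FROM sys.dm_db_uncontained_entities AS ue
GROUP BY ue.feature_type_name, ue.feature_name
ORDER BY occurrences DESC;
```

Principal rows (class 4) are users still mapped to a login in master, which ties this output to the migration step.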
Containment Security Issues
• Users with ALTER ANY USER (members of db_owner or db_securityadmin) can create users without the server admin’s knowledge
• Guest accounts break containment. Contained users can exploit this.
• Sysadmin – never use initial catalog; always use server-level authentication.
Containment Security Issues
• Dbcreator role – Can change containment status (possible users created without knowledge)
• Attaching databases does not check user passwords.
• Passwords stored in the CDB (dictionary attack issues)
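An audit a server administrator could run against the issues listed on these two slides, as an added example that is not from the original slides. The first two queries are instance-wide; the rest are run inside each contained database.

```sql
-- Added example. Instance-wide: is contained authentication enabled,
-- and which databases have containment turned on?
SELECT name, value_in_use
FROM sys.configurations
WHERE name = 'contained database authentication';

SELECT name, containment_desc, create_date
FROM sys.databases
WHERE containment <> 0;

-- Per database: users that authenticate inside the database
-- (password stored in the database, no login in master).
SELECT name, type_desc, authentication_type_desc, create_date, modify_date
FROM sys.database_principals
WHERE authentication_type = 2
ORDER BY create_date DESC;

-- Per database: who can create users without the server admin's knowledge.
SELECT r.name AS granted_via, m.name AS principal_name
FROM sys.database_role_members AS rm
JOIN sys.database_principals AS r ON r.principal_id = rm.role_principal_id
JOIN sys.database_principals AS m ON m.principal_id = rm.member_principal_id
WHERE r.name IN (N'db_owner', N'db_securityadmin')
UNION ALL
SELECT N'ALTER ANY USER permission', g.name
FROM sys.database_permissions AS p
JOIN sys.database_principals AS g ON g.principal_id = p.grantee_principal_id
WHERE p.permission_name = N'ALTER ANY USER'
  AND p.state IN ('G', 'W');              -- GRANT or GRANT WITH GRANT OPTION

-- Per database: is guest allowed to connect? Any row here means guest is enabled.
SELECT g.name, p.permission_name, p.state_desc
FROM sys.database_permissions AS p
JOIN sys.database_principals AS g ON g.principal_id = p.grantee_principal_id
WHERE g.name = N'guest'
  AND p.class = 0                         -- database-level permission
  AND p.permission_name = N'CONNECT'
  AND p.state IN ('G', 'W');
```

Comparing the create_date of contained users against change records is one way to spot users added after a database was attached or its containment status changed.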
The Future
• What might be coming
– Linked servers
– Service Broker
– Maintenance Plans
– Jobs
– ?
The End
• Questions?
• Don’t forget to fill out your evaluations
• Resources at the end of the PPT
• www.sqlservercentral.com/forums
• www.voiceofthedba.com/talks/
• Enjoy DevConnections
References
• Partially Contained Databases - http://technet.microsoft.com/en-us/library/ff929071%28v=SQL.110%29.aspx
• Threats Against Contained Databases - http://msdn.microsoft.com/en-us/library/ff929055%28v=sql.110%29.aspx
• sys.dm_db_uncontained_entities
• Contained Databases overview - http://sqlblog.com/blogs/aaron_bertrand/archive/2010/11/16/sql-server-v-next-denali-contained-databases.aspx
• Database Shuffle - http://blogs.msdn.com/b/isaac/archive/2011/04/20/the-database-shuffle.aspx
• Collation Hell - http://blogs.msdn.com/b/isaac/archive/2011/05/05/collation-hell.aspx
• Features within the Application Model - http://msdn.microsoft.com/en-us/library/ff929188%28v=SQL.110%29.aspx
• Features Outside of the Application Model - http://msdn.microsoft.com/en-us/library/ff929118(v=sql.110).aspx
• http://blogs.msdn.com/b/sqlsecurity/archive/2010/12/03/contained-database-authentication-introduction.aspx
• http://blogs.msdn.com/b/sqlsecurity/archive/2010/12/08/contained-database-authentication-in-depth.aspx
• http://blogs.msdn.com/b/sqlsecurity/archive/2010/12/04/contained-database-authentication-monitoring-and-controlling-contained-users.aspx
• http://blogs.msdn.com/b/sqlsecurity/archive/2010/12/06/contained-database-authentication-how-to-control-which-databases-are-allowed-to-authenticate-users-using-logon-triggers.aspx
• Azure - http://social.technet.microsoft.com/wiki/cfs-file.ashx/__key/communityserver-wikis-components-files/00-00-00-00-05/2671.figure1.jpg
Images
• Sword - http://www.flickr.com/photos/8765199@N07/2639252064/
• Knife - http://www.flickr.com/photos/marxfoods/3555089558/
• Login Logic - http://blogs.msdn.com/resized-image.ashx/__size/550x0/__key/CommunityServer-Blogs-Components-WeblogFiles/00-00-00-92-93/8130.alg.jpg
• vMotion - http://www.atlantavdi.com/wp-content/uploads/2010/10/vmotion1.gif