Security execution context for a database management system
First Claim
1. A system that provides a secure context within a multi-domain database management system, comprising:
- at least one processor coupled to memory that executes:
- a caller's stored procedure to access at least one resource contained in a disparate domain, wherein the stored procedure is annotated with an execute as clause to impersonate a principal of the disparate domain other than the caller of the stored procedure, wherein the execute as clause identifies the impersonated principal, and such that when the execute as clause is executed, a security context for the impersonated principal is implemented by pushing the security context for the impersonated principal onto a stack of execution contexts and popping the security context from the stack of execution contexts when the stored procedure terminates, irrespective of the principal actually calling the stored procedure, enabling the caller to operate in a security context different from that of the caller;
- an access component that validates an identity of the impersonated principal in the disparate domain and controls access to the resources of the disparate domain based at least in part on the privileges of an authenticator, wherein the authenticator's privileges are assigned by an administrator of the disparate domain; and
- a mapping component that maps a security context to an identity provisioned in the disparate domain if the authenticator's credentials are determined to be trusted.
Abstract
A database management system that supports multiple databases in an instance with controlled sharing between the databases. The invention can also support execution of procedures and other modules in the context of any principal, possibly different from that of the caller. Trusted certificates can be employed to permit access to procedures (or other modules). The security context of the invention can provide the building blocks for a pure trusted sub-system model of authorization.
28 Citations
18 Claims
1. A system that provides a secure context within a multi-domain database management system (set out in full under First Claim above). Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9.
10. A method for providing secure interaction between databases, comprising:
- employing a processor executing computer executable instructions stored on a computer readable storage medium to implement the following acts:
- determining that at least one of a first database or an owner of the first database is trusted to access at least one resource in a second database;
- providing a caller context established within the first database with a mapping context to access the resource in the second database;
- invoking, from a first identity associated with the owner of the first database, a stored procedure in the first database to access the resource in the second database, and executing the stored procedure using a second identity residing in the second database that is not the first identity of the invoker of the stored procedure, whereafter the stored procedure is executed using the second identity in a security context for the second identity by pushing the security context for the second identity onto a stack of execution contexts and popping the security context from the stack of execution contexts when the stored procedure terminates, irrespective of the identity actually calling the stored procedure, enabling the first identity to operate in a security context different from that of the first identity;
- validating an identity of the impersonated principal in the disparate domain and controlling access to the resources of the disparate domain based at least in part on the privileges of an authenticator, wherein the authenticator's privileges are assigned by an administrator of the disparate domain; and
- mapping a security context to an identity provisioned in the disparate domain if the authenticator's credentials are determined to be trusted.
Dependent claims: 11, 12, 13, 14.
15. A computer implemented system that implements authentication between domains, comprising:
- at least one processor coupled to memory that retains instructions for:
- a context of execution for an owner of a first domain, the context specifying a set of privileges for the owner of the first domain within a second domain;
- a stored procedure in the first domain that attempts to access resources in the second domain, wherein the stored procedure executes as a first principal maintained in the second domain who is not the caller of the stored procedure;
- an access component that validates the identity and privileges of the first principal under which the stored procedure is attempting to execute in the second domain;
- a grant component that conveys a statement expressed in a declarative language indicating at least one of: the owner of the first domain is trusted to access the second domain, or a certificate is trusted in a manner such that contexts established within signed code corresponding to the certificate facilitate access to the second domain; and that pushes a security context for the first principal onto a stack of execution contexts at the second domain, allowing the procedure in the first domain to execute in the second domain so long as the security context is in the stack, and pops the security context from the stack when the stored procedure terminates; and
- an identity component that marks the first domain as trustworthy to the second domain, the grant component providing at least one of a calling context that is established and authenticated by the owner of the first domain with access to the second domain when the owner of the first domain is declared trusted by the second domain, or a calling context that is established within the signed code that facilitates access to the second domain when the certificate is trusted by the owner of the second domain.
Dependent claims: 16, 17, 18.
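As an added illustration that is not part of the patent or of any product: a small Python model of the execute-as context stack and trust-gated mapping that claims 1, 10 and 15 describe, with the impersonated context popped even when the access check fails. Domain, Session, execute_as, map_identity, call_procedure and the principal and resource names are assumed names chosen for the illustration, not a real DBMS API.

```python
# Added illustration of the claims' execution-context stack; names and data are assumed, not a real API.
from contextlib import contextmanager

class AccessDenied(Exception): """Raised by the access or mapping component when a check fails."""

class Domain:
    """One database ("domain"): provisioned principals, their privileges, trusted authenticators."""
    def __init__(self, name, privileges, trusted_authenticators=()):
        self.name = name
        self.privileges = privileges                # principal -> set of resources it may use
        self.trusted = set(trusted_authenticators)  # assigned by this domain's administrator

    def map_identity(self, authenticator, principal):
        """Mapping component: map to a provisioned identity only if the authenticator is trusted."""
        if authenticator not in self.trusted:
            raise AccessDenied(f"{authenticator} is not trusted by {self.name}")
        if principal not in self.privileges:
            raise AccessDenied(f"{principal} is not provisioned in {self.name}")
        return principal

    def check_access(self, principal, resource):
        """Access component: privilege check against whichever principal is currently active."""
        if resource not in self.privileges.get(principal, set()):
            raise AccessDenied(f"{principal} may not use {resource} in {self.name}")

class Session:
    """Stack of execution contexts; the bottom entry is the real caller."""
    def __init__(self, caller):
        self.stack = [caller]

    @contextmanager
    def execute_as(self, domain, authenticator, principal):
        """Execute-as clause: push the impersonated context; pop it when the module ends, even on error."""
        self.stack.append(domain.map_identity(authenticator, principal))
        try:
            yield
        finally:
            self.stack.pop()

def call_procedure(session, domain, authenticator, principal, resource):
    """Run a stored procedure body; returns (granted, active principal, stack depth afterwards)."""
    try:
        with session.execute_as(domain, authenticator, principal):
            domain.check_access(session.stack[-1], resource)
            active = session.stack[-1]
        return True, active, len(session.stack)
    except AccessDenied:
        return False, None, len(session.stack)
```

The stack depth returned after every call is 1, showing that the caller's own context is restored whether the impersonated access was granted, denied by the privilege check, or refused at mapping time.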