DB2 - Problem description
Problem IT37184 | Status: Closed |
WHEN TRUSTED CONTEXT IS DROPPED, SETSESSIONUSER PRIVILEGES ARE ALSO DELETED | |
product: | |
DB2 FOR LUW / DB2FORLUW / B50 - DB2 | |
Problem description: | |
When you drop a trusted context, DB2 removes all rows in syscat.surrogateauthids where trustedid is the name of the dropped context. It does not check the trustedidtype. This means that if a SETSESSIONUSER grant was given to a user whose name is the same as the context name (the setsessionuser privilege has nothing to do with a trusted context), dropping the TC removes all of those rows, when only the rows with trustedidtype='C' should be removed.

For example:

    db2 "CREATE TRUSTED CONTEXT TEST1 BASED UPON CONNECTION USING SYSTEM AUTHID TEST1 ENABLE ATTRIBUTES (ADDRESS 'X.XX.XXXX.XXXX') WITH USE FOR PUBLIC WITHOUT AUTHENTICATION"
    db2 grant setsessionuser on user XXXX to user TEST1
    db2 "select TRUSTEDIDTYPE, SURROGATEAUTHID from syscat.surrogateauthids where trustedid='TEST1'"

    TRUSTEDIDTYPE SURROGATEAUTHID
    ------------- --------------------------------------------------------------------------------------------------------------------------------
    C             PUBLIC
    U             XXXX

    db2 drop trusted context TEST1
    db2 "select TRUSTEDIDTYPE, SURROGATEAUTHID from syscat.surrogateauthids where trustedid='TEST1'"

    TRUSTEDIDTYPE SURROGATEAUTHID
    ------------- --------------------------------------------------------------------------------------------------------------------------------

      0 record(s) selected.
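A pre-drop check for levels without the fix, as an added example that is not part of the APAR text: it lists the non-context rows in SYSCAT.SURROGATEAUTHIDS whose TRUSTEDID equals the name of an existing trusted context, and builds the GRANT statement to replay after the drop. It assumes the SYSCAT.CONTEXTS catalog view (column CONTEXTNAME), that TRUSTEDIDTYPE 'G' denotes a group grantee, and that the authorization IDs are ordinary (non-delimited) identifiers.

```sql
-- Added example, not IBM's code: SETSESSIONUSER grants that share their
-- TRUSTEDID with a trusted context name and would be deleted along with it.
-- Run BEFORE "DROP TRUSTED CONTEXT" and keep the REGRANT_STMT column.
SELECT s.TRUSTEDID,
       s.TRUSTEDIDTYPE,
       s.SURROGATEAUTHID,
       'GRANT SETSESSIONUSER ON '
         || CASE WHEN s.SURROGATEAUTHID = 'PUBLIC'
                 THEN 'PUBLIC'                       -- grant covers any auth ID
                 ELSE 'USER ' || s.SURROGATEAUTHID
            END
         || ' TO '
         || CASE s.TRUSTEDIDTYPE
                 WHEN 'G' THEN 'GROUP '              -- assumption: G = group grantee
                 ELSE 'USER '
            END
         || s.TRUSTEDID                              AS REGRANT_STMT
FROM   SYSCAT.SURROGATEAUTHIDS s
JOIN   SYSCAT.CONTEXTS c
  ON   c.CONTEXTNAME = s.TRUSTEDID                   -- name collision with a context
WHERE  s.TRUSTEDIDTYPE <> 'C'                        -- rows that are NOT context rows
ORDER  BY s.TRUSTEDID, s.SURROGATEAUTHID;

-- After the drop and the replayed GRANTs, confirm the privilege rows are back.
-- 'TEST1' is the context name from the example above; substitute your own.
SELECT TRUSTEDID, TRUSTEDIDTYPE, SURROGATEAUTHID
FROM   SYSCAT.SURROGATEAUTHIDS
WHERE  TRUSTEDID = 'TEST1'
  AND  TRUSTEDIDTYPE <> 'C';
```

An empty result from the first query means no SETSESSIONUSER grant shares a name with a trusted context, so a drop cannot remove one.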
Problem Summary: | |
USERS AFFECTED: All

PROBLEM DESCRIPTION: See the problem description above.

RECOMMENDATION: Upgrading to 11.5 Fixpack 7 or Higher
Local Fix: | |
Solution | |
Workaround | |
Timestamps | |
Date - problem reported : | 09.06.2021 |
Date - problem closed : | 01.12.2021 |
Date - last modified : | 01.12.2021 |
Problem solved at the following versions (IBM BugInfos) | |
Problem solved according to the fixlist(s) of the following version(s) |