安全相关的函数这些可能会有用: CERTENCODED \CERTPRIVATEKEY \LOGINPROPERTY \ORIGINAL_LOGIN \PWDCOMPARE \SESSION_USER \SESSIONPROPERTY \SUSER_ID \SUSER_NAME \SYSTEM_USER \USER_NAME \DATABASE_PRINCIPAL_ID \IS_MEMBER \IS_ROLEMEMBER \IS_SRVROLEMEMBER
用户身份:IS_MEMBER \IS_ROLEMEMBER \IS_SRVROLEMEMBER
IS_MEMBER:可以验证用户是否是某NT工作组或者AD安全组的成员
IS_ROLEMEMBER:可以验证用户是否是某数据库角色成员
IS_SRVROLEMEMBER:可以验证用户是否是某服务器角色成员
证书编码:CERTENCODED \CERTPRIVATEKEY
CERTENCODED:把证书转成二进制编码,例如SELECT CERTENCODED(CERT_ID('证书名称'))
CERTPRIVATEKEY:通常配合CERTENCODED,生成证书的私钥,输出成VARBINARY(MAX),然后可以在通过私钥二进制代码后(像创建程序集一样)在另外一个数据库创建相同的证书。然后再通过ENCRYPTBYCERT和DECRYPTBYCERT进行数据加密和解密。
实际使用场景就是可以把一些敏感数据字段用密钥加密后,到了另外一个数据库用私钥解密,私钥解密指定解密密码达到安全性的要求。
DECLARE @CERTENC VARBINARY(MAX); DECLARE @CERTPVK VARBINARY(MAX); SELECT @CERTENC = CERTENCODED(CERT_ID('SOURCE_CERT')); SELECT @CERTPVK = CERTPRIVATEKEY(CERT_ID('SOURCE_CERT'), 'CertEncryptionPa$$word'); SELECT @CERTENC AS BinaryCertificate; SELECT @CERTPVK AS EncryptedBinaryCertificate; GO
-- Create the duplicate certificate in the TARGET_DB database USE TARGET_DB GO CREATE CERTIFICATE TARGET_CERT FROM BINARY = <insert the binary value of the @CERTENC variable> WITH PRIVATE KEY ( BINARY = <insert the binary value of the @CERTPVK variable> , DECRYPTION BY PASSWORD = 'CertEncryptionPa$$word'); -- Compare the certificates in the two databases -- The two certificates should be the same -- except for name and (possibly) the certificate_id SELECT * FROM SOURCE_DB.sys.certificates UNION SELECT * FROM TARGET_DB.sys.certificates;
USE SOURCE_DB; DECLARE @CLEARTEXT nvarchar(100); DECLARE @CIPHERTEXT varbinary(8000); DECLARE @UNCIPHEREDTEXT_Source nvarchar(100); SET @CLEARTEXT = N'Hello World'; SET @CIPHERTEXT = ENCRYPTBYCERT(CERT_ID('SOURCE_CERT'), @CLEARTEXT); SET @UNCIPHEREDTEXT_Source = DECRYPTBYCERT(CERT_ID('SOURCE_CERT'), @CIPHERTEXT) -- Encryption and decryption result in SOURCE_DB SELECT @CLEARTEXT AS SourceClearText, @CIPHERTEXT AS SourceCipherText, @UNCIPHEREDTEXT_Source AS SourceDecryptedText; -- SWITCH DATABASE USE TARGET_DB; DECLARE @UNCIPHEREDTEXT_Target nvarchar(100); SET @UNCIPHEREDTEXT_Target = DECRYPTBYCERT(CERT_ID('TARGET_CERT'), @CIPHERTEXT); -- Encryption and decryption result in TARGET_DB SELECT @CLEARTEXT AS ClearTextInTarget, @CIPHERTEXT AS CipherTextInTarget, @UNCIPHEREDTEXT_Target AS DecriptedTextInTarget; GO
获取登录用户身份:ORIGINAL_LOGIN \SESSION_USER \SUSER_ID \SUSER_NAME \SYSTEM_USER \USER_NAME \DATABASE_PRINCIPAL
ORIGINAL_LOGIN:因为可以通过EXECUTE AS XXX切换用户身份执行上下文,ORIGINAL_LOGIN的作用就是获取原始登录用户名称的
SESSION_USER:获取会话用户,会话用户是数据库用户,不是登录用户
SUSER_ID\SUSER_NAME:这两个是一样的,一个是获取登录用户ID,一个是获取登录用户名称
SYSTEM_USER:也是获取登录用户,不过这个的作用是用在创建表字段的时候指定默认约束的
USER_NAME\DATABASE_PRINCIPAL_ID:这两个也是一样的,一个获取数据库用户名称,一个获取数据库用户ID