Db2cert2v8 LTR
Db2cert2v8 LTR
Db2cert2v8 LTR
Table of Contents
If you're viewing this document online, you can click any of the topics below to link directly to that section.
1. Introduction.............................................................. 2
2. DB2 security............................................................. 4
3. DB2 authentication..................................................... 6
4. DB2 authorities ......................................................... 11
5. DB2 privileges .......................................................... 16
6. Summary, resources, and feedback ................................ 21
Section 1. Introduction
This tutorial is the second in a series of six tutorials you can use to help prepare for the
DB2 UDB V8.1 Family Fundamentals Certification (Exam 700). The material in this
tutorial primarily covers the objectives in Section 2 of the test, which is entitled
"Security." You can view these objectives at
http://www.ibm.com/certify/tests/obj700.shtml.
DB2 installation is not covered in this tutorial. If you haven't already done so, we
strongly recommend that you download and install a copy of IBM DB2 Universal
Database, Enterprise Server Edition. Installing DB2 will help you understand many of
the concepts that are tested on the DB2 UDB V8.1 Family Fundamentals Certification
exam. The installation process is documented in the Quick Beginnings books, which
can be found at the DB2 Technical Support Web site under the Technical Information
heading.
In this tutorial, you'll learn about DB2 security features, including DB2 authentication,
authorization, and privileges.
Pre-tutorial setup
The examples in this tutorial are specific to DB2 running on a Windows operating
system (with native security features). However, the concepts and information provided
are relevant to DB2 running on any distributed platform.
In order to work through the examples in this tutorial, the user should have:
Authentication is the first security feature you'll encounter when you attempt to access
a DB2 instance or database. DB2 authentication works closely with the security
features of the underlying operating system to verify user IDs and passwords. DB2 can
also work with security protocols like Kerberos to authenticate users.
Authorization involves determining the operations that users and/or groups can
perform, and the data objects that they may access. A user's ability to perform
high-level database and instance management operations is determined by the
authorities that they have been assigned. The five different authority levels within DB2
are SYSADM, SYSCTRL, SYSMAINT, DBADM, and LOAD.
Privileges are a bit more granular than authorities, and can be assigned to users and/or
groups. Privileges help define the objects that a user can create or drop. They also
define the commands that a user can use to access objects like tables, views, indexes,
and packages.
To prepare for the next section of the tutorial, you will need to create a database within
the db2inst1 instance. Make sure that the db2instance variable is still set to
db2inst1, and then create the sample database using the command db2sampl
drive, using the name of the drive where you want to create the sample. For the
examples in this tutorial, we'll create the sample database on our C drive, as follows:
C:\PROGRA~1\SQLLIB\BIN>db2sampl c:
The database server is the machine (or machines in a partitioned database system) on
which the database physically resides. The DB2 database clients are machines that
are configured to run queries against the database on the server. These clients can be
local (that is, they can reside on the same physical machine as the database server) or
they can be remote (that is, they can reside on separate machines).
It does this with the help of the underlying operating system security features whenever
an attach or connect command is issued. An attach command is used to connect to the
DB2 instance, whereas a connect command is used to connect to a database within a
DB2 instance. The examples below walk you through the different ways that DB2 will
authenticate a user issuing these commands. In these examples, we've used the
default authentication type of SERVER in the database manager configuration file.
Log on to the machine where DB2 is installed, with the user ID you used to create the
db2inst1 instance. Issue the following commands:
Type Description
SERVER Authentication takes place on the server.
SERVER_ENCRYPT Authentication takes place on the server. Passwords are encrypted at the client
machine before being sent to the server.
CLIENT Authentication takes place on the client machine (see Dealing with untrusted
clients on page 9 for exceptions).
*KERBEROS Authentication is performed by the Kerberos security software.
*KRB_SERVER_ENCRYPT Authentication is performed by Kerberos security software if the client setting is
KERBEROS. Otherwise, SERVER_ENCRYPT is used.
*These settings are valid only for Windows 2000 operating systems.
C:\PROGRA~1\SQLLIB\BIN>db2stop
C:\PROGRA~1\SQLLIB\BIN>db2start
To set the gateway authentication type to SERVER, you would issue the following
command on the gateway machine:
Note that authentication is never performed on the gateway itself. In DB2 Version 8,
authentication must always occur at either the client or the host database server.
Let's assume the server authentication type is set to SERVER. The following
command would then be issued to catalog the server database named sample:
If the authentication type is not specified, the client will try to use SERVER_ENCRYPT
by default.
• Client connecting to a host database: Let's assume that the authentication type on
the gateway is set to SERVER. If an authentication type is not specified, SERVER
authentication is assumed when accessing a database through DB2 Connect.
Authentication will take place on the host database server. The following command
issued from the client will cause the password to be encrypted on the client before
being sent to the gateway:
There are two additional parameters in the DBM CFG file used to determine where
authentication should take place when the server or gateway authentication method is
set to CLIENT and untrusted clients are attempting to connect to the database or
attach to the DB2 instance. These are the TRUST_ALLCLNTS and
TRUST_CLNTAUTH parameters.
When the server or gateway authentication type is CLIENT, there are two other factors
that come into play in addition to the TRUST_ALLCLNTS and TRUST_CLNTAUTH
parameters. The first is whether a user ID and password were explicitly supplied and
the second is the type of client connecting. The three DB2 clients are:
Supplied?
No Yes CLIENT CLIENT
No Yes SERVER CLIENT
No No CLIENT SERVER
No No SERVER SERVER
No DRDAONLY CLIENT SERVER
No DRDAONLY SERVER SERVER
Yes Yes CLIENT CLIENT
Yes Yes SERVER SERVER
Yes No CLIENT SERVER
Yes No SERVER SERVER
Yes DRDAONLY CLIENT SERVER
Yes DRDAONLY SERVER SERVER
DRDAONLY refers to host clients only, despite the fact that DB2 Version 8 clients
connect using DRDA as well.
The examples below illustrate setting authentication types and parameters on the
server and client:
If the command db2 connect to sample is issued from any client, authentication
takes place on the client. If the command db2 connect to sample user tst1
using mypass is issued from any client, authentication takes place on the server.
Introduction to authorities
DB2 authorities control the following aspects of a database security plan:
The DBADM and LOAD authorities are assigned to a user or group for a particular
database. This can be done explicitly using the GRANT command.
The following panels describe how each authority is assigned and what commands
users with that authority are allowed to perform. Note that any reference to group
membership implies that the user and group names have already been defined at the
operating system level.
Users can determine what authorities and database-level privileges they have by
issuing the following command:
SYSADM authority is controlled in the DBM CFG file via the SYSADM_GROUP
parameter. When the instance is created, this parameter is set to Administrator on
Windows (although it appears blank if you issue the command db2 get dbm cfg).
On UNIX, it is set to the primary group of the user who created the instance.
Since SYSADM users are the only users allowed to update the DBM CFG, they are
also the only ones allowed to grant any of the SYS* authorities to other groups. The
following example illustrates how to grant SYSADM authority to the group grp1:
db2 update dbm cfg using SYSADM_GROUP grp1
Remember, this change will not take effect until the instance is stopped and then
restarted. Also, keep in mind that if you are not currently logged in as a member of
grp1, you may not have authority to restart the instance! You would have to log out and
log back in with an ID in the correct group, or add your current ID to grp1.
• db2start/db2stop
• db2 create/drop database
• db2 create/drop tablespace
• db2 backup/restore/rollforward database
• db2 runstats (against any table)
• db2 update db cfg for database dbname
A user with SYSADM authority can assign SYSCTRL to a group using the following
command:
• db2start/db2stop
• db2 backup/restore/rollforward database
• db2 runstats (against any table)
• db2 update db cfg for database dbname
Notice that users with SYSMAINT cannot create or drop databases or tablespaces.
They also cannot access any data within the databases unless they are granted the
privileges required to do so.
If you have SYSADM authority, you can assign SYSMAINT authority to a group using
the following command:
• drop database
• drop/create tablespace
• backup/restore database
• update db cfg for database db name
DBADM users are also automatically granted all privileges to the database objects and
their contents. Since DBADM authority is a database-level authority, it can be assigned
to both users and groups. The following commands illustrate different ways in which
you can give DBADM authority.
Only users with either SYSADM or DBADM authority are permitted to grant or revoke
LOAD authority to users or groups. The following examples illustrate how LOAD
authority can allow our user to LOAD data into a table called sales. Assume that the
command db2 connect to sample has already been issued.
LOAD RESTART, or TERMINATE after a LOAD INSERT against the sales table.
Database objects include tables, views, indexes, schemas, and packages. Fortunately,
most of the object-level privileges are self explanatory. The following table summarizes
these privileges.
statement.
REFERENCES Table Provides the ability to create or drop foreign
object.
BIND Package Allows users to rebind existing packages.
EXECUTE Package, Procedure, Function, Method Allows users to execute packages and rout
ALTERIN Schema Allows users to modify definitions of objects
CREATEIN Schema Allows users to create objects within the sc
DROPIN Schema Allows users to drop objects within the sche
Information on object-level privileges is stored in the system catalog views. The view
names are syscat.tabauth, syscat.colauth, syscat.indexauth,
syscat.schemaauth, syscat.routineauth, and syscat.packageauth.
Explicit privileges
Privileges can be explicitly granted and revoked to users or groups using the GRANT
and REVOKE commands. Let's take a look at how you could use these commands on
various objects.
While logged in as a user with Administrator authority on Windows, bring up two DB2
command windows. Make sure that the db2instance variable is set to db2inst1 in
both windows!
Remember, the commands in Window 1 are being issued by a user with SYSADM
authority. The commands in Window 2 are being issued by tst1, a user with no specific
authority or privileges on the sample database. Note that the schema name associated
with the tables in your sample database will be the name of the user that issued the
db2sampl command. In these examples, that user is LISAC.
SQL0551N "TST1" does not have the privilege to perform operation "SELECT" on object "LISA
Now our earlier command will succeed! Next, let's issue a more ambitious command
from Window 2:
SQL0551N "TST1" does not have the privilege to perform operation "INSERT" on object "LIS
Our earlier failed INSERT command should now complete successfully, because tst1 is
a member of group grp1.
SQL0551N "TST1" does not have the privilege to perform operation "DROP TABLE" on object "
So, we'll have the grant that privilege. Enter the following from Window 1:
Now that we've finished our example, let's revoke all the privileges we just granted. Do
so by issuing the following commands from Window 1:
Note that revoking privileges from a group does not necessarily revoke it from all
members of that group. For example, the following command could have been used to
revoke all privileges (except CONTROL) from grp1 on the table lisac.org:
db2 revoke all on table lisac.org from group grp1
However, the user tst1 (who is a member of grp1) would have kept the select privileges
on that table, since he or she had been granted that privilege directly.
Implicit privileges
DB2 may grant privileges automatically when certain commands are issued, without
the need for an explicit GRANT statement to be issued, as you saw in the previous
panel. The table below summarizes some commands that result in privileges being
implicitly granted by the database manager. Note that these privileges are implicitly
revoked when the object created is dropped. They are not, however, revoked when
higher-level privileges are explicitly revoked.
*When a user creates a database, that user is implicitly granted DBADM authority on
that database. With DBADM authority comes implicit CONNECT, CREATETAB,
BINDADD, IMPLICIT_SCHEMA, and CREATE_NOT_FENCED privileges. These
privileges will remain with the user even if the DBADM authority is revoked.
**PUBLIC is a special DB2 group that includes all users of a particular database. Unlike
the other groups we've discussed thus far, PUBLIC does not have to be defined at the
operating system level. There are some privileges granted to PUBLIC by default. For
example, this group receives CONNECT privilege on the database and SELECT
privilege on the catalog tables automatically. GRANT and REVOKE commands can be
issued against the PUBLIC group, like so:
Indirect privileges
Privileges can be obtained indirectly when packages are executed by the database
manager. A package contains one or more SQL statements that have been converted
into a format that DB2 uses internally to execute them. In other words, a package
contains multiple SQL statements in an executable format. If all the statements in the
package are static, a user would only require EXECUTE privilege on the package to
successfully execute the statements in the package.
For example, assume db2package1 executes the following static SQL statements:
Summary
Now that you've completed this tutorial, you should have a fundamental understanding
of the following topics:
Elements of a DB2 security plan: You should understand the structure of the entire
DB2 environment, which includes client, servers, gateways, and hosts. You should also
understand authentication, authorization, and privileges.
DB2 authentication types: You should know how to set authentication types using the
db2 update dbm cfg using authentication type command on the server,
and using the db2 catalog database command on the gateway and client.
DB2 authorities: You should understand the basics of the SYSADM, SYSCTRL, and
SYSMAINT authorities, which are set in the DBM CFG file, and DBADM and LOAD
authorities, which are set via the GRANT command and revoked using the REVOKE
command. You should definitely know what command each authority is allowed to run.
DB2 privileges: You should have an understanding of the different types of privileges
and what they allow a user to do. Examples are CONTROL, INSERT, DELETE,
CREATEIN, DROPIN, REFERENCES, and SELECT. You should also know how a
privilege is obtained/revoked explicitly (GRANT/REVOKE commands), implicitly, or (for
packages only) indirectly.
Resources
You can learn more about DB2 instances from the following resources:
Check out the other parts of the DB2 V8.1 Family Fundamentals Certification Prep
tutorials:
Feedback
Colophon
This tutorial was written entirely in XML, using the developerWorks Toot-O-Matic tutorial
generator. The open source Toot-O-Matic tool is an XSLT style sheet and several XSLT
extension functions that convert an XML file into a number of HTML pages, a zip file, JPEG
heading graphics, and two PDF files. Our ability to generate multiple text and binary formats
from a single source file illustrates the power and flexibility of XML. (It also saves our
production team a great deal of time and effort.)