Enjoy Every Sandwich

Thoughts on SQL, XML, .NET and sometimes beer.

<September 2008>
SuMoTuWeThFrSa
31123456
78910111213
14151617181920
21222324252627
2829301234
567891011

Navigation

Tools

List O'Links

Kent's Other Stuff

Subscriptions

News

Please read these
Notices and Disclamiers

Post Categories

Article Categories



A kinder, lighter Safety Dance for the SQLCLR

A few months ago, I published a step-by-step procedure for using certificate to sign an assembly so an external access or unsafe assembly could be run without having to set the hosting database to trustworthy. The major problem with that process was its weight: a lot of steps and some still requirements in terms of certificate management. Turns out that yes, there is an easier way to make it work.

Part one -- preparing the master database 

  1. As needed, start a series of queries against the MASTER database.  
  2. Create the target database (meaning execute a CREATE DATABASE query).
  3. Code and compile the assembly you want to deploy. Make sure you sign the assembly with a strong name key file. This can be done with a PFX file generated by Visual Studio.
  4. Create an asymmetric key from from the compiled assembly using a statement like this: create asymmetric key <key_name> from executable file = '<path_to_dll_file>'
  5. Create a login based on that asymmetric key using a statement like this: create login <login_name> from asymmetric key <key_name>
  6. Grant that login the right to create either or both an unsafe or external access assembly (as needed) using: grant unsafe assembly to <login_name>

Part two -- preparing the hosting database

  1. As needed, start a series of queries against the desired user database.
  2. Create a user in that database mapped to the login created in part, step 5. (e.g. create user <db_user> from login <login_name>)
  3. Give that user the right to catalog an assembly, e.g.: grant create assembly to <db_user>
  4. Catalog the desired assembly using the now trusted asymmetric key with a statement like: create assembly <assembly_name> authorization <db_user> from '<path_to_dll_file>' with permission_set = unsafe

From there on, its just a matter of mapping your methods and classes to the desired T-SQL objects.

Note: the following is just to help Google find this post.

is not authorized for PERMISSION_SET = UNSAFE. The assembly is authorized when either of the following is true: the database owner (DBO) has UNSAFE ASSEMBLY permission and the database has the TRUSTWORTHY database property on; or the assembly is signed with a certificate or an asymmetric key that has a corresponding login with UNSAFE ASSEMBLY permission. RegistryReader

posted on Monday, August 14, 2006 7:39 AM by ktegels




Powered by Dot Net Junkies, by Telligent Systems