How to Take Advantage of Contained Databases in SQL Server 2012 Steve Jones SQLServerCentral Red Gate Software

Agenda

• What is a contained database?

• Contained Databases in SQL Server 2012

• Looking Forward

Databases in SQL Server

[Diagram: one Instance box containing three DB1 boxes, each holding tables, views, procedures, users]

Other RDBMS Platforms

[Diagram: three Instance boxes, each with a DB1 box (tables, views, procedures, users)]

Databases in SQL Server

[Diagram: Instance with DB1 (tables, views, procedures, users), a DB1 User, and the instance-level items Logins, Linked Servers, Jobs, Packages/Plans]

Contained Databases

• Databases in SQL Server

[Diagram: DB1 (tables, views, procedures) shown with Logins, Linked Servers, Jobs, Packages]

Moving Databases

• When do we move a database?

– Testing

– DR

– Hardware upgrades

– Scalability

– Azure

Virtualization

• Moving VMs

Azure

Contained Database

• A contained database is a concept in which a database includes all the settings and metadata required to define the database and has no configuration dependencies on the instance of the SQL Server Database Engine where the database is installed.

From Partially Contained Databases

Terms

• Application Boundary (Database Boundary)

• Contained

• Uncontained

• Application Model (Database Model)

• Management Model

SQL Server 2012

• Partially contained databases

– Users authenticate inside the database

– Collation resolution

– Can include non-contained objects

– No replication

– No Change Tracking

– No CDC

– No file activity (Filestream/FileTable)

– Various other restrictions (see BOL)

SQL Server 2012

• Create CDB Demo

Security

• User with password

– Authentication Type = 2

– Password complexity rules apply on create/alter

• Windows Principal

– No login in master

Contained Databases

• Security Demo

– Users

– Certificates

Migration

• set partial containment

• migrate users
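
The two migration steps above, written out in T-SQL as an added example (not from the original slides). SalesDB is a hypothetical database name; the cursor converts every user mapped to an enabled SQL Server login with sp_migrate_user_to_contained.

```sql
-- Added example; SalesDB is a hypothetical database name.
-- 1. Allow contained users to authenticate on this instance.
EXEC sys.sp_configure N'contained database authentication', 1;
RECONFIGURE;
GO

-- 2. Set partial containment on the database.
USE master;
GO
ALTER DATABASE SalesDB SET CONTAINMENT = PARTIAL;
GO

-- 3. List what still crosses the database boundary before relying on containment.
USE SalesDB;
GO
SELECT o.name AS object_name, ue.class_desc, ue.feature_name,
       ue.feature_type_name, ue.statement_type, ue.statement_line_number
FROM sys.dm_db_uncontained_entities AS ue
LEFT JOIN sys.objects AS o
       ON o.object_id = ue.major_id AND ue.class = 1;  -- class 1 = object or column
GO

-- 4. Migrate users: each user mapped to a SQL Server login becomes a
--    contained user with password. The login is left enabled so the change
--    can be verified before the login is retired.
DECLARE @username sysname;
DECLARE user_cursor CURSOR LOCAL FAST_FORWARD FOR
    SELECT dp.name
    FROM sys.database_principals AS dp
    JOIN sys.server_principals AS sp ON dp.sid = sp.sid
    WHERE dp.authentication_type = 1   -- INSTANCE: authenticates through a login
      AND sp.is_disabled = 0;
OPEN user_cursor;
FETCH NEXT FROM user_cursor INTO @username;
WHILE @@FETCH_STATUS = 0
BEGIN
    EXEC sys.sp_migrate_user_to_contained
         @username = @username,
         @rename = N'keep_name',
         @disable_login = N'do_not_disable_login';
    FETCH NEXT FROM user_cursor INTO @username;
END;
CLOSE user_cursor;
DEALLOCATE user_cursor;
GO
```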

Collation

• Collation conflicts between a user database and tempdb are handled

• Collation set when the batch begins

• Collation Demo

Partial Containment Issues

• sys.dm_db_uncontained_entities – DMV to find objects that are not contained.

• Cdb_uncontained_usage Event – Xevent fired when an uncontained entity is used. (run-time)

• Collation – determined at batch start time. Can cause issues if you have USE statements.

• Duplicate logins

• RAISERROR/THROW

Containment Security Issues

• ALTER ANY USER (db_owner or db_securityadmin) users can create users without the server admin’s knowledge

• Guest accounts break containment. Contained users can exploit this.

• Sysadmin – never use initial catalog, always use server level authentication.

• Dbcreator role – Can change containment status (possible users created without knowledge)

• Attaching databases does not check user passwords.

• Passwords stored in the CDB (dictionary attack issues)
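
One way a server administrator could review the exposure points listed on these slides, as an added example that is not part of the original deck. It uses only catalog views and assumes a server-level (not contained) sysadmin connection.

```sql
-- Added example: containment review queries.
-- 1. Instance-wide: is contained authentication on, and which databases use it?
SELECT name, value_in_use
FROM sys.configurations
WHERE name = N'contained database authentication';

SELECT name, containment_desc, create_date
FROM sys.databases
WHERE containment <> 0;          -- 0 = NONE, 1 = PARTIAL

-- Run queries 2 and 4 inside each contained database; run query 3 in every
-- database on the instance, since an enabled guest is the way across.

-- 2. Contained users with passwords (Authentication Type = 2), most recently
--    changed first, to spot users created without the server admin's knowledge.
SELECT name, type_desc, authentication_type_desc, create_date, modify_date
FROM sys.database_principals
WHERE authentication_type = 2
ORDER BY modify_date DESC;

-- 3. Is guest enabled here? guest holds CONNECT only when it is enabled.
SELECT pr.name, pe.permission_name, pe.state_desc
FROM sys.database_permissions AS pe
JOIN sys.database_principals AS pr
     ON pr.principal_id = pe.grantee_principal_id
WHERE pr.name = N'guest'
  AND pe.permission_name = N'CONNECT'
  AND pe.state IN ('G', 'W');    -- GRANT or GRANT WITH GRANT OPTION

-- 4. Who can create users: explicit ALTER ANY USER grants plus members of
--    db_owner and db_securityadmin.
SELECT pr.name AS principal_name, N'ALTER ANY USER' AS granted_via
FROM sys.database_permissions AS pe
JOIN sys.database_principals AS pr
     ON pr.principal_id = pe.grantee_principal_id
WHERE pe.permission_name = N'ALTER ANY USER'
  AND pe.state IN ('G', 'W')
UNION ALL
SELECT m.name, r.name
FROM sys.database_role_members AS rm
JOIN sys.database_principals AS r ON r.principal_id = rm.role_principal_id
JOIN sys.database_principals AS m ON m.principal_id = rm.member_principal_id
WHERE r.name IN (N'db_owner', N'db_securityadmin');
```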

The Future

• What might be coming

– Linked servers

– Service Broker

– Maintenance Plans

– Jobs

– ?

The End

• Questions?

• Don’t forget to fill out your evaluations

• Resources at the end of the PPT

• www.sqlservercentral.com/forums

• www.voiceofthedba.com/talks/

• Enjoy DevConnections

References

• Partially Contained Databases - http://technet.microsoft.com/en-us/library/ff929071%28v=SQL.110%29.aspx

• Threats Against Contained Databases - http://msdn.microsoft.com/en-us/library/ff929055%28v=sql.110%29.aspx

• sys.dm_db_uncontained_entities

• Contained Databases overview - http://sqlblog.com/blogs/aaron_bertrand/archive/2010/11/16/sql-server-v-next-denali-contained-databases.aspx

• Database Shuffle - http://blogs.msdn.com/b/isaac/archive/2011/04/20/the-database-shuffle.aspx

• Collation Hell - http://blogs.msdn.com/b/isaac/archive/2011/05/05/collation-hell.aspx

• Features within the Application Model - http://msdn.microsoft.com/en-us/library/ff929188%28v=SQL.110%29.aspx

• Features Outside of the Application Model - http://msdn.microsoft.com/en-us/library/ff929118(v=sql.110).aspx

• http://blogs.msdn.com/b/sqlsecurity/archive/2010/12/03/contained-database-authentication-introduction.aspx

• http://blogs.msdn.com/b/sqlsecurity/archive/2010/12/08/contained-database-authentication-in-depth.aspx

• http://blogs.msdn.com/b/sqlsecurity/archive/2010/12/04/contained-database-authentication-monitoring-and-controlling-contained-users.aspx

• http://blogs.msdn.com/b/sqlsecurity/archive/2010/12/06/contained-database-authentication-how-to-control-which-databases-are-allowed-to-authenticate-users-using-logon-triggers.aspx

• Azure - http://social.technet.microsoft.com/wiki/cfs-file.ashx/__key/communityserver-wikis-components-files/00-00-00-00-05/2671.figure1.jpg

Images

• Sword - http://www.flickr.com/photos/8765199@N07/2639252064/

• Knife - http://www.flickr.com/photos/marxfoods/3555089558/

• Login Logic - http://blogs.msdn.com/resized-image.ashx/__size/550x0/__key/CommunityServer-Blogs-Components-WeblogFiles/00-00-00-92-93/8130.alg.jpg

• vMotion - http://www.atlantavdi.com/wp-content/uploads/2010/10/vmotion1.gif