我正在尝试构建一个控制台应用程序,用于从 LDAP 检索用户,在 Teradata 中创建相同的用户,并根据这些用户的组成员身份向这些用户授予权限。
我的应用程序运行良好,但我遇到了问题。当我为用户分配角色时,用户必须登录 Teradata,然后手动执行一次
SET ROLE ldapUser;
。我想在我的代码中自动执行此过程,以便用户不必自己登录并激活角色。
不幸的是,我无法完成这个任务。
我做了什么: 这些是我授予权限和创建的代码。
string connectionString = "DataSource=123.123.123.123;Database=dbc;User ID=dbc;Password=dbc;SslMode=Disable";
using (TdConnection connection = new TdConnection(connectionString))
{
try
{
connection.Open();
Console.WriteLine("Connection to Teradata established successfully");
// Step 1: Create users for the ones not present in Teradata
foreach (UserDetail userDetail in newDataToProcess)
{
string checkUserExistsSQL = $"SELECT UserName FROM DBC.Users WHERE UserName = '{userDetail.Username}';";
using (TdCommand checkUserExistsCommand = new TdCommand(checkUserExistsSQL, connection))
{
object result = checkUserExistsCommand.ExecuteScalar();
if (result == null || result == DBNull.Value)
{
// User does not exist, create the user
string createUserSQL = $"CREATE USER {userDetail.Username} FROM dbc AS PERMANENT = 1000000, SPOOL = 1000000, TEMPORARY = 1000000, PROFILE = {userDetail.OU}, ACCOUNT = 'tauqer_account', PASSWORD = Mypassword;";
using (TdCommand createUserCommand = new TdCommand(createUserSQL, connection))
{
createUserCommand.ExecuteNonQuery();
Console.WriteLine($"User '{userDetail.Username}' created successfully");
string grantLogonSQL = $"GRANT LOGON ON ALL TO {userDetail.Username} WITH NULL PASSWORD;";
using (TdCommand grantLogonCommand = new TdCommand(grantLogonSQL, connection))
{
grantLogonCommand.ExecuteNonQuery();
}
foreach (string cn in userDetail.CNs)
{
string grantRoleSQL = $"GRANT {cn} TO {userDetail.Username};";
//string grantRoleSQL = $"GRANT {cn.Trim()} TO {userDetail.Username};"; // Trim to remove any leading/trailing spaces
// using (TdCommand grantRoleCommand = new TdCommand(setRoleSQL, connection))
using (TdCommand grantRoleCommand = new TdCommand(grantRoleSQL, connection))
{
grantRoleCommand.ExecuteNonQuery();
Console.WriteLine($"Granted role '{cn}' to user '{userDetail.Username}'");
// grantRoleCommand.ExecuteNonQuery();
// Console.WriteLine($"User '{userDetail.Username}' granted the privilege '{cn.Trim()}'");
}
if (cn.Equals("LDAP_Admin", StringComparison.OrdinalIgnoreCase))
{
string setDefaultRoleSQL = $"GRANT {cn} TO {userDetail.Username} AS DEFAULT;";
using (TdCommand setDefaultRoleCommand = new TdCommand(setDefaultRoleSQL, connection))
{
setDefaultRoleCommand.ExecuteNonQuery();
Console.WriteLine($"Set role '{cn}' as default for user '{userDetail.Username}'");
}
}
}
}
}
else
{
Console.WriteLine($"User '{userDetail.Username}' already exists in Teradata. Moving to the next user.");
}
}
}
// Step 2: Delete users from Teradata that are not present in newDataToProcess
string selectExistingUsersSQL = "SELECT UserName FROM DBC.Users;";
List<string> existingUsernames = new List<string>();
using (TdCommand selectExistingUsersCommand = new TdCommand(selectExistingUsersSQL, connection))
{
using (TdDataReader reader = selectExistingUsersCommand.ExecuteReader())
{
while (reader.Read())
{
string username = reader.GetString(0);
if (!newDataToProcess.Any(userDetail => userDetail.Username == username))
{
existingUsernames.Add(username);
}
}
}
}
foreach (UserDetail existingUsername in uniqueInListLDAP)
{
string checkProfileSQL = $"SELECT UserName FROM DBC.Users WHERE UserName = '{existingUsername}' AND ProfileName='TDLDAP';";
using (TdCommand checkProfileCommand = new TdCommand(checkProfileSQL, connection))
{
//object result = checkProfileCommand.ExecuteScalar();
// if (result != null && result != DBNull.Value)
{
string deleteUserSQL = $"DROP USER {existingUsername.Username};";
try
{
using (TdCommand deleteUserCommand = new TdCommand(deleteUserSQL, connection))
{
deleteUserCommand.ExecuteNonQuery();
Console.WriteLine($"User '{existingUsername.Username}' deleted successfully from Teradata.");
}
}
catch (TdException ex)
{
Console.WriteLine($"Failed to delete user '{existingUsername}' from Teradata: {ex.Message}");
}
}
}
}
connection.Close();
}
catch (TdException ex)
{
Console.WriteLine("Error: " + ex.Message);
}
}
}
}
} 我已经尝试了我能想到的所有选项,但无论如何,我都必须使用新创建的用户登录一次才能设置角色,以便用户可以查看授权数据。您能告诉我如何强制执行此操作并使用 dbc 用户设置/激活用户的角色吗?
这将是一个很大的帮助。
在
DEFAULT ROLE =
或 CREATE USER
SQL 语句中使用 MODIFY USER
子句。您可以指定角色名称或关键字 ALL
,它断言所有授予角色的权限联合。当给出特定的角色名称时,MODIFY USER
要求用户已经被授予该角色; CREATE USER
将为您做GRANT
。