SqlAGDatabase: Impersonate permission incorrectly checked on SQL 2012 #1237

Closed
codykonior opened this issue Oct 8, 2018 · 0 comments · Fixed by #1295
Labels
bug The issue is a bug.

codykonior commented Oct 8, 2018

Details of the scenario you tried and the problem that is occurring

When running SqlAGDatabase with the MatchDatabaseOwner option, Test-ImpersonatePermissions gets called. This dumps the fn_my_permissions for the user and checks for IMPERSONATE ANY LOGIN.

That permission does not exist on SQL 2012 and was only introduced in SQL 2014. This causes the test to fail even when equivalent permissions exist.

Verbose logs showing the problem

PowerShell DSC resource MSFT_SqlAGDatabase  failed to execute Set-TargetResource functionality with error message: The
login 'LAB\LocalAdministrator' is missing impersonate permissions in the instances 'DAC1N1, SEC1N2, DAC1N2, SEC1N3'.
    + CategoryInfo          : InvalidOperation: (:) [], CimException
    + FullyQualifiedErrorId : ProviderOperationExecutionFailure
    + PSComputerName        : SEC1N1

Suggested solution to the issue

  • Check for CONTROL SERVER permission. This is given directly or through sysadmin, and grants an implicit IMPERSONATE ANY LOGIN permission.
  • Check for IMPERSONATE LOGIN permission for each database owner.

The DSC configuration that is used to reproduce the issue (as detailed as possible)

SqlAGDatabase "AddDatabaseTo$($node.Role.AvailabilityGroup.Name)"
{
    AvailabilityGroupName = $node.Role.AvailabilityGroup.Name
    BackupPath            = '\\CHDC1\Temp' # TODO: Remove this
    DatabaseName          = "Dummy$($node.Role.AvailabilityGroup.Name)"
    ServerName            = $node.NodeName
    InstanceName          = $node.Role.SQLServer.InstanceName
    Ensure                = 'Present'
    PsDscRunAsCredential  = $localAdministrator
    MatchDatabaseOwner    = $true # EXECUTE AS
    DependsOn             = '[WaitForAll]WaitForAllAGReplicas'
}

SQL Server edition and version the target node is running

SQL 2012

SQL Server PowerShell modules present on the target node

SqlServer, SQLPS

The operating system the target node is running

Windows Server 2012

Version and build of PowerShell the target node is running

5.1

Version of the DSC module that was used ('dev' if using current dev branch)

dev
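
The two checks from the suggested solution, written as a T-SQL query that also works on SQL 2012 (an added example, not part of the original issue and not SqlServerDsc code). The database name is a constructed sample and the output column names are chosen here; run it on an instance that hosts the database while connected as the login the resource runs under.

```sql
-- Added example, not SqlServerDsc code.
DECLARE @DatabaseName sysname = N'DummyAG1';  -- constructed sample name

-- Major version from ProductVersion: 11 = SQL Server 2012, 12 = SQL Server 2014.
DECLARE @MajorVersion int =
    CAST(PARSENAME(CAST(SERVERPROPERTY('ProductVersion') AS nvarchar(128)), 4) AS int);

SELECT
    d.name AS DatabaseName,
    o.OwnerLogin,
    s.HasControlServer,
    s.HasImpersonateAnyLogin,
    l.HasImpersonateOwner,
    CASE
        WHEN s.HasControlServer = 1       THEN 'CONTROL SERVER'
        WHEN s.HasImpersonateAnyLogin = 1 THEN 'IMPERSONATE ANY LOGIN'
        WHEN l.HasImpersonateOwner = 1    THEN 'IMPERSONATE on owner login'
        ELSE 'none'
    END AS GrantedBy
FROM sys.databases AS d
CROSS APPLY (SELECT SUSER_SNAME(d.owner_sid) AS OwnerLogin) AS o
CROSS APPLY (
    SELECT
        -- Held directly or through sysadmin; a valid permission name on every version.
        HAS_PERMS_BY_NAME(NULL, NULL, 'CONTROL SERVER') AS HasControlServer,
        -- Only ask for the server-wide permission where it exists (SQL 2014 and later).
        CASE WHEN @MajorVersion >= 12
             THEN HAS_PERMS_BY_NAME(NULL, NULL, 'IMPERSONATE ANY LOGIN')
             ELSE 0
        END AS HasImpersonateAnyLogin
) AS s
CROSS APPLY (
    -- Per-owner check. QUOTENAME is used so a login name containing '.' stays one
    -- name part. NULL means the check could not be evaluated for that owner.
    SELECT HAS_PERMS_BY_NAME(QUOTENAME(o.OwnerLogin), 'LOGIN', 'IMPERSONATE')
               AS HasImpersonateOwner
) AS l
WHERE d.name = @DatabaseName;
```

A GrantedBy value of 'none' is the case in which the missing impersonate permissions error from the verbose log is the correct outcome.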

johlju added the bug, help wanted and in progress labels and removed the help wanted label on Oct 10, 2018
johlju removed the in progress label on Apr 25, 2020