on 2015 Sep 18 11:22 AM
I have migrated several SQL Remote remote databases to 16.0.0.2158 and 17.0.0.1211. They run fine but I have noticed that they don't call hook procedures while older remotes do.
I have confirmed that the hook procedures are there (it's a sp_hook_dbremote_receive_end() hook in particular) and that they do the desired work when called explicitly.
But why are they ignored by DBREMOTE?
That's what a v16 remote log reveals (no hint to a hook procedure):
I. SQL Remote Message Agent Version 16.0.0.2158 I. I. Copyright © 2015 SAP SE or an SAP affiliate company. I. All rights reserved. I. Use of this software is governed by the Sybase License Agreement. I. Refer to http://www.sybase.com/softwarelicenses. I. I. Received message from "Zentrale" (20-02145857622-02145857622-0)
In contrast, a v12 remote log lists the defined hooks:
I. SQL Remote Message Agent Version 12.0.1.4301 I. I. Copyright © 2001-2015, iAnywhere Solutions, Inc. I. Portions copyright © 1988-2015, Sybase, Inc. All rights reserved. I. Use of this software is governed by the Sybase License Agreement. I. Refer to http://www.sybase.com/softwarelicenses. I. I. Found hook procedures: I. sp_hook_dbremote_receive_end I. Received message from "Zentrale" (3-02132130761-02138560117-0)
Stored procedure owned by dbo were not being recognized as valid hook procedures in v16 and up, even though they satisfied all the requirements.
This will be fixed in v16.0.0 build 2245 and v17.0.0 build 1414.
Reg
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.
Well, not in this case, the original database schema was developped for MS SQL Server a long time ago, so "dbo" was handy. I guess now I should ask "Why should I not use dbo as owner for my schema?"
Or, as Reg has told me: "Everyone in Waterloo would be much happier if your user objects were NOT owned by a mutable system role (see the documentation for the SYSUSER table)." - another lesson learnt:)
Thanks for the notification, and I guess that's a side-effect that would make you even more "much happier if [my] objects were not...". As stated, I can cope with that issue, as a workaround is available.
I know you will find this hard to believe (I wouldn't believe me), but I was actually running the Mobilink/dbmlsync test suite to verify a change to the database engine needed to implement this fix. I expect the change to be checked into the source code today after I look over the handful of failures from the test stream that ran overnight.
Volker, you have the power to edit questions, answers, even comments, right?
So IMO if you wanted to insert a short Update: ... at the top of Reg's answer, that would be ok... save OPs from having to read further unless they want the details (which are still there).
In other words, be bold 🙂
EDIT: I turned that comment into an answer (though it is none yet) in order to unnest the thread comments.
Reg had previously suggested:
I'd suggest running the v16/v17 dbunload on the database and comparing how your reload.sql is defining permissions versus the way they are done in the reload.sql generated by dbunload.
Well, as stated, I'm not really familiar with that RBAC stuff (and for smaller companies like ours, it just feels like admin overkill) - but I had been quite sure the compatibility mode would work well enough for me (you know, that Golden Watcom rule).
Here are the few statements from the v12 script w.r.t. the user with REMOTE DBA authority (note, "4711_SB1" is the particular publisher of that remote, whereas the "RemUser" is a group and used to run DBREMOTE):
GRANT CONNECT,GROUP,REMOTE DBA TO "RemUser" AT 102 IDENTIFIED BY ENCRYPTED '...'; GRANT MEMBERSHIP IN GROUP "RemUser" TO "4711_SB1"; ... SET OPTION "RemUser"."wait_for_commit"='ON';
In constrast, that's what a v16/v17 unload will create:
GRANT CONNECT TO "RemUser" AT 102 IDENTIFIED BY ENCRYPTED '...'; CREATE ROLE FOR USER "RemUser"; GRANT ROLE "RemUser" TO "4711_SB1"; CREATE OR REPLACE ROLE FOR USER "RemUser" WITH ADMIN ONLY "SYS_MANAGE_ROLES_ROLE"; GRANT ROLE "SYS_RUN_REPLICATION_ROLE" TO "RemUser" WITH NO SYSTEM PRIVILEGE INHERITANCE; ... SET OPTION "RemUser"."wait_for_commit"='ON';
According to the v16 doc, the deprecated REMOTE DBA statement is replaced by granting the SYS_RUN_REPLICATION_ROLE role, and apparently that has been done here.
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.
Just to add:
SYSUSERPERM shows that the according user is the one and only with "remotedbaauth = Y". And everything else around SQL Remote v16/v17 works fine for that user account, i.e. though she has minimal granted permissions she is perfectly capable to apply all DML changes and all DDL changes via passthrough mode inside a DBREMOTE session.
The problem seems only be related to the ignoring of the hook procedures. - And by default that "RemUser" is member of group PUBLIC which in turn is member of dbo so a dbo-owned hook procedure should certainly be "visible" for that user.
I'm really out of my wits here.
Well, surprisingly I cannot make v16/v17 dbunload -ar work for a (strongly encrypted) v12 database whereas the same command runs fine with v12.
When using -ar, I would think I have to specify the current DBKEY in the -c connection string, and the same key will be used for the new database. So I supplied that DBKEY, and v12 certainly can use that to rebuild the database. But v16/v17 still ask me for a DBKEY - and when I supply that by additionally specifying -ep or ek, they report
"Unable to open database file <dbfilepath> - <dbfilepath> no database specified."
As stated, the same runs fine with v12.
So - as a workaround - I did a manual reload with v16 and used the generated reload.sql to build a v16 database - and it still does not call these hooks. And that's not a surprise in the end: The related parts of the v16 reload.sql file are still "old school", i.e. using "GRANT REMOTE DBA to ..." - exactly like I have used in the modified v12 script.
So what do you need me to do to supply the database? - FWIW, Chris has received a similar one a few weeks ago, cf. that FAQ "Unloading an v10 OEM database fails with v17".
@Reg: What do you need me to do to supply the database? - FWIW, Chris has received a similar one a few weeks ago, cf. that FAQ "Unloading an v10 OEM database fails with v17".
User | Count |
---|---|
67 | |
11 | |
10 | |
10 | |
9 | |
8 | |
6 | |
4 | |
4 | |
4 |
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.