A credential contains the authentication information needed to access resources outside the SQL Server instance. Most credentials consist of a Windows user name and password.
If a login is created with SQL Server authentication and mapped to a credential, that login can access resources outside the SQL Server instance using the authentication information stored in the credential. The credential acts as an intermediary for resource access: permissions on the external resource are granted to the identity held by the credential, so access to the resource can be managed in one place. In SQL Server, mapping a login (either a Windows login or a SQL Server login) to the corresponding credential is all that is needed to give that login access to the corresponding resource.
1. Syntax for creating a credential
IDENTITY specifies the account the credential holds; SECRET specifies that account's password.
CREATE CREDENTIAL credential_name
    WITH IDENTITY = 'identity_name'
    [ , SECRET = 'secret' ]
    [ FOR CRYPTOGRAPHIC PROVIDER cryptographic_provider_name ]
IDENTITY = 'identity_name'
Specifies the name of the account to be used when connecting outside the server.
SECRET = 'secret'
Specifies the secret required for outgoing authentication. This clause is optional.
Remarks
When IDENTITY is a Windows user, the secret can be the password. The secret is encrypted using the service master key. If the service master key is regenerated, the secret is re-encrypted using the new service master key.
After creating a credential, you can map it to a SQL Server login by using CREATE LOGIN or ALTER LOGIN. A SQL Server login can be mapped to only one credential, but a single credential can be mapped to multiple SQL Server logins.
If there is no credential mapped to the login for the provider, the credential mapped to the SQL Server service account is used.
A login can have multiple credentials mapped to it as long as they are used with distinctive providers. There must be only one mapped credential per provider per login. The same credential can be mapped to other logins.
2. Creating a credential and mapping it to a SQL Server login
A SQL Server login can be mapped to only one credential; several logins can be mapped to the same credential.
CREATE CREDENTIAL AlterEgo WITH IDENTITY = 'Mary5', SECRET = '<EnterStrongPasswordHere>';
/* Modify the login to assign a non cryptographic provider credential */
ALTER LOGIN Login1 WITH CREDENTIAL = AlterEgo;
GO
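The following is an added worked example, not code from the original post or from the SQL Server documentation. It walks through the full cycle described in sections 1 and 2: creating a credential, mapping a SQL Server login to it (at creation time rather than with a later ALTER LOGIN), checking the mapping through the catalog views, showing that a second mapping replaces rather than adds to the first, and cleaning up. All object names (ExternalShareAccess, ExternalShareAccess2, ReportUser, the CORP\svc_fileshare accounts) and the secrets are made-up placeholders; the script assumes it is run by a member of sysadmin, which covers the ALTER ANY CREDENTIAL and ALTER ANY LOGIN permissions it needs.

```sql
-- Added example (not from the original post). All names and secrets below
-- are placeholders; replace them before use. Assumes sysadmin or, at minimum,
-- ALTER ANY CREDENTIAL plus ALTER ANY LOGIN on the instance.

-- 1. Store the Windows account in a credential. The SECRET is encrypted with
--    the service master key and cannot be read back through any catalog view.
CREATE CREDENTIAL ExternalShareAccess
    WITH IDENTITY = 'CORP\svc_fileshare',
         SECRET   = '<EnterStrongPasswordHere>';
GO

-- 2. Create a SQL Server-authenticated login and map it to the credential in
--    the same statement (the page's example does the mapping with ALTER LOGIN
--    afterwards; both forms produce the same mapping).
CREATE LOGIN ReportUser
    WITH PASSWORD   = '<EnterStrongPasswordHere>',
         CREDENTIAL = ExternalShareAccess;
GO

-- 3. Verify the mapping. sys.server_principals.credential_id points at
--    sys.credentials; the identity is visible, the secret is not.
SELECT sp.name               AS login_name,
       sp.type_desc          AS login_type,
       c.name                AS credential_name,
       c.credential_identity AS windows_identity,
       c.create_date,
       c.modify_date
FROM sys.server_principals AS sp
JOIN sys.credentials       AS c ON c.credential_id = sp.credential_id
WHERE sp.name = 'ReportUser';
GO

-- 4. A login holds only one (non-cryptographic-provider) credential mapping.
--    Mapping a second credential replaces the first instead of adding to it,
--    so re-running the step 3 query now shows ExternalShareAccess2.
CREATE CREDENTIAL ExternalShareAccess2
    WITH IDENTITY = 'CORP\svc_fileshare2',
         SECRET   = '<EnterStrongPasswordHere>';
ALTER LOGIN ReportUser WITH CREDENTIAL = ExternalShareAccess2;
GO

-- 5. Remove the mapping first, then the login, then the credentials, so no
--    login is left pointing at a dropped credential.
ALTER LOGIN ReportUser WITH NO CREDENTIAL;
DROP LOGIN ReportUser;
DROP CREDENTIAL ExternalShareAccess;
DROP CREDENTIAL ExternalShareAccess2;
GO
```

Step 3 is the check worth keeping as a routine query: because sys.credentials exposes only the identity and dates, reviewing which logins map to which Windows accounts is possible without ever handling the stored secret.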
3. The difference between a login and a credential
In SQL Server, a login is used to sign in to the SQL Server instance. Although a login has permission to connect to the instance, it has no permission to access resources outside the instance. A credential, by contrast, is used to access resources outside the SQL Server instance: once a login is mapped to a credential, the login can reach those external resources through the domain account stored in the credential.
Appendix:
1. Quoted from "Security Questions: Logins, Credentials, and Proxies":
- Login: A login is any principal that is granted access to a SQL Server instance. The access can be granted to domain users, domain group, or SQL Server authenticated accounts.
- Credential: A credential provides a mechanism to store login information for a domain account within SQL Server. The credential can then be used to pass that authentication information into another login or a proxy to grant it permissions to resources external to SQL Server.
Credentials get brought in when permissions from domain users need to be granted to accounts or services that wouldn’t usually have those permissions. For instance, if an assembly required EXTERNAL_ACCESS, those permissions could be granted through the use of a credential. Credentials can also be used to grant SQL Authentication accounts access to external resources.
2. Quoted from "Credentials (Database Engine)":
A credential is a record that contains the authentication information (credentials) required to connect to a resource outside SQL Server. This information is used internally by SQL Server. Most credentials contain a Windows user name and password.
The information stored in a credential enables a user who has connected to SQL Server by way of SQL Server Authentication to access resources outside the server instance. When the external resource is Windows, the user is authenticated as the Windows user specified in the credential. A single credential can be mapped to multiple SQL Server logins. However, a SQL Server login can be mapped to only one credential.
System credentials are created automatically and are associated with specific endpoints. Names for system credentials start with two hash signs (##).
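The quoted text notes that system credentials are created automatically and are named with a leading ##. The following added inventory script (not from the original post or the documentation) lists every credential on the instance, flags the system ones by that naming convention, shows which logins are mapped to each, and then lists who has been explicitly granted ALTER ANY CREDENTIAL, the permission needed to create or change credentials. It assumes only the standard catalog views sys.credentials, sys.server_principals and sys.server_permissions, and uses FOR XML PATH for aggregation so it runs on versions older than SQL Server 2017.

```sql
-- Added example (not from the original post). Read-only inventory of
-- credentials and credential-related permissions on the instance.
-- Nothing here can reveal a secret: sys.credentials stores the identity
-- and metadata only.

-- Every credential, with the logins mapped to it. System credentials are
-- recognised by the ## prefix described in the documentation above.
SELECT c.credential_id,
       c.name,
       c.credential_identity,
       CASE WHEN c.name LIKE '##%' THEN 'system' ELSE 'user' END AS credential_kind,
       c.create_date,
       c.modify_date,
       STUFF((SELECT ', ' + sp.name
              FROM sys.server_principals AS sp
              WHERE sp.credential_id = c.credential_id
              FOR XML PATH('')), 1, 2, '') AS mapped_logins
FROM sys.credentials AS c
ORDER BY credential_kind, c.name;

-- Who can create or alter credentials. Members of sysadmin hold this
-- implicitly and will not appear here; only explicit grants are listed.
SELECT pr.name            AS grantee,
       pr.type_desc       AS grantee_type,
       pe.permission_name,
       pe.state_desc
FROM sys.server_permissions AS pe
JOIN sys.server_principals  AS pr ON pr.principal_id = pe.grantee_principal_id
WHERE pe.permission_name = 'ALTER ANY CREDENTIAL'
ORDER BY pr.name;
```

A user credential with no mapped login is a candidate for review: it still holds a Windows account's password under the service master key and can be attached to any login by anyone with ALTER ANY LOGIN. Note that this script covers server-level credentials only; database-scoped credentials (SQL Server 2016 and later) live in sys.database_scoped_credentials in each database.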
Reference docs:
CREATE CREDENTIAL (Transact-SQL)
Security Questions: Logins, Credentials, and Proxies