Presentation is loading. Please wait.

Presentation is loading. Please wait.

DevOps Database Administration

Published byJennifer Grant Modified over 5 years ago

Similar presentations

Presentation on theme: "DevOps Database Administration"— Presentation transcript:

1 DevOps Database Administration
Repeatable, Automated, and Safe Framework SQL Saturday 714 Philadelphia

2 About Stephen.Mokszycki@outlook.com
DBA and IT Professional for ~10 years. Currently I am a Senior DBA and .Net Developer at Worked with SQL 7.0/2000/2005/2008/2012/2014/2016 I have worked in a large environment: 500+ Instances, ~6000 databases, 10s TBs of data. I have worked in a small environments: 5 instances, 60 databases, 1TB of data Automation keeps me sane. Currently building a system that generates over 45 million rows an hour Make a joke about Joining the Dark side.

3 Overview: DEVOPS! Outsourcing Database Administration to your Users
Why and How do we enable self service? How do we secure it? How do we build it?

4 Why would you want to use a DEVOPS APproach?
The little things are interruptive to the DBA(s). Empower the Devs safely, reducing time for both parties. DEVOPS! DBAs have more time for the hard problems. Reduce administrative errors. The two main keys are eliminating interruptions for all parties, and REDUCING ERRORS. Don’t, repeat yourself - DRY principle. AND LESS WORK!

5 The normal Request cycle
Dev Needs Something Dev Submits a ticket Dev pings DBA DBA pauses, reviews request DBA request more info Dev sends more details DBA reviews again DBA executes DBA follows up with user confirms DBA Does Everything

6 Outsourcing the work: DEVOPS Self Service
In order to create a self service option we have to grant people access. There are two ways to do this, the unsafe way and the safe way. Taking advantage of privilege escalation is the key idea.

7 Demo TIME! EXECUTE AS DEMO STEP 6.

8 How to make it SAFE Using existing tool sets: SQL and maybe powershell. Using role based permissions and schemas Using something scary: TRUSTWORTHY Database. Executing procedures as another login, or privilege escalation Passing parameters safely with QuoteName() and injection checks

9 A Trustworthy Database Is Dangerous
Trustworthy lets the dbo do anything he can normally do outside of the database. Because of this we have to be careful with what we allow our users can do. We have to leverage Stored Procs and Role based permissions. We have to have safe repeatable code, with repeatable outcomes. Remember the goal: give the Devs some access into the admin world without compromising the integrity of our Server.

10 Trustworthy and DBO From the docs:
The TRUSTWORTHY database property is used to indicate whether the instance of SQL Server trusts the database and the contents within it. DBO: The dbo, or database owner, is a user account that has implied permissions to perform all activities in the database. Members of the sysadmin fixed server role are automatically mapped to dbo. Start the EXEC as Demo

11 Your DBO user matters! What happens if my DBO is now SA?
Can he do SA things? Give the demo of the SA User Not doing anything

12 Privilege Escalation: Execute AS OWNER
In Combination with Trustworthy we can take advantage of our DBO User We can Break the outside of our database! Running as another account! What does this mean? What happens when the database owner is SA, the Database is Trustworthy, and We are executing things as Owner? Lets Find out!

13 The Two Options to Self Service
Give the people direct access aka SA Give Devs Self Service via Controls Helpdesk Has SA HD tries to Fix things, drops Login DBA has no clue Wrong Login is dropped! Business is down! DBA scrambles to figure out what happened. DBA URLT HelpDesk executes proc Tries to Fix things, tries drop login Access is blocked! Event is logged! DBA notified Business as usual DBA follows up

14 Demo TIME!

15 SQL INJECTION! Watch out for injection! Verify your inputs.
Encapsulate your string inputs with QUOTENAME() LOG LOG LOG! You need to know what happened.

16 Auditing, and Verification
Auditing is hard when our sprocs are executed as owner….. ORIGINAL_LOGIN() LOG EVERYTHING! All Variables used Sproc name Who did it Date and Time Logs can drive alerts!

17 Recap: Our SQL Tools Tools in our Framework:
A database, where users can ONLY execute a limited set of objects Via roles and schemas. TRUSTWORTHY and “sa” as the owner. EXECUTE AS OWNER An audit and SQL Injection Check ORIGINAL_LOGIN() QUOTENAME()

18 Demo TIME!

19 Expanding from here Increase your injection checks
Add additional safety checks Add more to the log function and log tables. Raise eventlog errors Dump the users output somewhere, incase you need it later. Don’t copy paste, make a sproc or a function! Reusable code! Never write it twice! Make a WebAPI that the Devs can hit and access

Download ppt "DevOps Database Administration"

Similar presentations

Stored procedures and views You can see definitions for stored procedures and views in the demo databases but you can’t change them. For views, expand.

Stored procedures and views You can see definitions for stored procedures and views in the demo databases but you can’t change them. For views, expand.
Week 6: Chapter 6 Agenda Automation of SQL Server tasks using: SQL Server Agent Scheduling Scripting Technologies.

Week 6: Chapter 6 Agenda Automation of SQL Server tasks using: SQL Server Agent Scheduling Scripting Technologies.
WebGoat & WebScarab “What is computer security for $1000 Alex?”

WebGoat & WebScarab “What is computer security for $1000 Alex?”
Chapter 9 Auditing Database Activities

Chapter 9 Auditing Database Activities
System Administration Accounts privileges, users and roles

System Administration Accounts privileges, users and roles
Database Security and Auditing: Protecting Data Integrity and Accessibility Chapter 4 Profiles, Password Policies, Privileges, and Roles.

Database Security and Auditing: Protecting Data Integrity and Accessibility Chapter 4 Profiles, Password Policies, Privileges, and Roles.
Chapter 10 Overview  Implement Microsoft Windows Authentication Mode and Mixed Mode  Assign login accounts to database user accounts and roles  Assign.

Chapter 10 Overview  Implement Microsoft Windows Authentication Mode and Mixed Mode  Assign login accounts to database user accounts and roles  Assign.
Today’s Agenda Chapter 12 Admin Tasks Chapter 13 Automating Admin Tasks.

Today’s Agenda Chapter 12 Admin Tasks Chapter 13 Automating Admin Tasks.
Module 13 Automating SQL Server 2008 R2 Management.

Module 13 Automating SQL Server 2008 R2 Management.
Lecture 18 Page 1 CS 111 Online Design Principles for Secure Systems Economy Complete mediation Open design Separation of privileges Least privilege Least.

Lecture 18 Page 1 CS 111 Online Design Principles for Secure Systems Economy Complete mediation Open design Separation of privileges Least privilege Least.
Database Security and Auditing: Protecting Data Integrity and Accessibility Chapter 3 Administration of Users.

Database Security and Auditing: Protecting Data Integrity and Accessibility Chapter 3 Administration of Users.
How a little code can help with support.. Chris Barba – Developer at Cimarex Energy Blog:

How a little code can help with support.. Chris Barba – Developer at Cimarex Energy Blog:
Today’s Objectives Chapters 10 and 11 Security in SQL Server –Manage server logins and database users. –Manage server-level, database-level, and application.

Today’s Objectives Chapters 10 and 11 Security in SQL Server –Manage server logins and database users. –Manage server-level, database-level, and application.
SCORCH – Fun Recipes for RunBooks MMS Minnesota 2014 Steve Jesok & Matthew #MMSSCOrch.

SCORCH – Fun Recipes for RunBooks MMS Minnesota 2014 Steve Jesok & Matthew #MMSSCOrch.
What to do for a Financial year end And When to do it.

What to do for a Financial year end And When to do it.
Database Security and Auditing: Protecting Data Integrity and Accessibility Chapter 4 Profiles, Password Policies, Privileges, and Roles.

Database Security and Auditing: Protecting Data Integrity and Accessibility Chapter 4 Profiles, Password Policies, Privileges, and Roles.
Attacking Applications: SQL Injection & Buffer Overflows.

Attacking Applications: SQL Injection & Buffer Overflows.
Learningcomputer.com SQL Server 2008 – Administration, Maintenance and Job Automation.

Learningcomputer.com SQL Server 2008 – Administration, Maintenance and Job Automation.
Copyright © 2013 Curt Hill Database Security An Overview with some SQL.

Copyright © 2013 Curt Hill Database Security An Overview with some SQL.
Module 10 Assigning Server and Database Roles. Module Overview Working with Server Roles Working with Fixed Database Roles Creating User-defined Database.

Module 10 Assigning Server and Database Roles. Module Overview Working with Server Roles Working with Fixed Database Roles Creating User-defined Database.

Similar presentations

Ads by Google