问题
I have a jar file that I want to run as a step in an SQL Job. However, the jar file has to run on machineA but the SQL job is schedule on serverA.
To make this possible, in serverA's SQL job, I use xp_cmdshell to issue a wmic command to the terminal.
xp_cmdshell permits me to issue a terminal command from an T-SQL script
wmic permits me to issue a terminal command to machine (in this case a java -jar command)
Below is the command I use
EXEC master..xp_cmdshell 'wmic /user:mydomain\myuser /password:mypassword /node:machineA process call create "cmd /c java -jar D:\jars\saveToSharedFolder.jar"'
saveToSharedFolder.jar is a java application that extracts data from the database and writes it to an excel file, then saves this excel file to a shared folder located in a server say, \serverA\files\savedData.xlsx.
The file savedData.xlsx is not being saved in \serverA\files.
When I tried outputting the java error messages to a file, I got this.
java.io.FileNotFoundException: \\serverA\files\savedData.xlsx (Access is denied)
Exception in thread "main" java.lang.reflect.InvocationTargetException
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(Unknown Source)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source)
at java.lang.reflect.Method.invoke(Unknown Source)
at org.eclipse.jdt.internal.jarinjarloader.JarRsrcLoader.main(JarRsrcLoader.java:58)
Caused by: org.apache.poi.openxml4j.exceptions.OpenXML4JRuntimeException: Fail to save: an error occurs while saving the package : null
at org.apache.poi.openxml4j.opc.ZipPackage.saveImpl(ZipPackage.java:602)
at org.apache.poi.openxml4j.opc.OPCPackage.save(OPCPackage.java:1557)
at org.apache.poi.POIXMLDocument.write(POIXMLDocument.java:248)
at saveToSharedFolder.saveData(saveToSharedFolder.java:115)
at saveToSharedFolder.main(saveToSharedFolder.java:46)
... 5 more
Caused by: java.lang.NullPointerException
at java.util.zip.DeflaterOutputStream.<init>(Unknown Source)
at java.util.zip.DeflaterOutputStream.<init>(Unknown Source)
at java.util.zip.ZipOutputStream.<init>(Unknown Source)
at java.util.zip.ZipOutputStream.<init>(Unknown Source)
at org.apache.poi.openxml4j.opc.ZipPackage.saveImpl(ZipPackage.java:531)
... 9 more
I know it is a folder permission issue. However, I am quite loss as to what account should I grant write permission to the folder.
When I try to login in machineA using mydomain\myuser and mypassword that I used in the wmic command, and run the jar file in machineA, it successfully saves \serverA\files\savedData.xlsx
I also tried granting the nt service account I get when I run EXEC master..xp_cmdshell 'whoami'. Because that's the account that runs the wmic account right? But it still doesn't create \serverA\files\savedData.xlsx
It's quite weird though, Since I launched wmic using mydomain\myuser and mypassword shouldn't the jar file be run with myuser's credentials and thus be able to create \serverA\files\savedData.xlsx?
回答1:
xp_cmdshell runs under the security context of the SQL Server service account if the invoking login is a sysadmin role member. For non-sysadmin role members, xp_cmdshell runs under the security context of the xp_cmdshell proxy account.
Not sure why you are using T-SQL to invoke the process. Instead, consider using a CmdExec job step type to execute the command directly. You can specify the desired security context of the process in the job step configuration (SQL Server Agent service account or proxy). See https://msdn.microsoft.com/en-us/library/ms190264.aspx.
来源:https://stackoverflow.com/questions/40607634/which-account-is-used-when-executing-xp-cmdshell-wmic-java-jar