db-derby-commits mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From d..@apache.org
Subject svn commit: r545237 - in /db/derby/docs/trunk/src: adminguide/ devguide/ ref/
Date Thu, 07 Jun 2007 16:33:00 GMT
Author: dag
Date: Thu Jun  7 09:32:56 2007
New Revision: 545237

URL: http://svn.apache.org/viewvc?view=rev&rev=545237
Log:
Documents DERBY-2264 changes for enforcing database owner powers.
Also adds a new node to explain the concept of database owner.

Added:
    db/derby/docs/trunk/src/devguide/cdevcsecureDbOwner.dita   (with props)
Modified:
    db/derby/docs/trunk/src/adminguide/cadminappsclient.dita
    db/derby/docs/trunk/src/devguide/cdevcsecure36127.dita
    db/derby/docs/trunk/src/devguide/cdevcsecure36595.dita
    db/derby/docs/trunk/src/devguide/cdevcsecuregrantrevokeaccess.dita
    db/derby/docs/trunk/src/devguide/derbydev.ditamap
    db/derby/docs/trunk/src/devguide/rdevcsecure13713.dita
    db/derby/docs/trunk/src/devguide/rdevdvlp22102.dita
    db/derby/docs/trunk/src/devguide/tdevcsecurenewbootpw.dita
    db/derby/docs/trunk/src/devguide/tdevcsecurenewextkey.dita
    db/derby/docs/trunk/src/devguide/tdevcsecurenewkeyoverview.dita
    db/derby/docs/trunk/src/devguide/tdevcsecureunencrypteddb.dita
    db/derby/docs/trunk/src/devguide/tdevdvlp40464.dita
    db/derby/docs/trunk/src/ref/rrefattrib15290.dita
    db/derby/docs/trunk/src/ref/rrefattrib16471.dita
    db/derby/docs/trunk/src/ref/rrefattrib26867.dita
    db/derby/docs/trunk/src/ref/rrefattrib42100.dita
    db/derby/docs/trunk/src/ref/rrefattrib60346.dita
    db/derby/docs/trunk/src/ref/rrefattrib88843.dita
    db/derby/docs/trunk/src/ref/rrefattribencryptkey.dita
    db/derby/docs/trunk/src/ref/rrefattribnewbootpw.dita
    db/derby/docs/trunk/src/ref/rrefattribnewencryptkey.dita
    db/derby/docs/trunk/src/ref/rrefcreatefunctionstatement.dita
    db/derby/docs/trunk/src/ref/rrefcreateprocedurestatement.dita
    db/derby/docs/trunk/src/ref/rrefexcept71493.dita
    db/derby/docs/trunk/src/ref/rrefsqlj15446.dita
    db/derby/docs/trunk/src/ref/rrefsqlj24513.dita
    db/derby/docs/trunk/src/ref/rrefsqlj40506.dita
    db/derby/docs/trunk/src/ref/rrefsqlj43125.dita
    db/derby/docs/trunk/src/ref/rrefsqljrenametablestatement.dita
    db/derby/docs/trunk/src/ref/rrefsqljrevoke.dita

Modified: db/derby/docs/trunk/src/adminguide/cadminappsclient.dita
URL: http://svn.apache.org/viewvc/db/derby/docs/trunk/src/adminguide/cadminappsclient.dita?view=diff&rev=545237&r1=545236&r2=545237
==============================================================================
--- db/derby/docs/trunk/src/adminguide/cadminappsclient.dita (original)
+++ db/derby/docs/trunk/src/adminguide/cadminappsclient.dita Thu Jun  7 09:32:56 2007
@@ -214,7 +214,9 @@
 <entry colname="col3">shutdown</entry>
 <entry colname="COLSPEC3">This property is also available using EmbeddedDataSource.
 See the <ph conref="../conrefs.dita#pub/citref"></ph> for more information.
-Similar to setting connectionAttribute to "shutdown=true". Only "shutdown" is allowed, other values equate to null. The result of conflicting settings of createDatabase, shutdownDatabase and connectionAttributes is undefined.</entry>
+Similar to setting connectionAttribute to "shutdown=true". Only "shutdown" is allowed, other values equate to null. The result of conflicting settings of createDatabase, shutdownDatabase and connectionAttributes is undefined.
+If authentication <b>and</b> sqlAuthorization are both enabled, database shutdown is restricted to the database owner.
+</entry>
 </row>
 </tbody>
 </tgroup>

Modified: db/derby/docs/trunk/src/devguide/cdevcsecure36127.dita
URL: http://svn.apache.org/viewvc/db/derby/docs/trunk/src/devguide/cdevcsecure36127.dita?view=diff&rev=545237&r1=545236&r2=545237
==============================================================================
--- db/derby/docs/trunk/src/devguide/cdevcsecure36127.dita (original)
+++ db/derby/docs/trunk/src/devguide/cdevcsecure36127.dita Thu Jun  7 09:32:56 2007
@@ -38,5 +38,28 @@
 running in a connectivity server and user authentication is turned on, stopping
 the server requires a user name and password. You will need to alter shutdown
 scripts accordingly. </note>
+<p>
+</p>
+<note>
+  Additionally, if you create and start
+  a <ph conref="../conrefs.dita#prod/productshortname"></ph> system
+  with user authentication and
+  <xref href="cdevcsecure36595.dita#cdevcsecure36595">SQL authorization</xref>
+  both enabled, or plan to enable them later,
+  you should make sure you create
+  the database by connecting as the user that is to become the
+  <xref href="cdevcsecureDbOwner.dita#cdevcsecureDbOwner">database
+    owner</xref>. 
+  
+  If you neglect to supply a user when the database is created, the
+  database owner will by default become "APP". If you later enable
+  both authentication and SQL authorization and "APP" is a not valid
+  user name, you will not be able to perform operations restricted to
+  the database owner, including shutting down the database (as opposed
+  to the full system which may currently be shut down by any
+  authenticated user, see previous note). Nor will you be able to
+  (re)encrypt the database nor perform a full upgrade of it.
+</note>
+
 </conbody>
 </concept>

Modified: db/derby/docs/trunk/src/devguide/cdevcsecure36595.dita
URL: http://svn.apache.org/viewvc/db/derby/docs/trunk/src/devguide/cdevcsecure36595.dita?view=diff&rev=545237&r1=545236&r2=545237
==============================================================================
--- db/derby/docs/trunk/src/devguide/cdevcsecure36595.dita (original)
+++ db/derby/docs/trunk/src/devguide/cdevcsecure36595.dita Thu Jun  7 09:32:56 2007
@@ -89,7 +89,9 @@
 the ability to read from or write to database objects is further restricted
 to the owner of the database objects. The owner must grant permission for
 others to access the database objects. No one but the owner of an object or
-the database owner can drop the object. </li>
+the
+<xref href="cdevcsecureDbOwner.dita#cdevcsecureDbOwner">database owner</xref>
+can drop the object. </li>
 <li>The access mode specified for the <codeph>derby.database.defaultConnectionMode</codeph> property
 overrides the permissions that are granted by the owner of a database object.
 For example, if a user is granted INSERT privileges on a table but the user

Added: db/derby/docs/trunk/src/devguide/cdevcsecureDbOwner.dita
URL: http://svn.apache.org/viewvc/db/derby/docs/trunk/src/devguide/cdevcsecureDbOwner.dita?view=auto&rev=545237
==============================================================================
--- db/derby/docs/trunk/src/devguide/cdevcsecureDbOwner.dita (added)
+++ db/derby/docs/trunk/src/devguide/cdevcsecureDbOwner.dita Thu Jun  7 09:32:56 2007
@@ -0,0 +1,105 @@
+<?xml version="1.0" encoding="utf-8"?>
+
+<!DOCTYPE concept PUBLIC "-//OASIS//DTD DITA Concept//EN"
+ "../dtd/concept.dtd">
+<!-- 
+Licensed to the Apache Software Foundation (ASF) under one or more
+contributor license agreements.  See the NOTICE file distributed with
+this work for additional information regarding copyright ownership.
+The ASF licenses this file to You under the Apache License, Version 2.0
+(the "License"); you may not use this file except in compliance with
+the License.  You may obtain a copy of the License at      
+
+   http://www.apache.org/licenses/LICENSE-2.0  
+
+Unless required by applicable law or agreed to in writing, software  
+distributed under the License is distributed on an "AS IS" BASIS,  
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.  
+See the License for the specific language governing permissions and  
+limitations under the License.
+-->
+<concept id="cdevcsecureDbOwner" xml:lang="en-us">
+<title>Database owner
+</title>
+
+<shortdesc>
+  The term <i>database owner</i> refers to the current authorization
+  identifier when the database is created, that is, the user creating
+  the database. If you enable or plan to enable SQL authorization,
+  controlling the identity of the database owner becomes important.
+</shortdesc>
+
+<prolog>
+  <metadata>
+    <keywords>
+
+      <indexterm>
+        database owner
+      </indexterm>
+
+      <indexterm>
+        database owner
+        <indexterm>
+          powers
+        </indexterm>
+      </indexterm>
+
+      <indexterm>
+        database owner
+        <indexterm>
+          permissions
+        </indexterm>
+      </indexterm>
+
+    </keywords>
+  </metadata>
+</prolog>
+<conbody>
+  <p>
+    When a database is created, the database owner of that database
+    gets implicitly set to the authorization identifier used in the
+    connect operation which creates the database, for example by
+    supplying the URL attribute "user".  Note that this applies even
+    if authentication is not (yet) enabled.  In SQL, the built-in
+    functions USER and the equivalent CURRENT_USER return the current
+    authorization identifier.
+  </p>
+  <p>
+    If the database is created <i>without</i> supplying a user (only
+    possible if authentication is not enabled), the database owner
+    gets set to the default authorization identifier, "APP", which is
+    also the name of the default schema, see the section "SET
+    SCHEMA statement" in
+    the <cite><ph conref="../conrefs.dita#pub/citref"></ph></cite>.
+  </p>
+  <p>
+    The database owner has automatic SQL level permissions when
+    SQL authorization is enabled, see more about this
+    in <xref href="cdevcsecure36595.dita#cdevcsecure36595"></xref>.
+  </p>
+  <p>
+    To further enhance security, when <i>both</i>
+    <xref href="cdevcsecure36127.dita#cdevcsecure36127">authentication</xref>
+    and SQL authorization are enabled for a
+    database, Derby restricts some special powers to the database
+    owner: only the database owner is allowed to
+    <xref href="tdevdvlp40464.dita#tdevdvlp40464">shut down</xref>
+    the database, to
+    <xref href="tdevcsecureunencrypteddb.dita#tdevcsecureunencrypteddb">encrypt</xref>
+    or
+    <xref href="tdevcsecurenewkeyoverview.dita#tdevcsecurenewkeyoverview">reencrypt</xref>
+    the database or to perform a
+    <xref href="tdevupgradedb.dita#tdevupgradedb">full upgrade</xref>
+    of it. These powers can not be delegated.
+  </p>
+  <p>
+    <note type="attention">
+      There is currently no way of changing the database owner once
+      the database is created. This means that if you plan to run with
+      SQL authorization enabled, you should make sure to create the
+      database as the user you want to be the owner.
+    </note>
+  </p>
+  
+</conbody>
+</concept>

Propchange: db/derby/docs/trunk/src/devguide/cdevcsecureDbOwner.dita
------------------------------------------------------------------------------
    svn:eol-style = native

Modified: db/derby/docs/trunk/src/devguide/cdevcsecuregrantrevokeaccess.dita
URL: http://svn.apache.org/viewvc/db/derby/docs/trunk/src/devguide/cdevcsecuregrantrevokeaccess.dita?view=diff&rev=545237&r1=545236&r2=545237
==============================================================================
--- db/derby/docs/trunk/src/devguide/cdevcsecuregrantrevokeaccess.dita (original)
+++ db/derby/docs/trunk/src/devguide/cdevcsecuregrantrevokeaccess.dita Thu Jun  7 09:32:56 2007
@@ -56,7 +56,9 @@
 </ul></p>
 <p>When a table, view, function, or procedure is created, the person that
 creates the object is referred to as the <term>owner</term> of the object.
-Only the object owner and the database owner have full privileges on the object.
+Only the object owner and the
+<xref href="cdevcsecureDbOwner.dita#cdevcsecureDbOwner">database owner</xref>
+have full privileges on the object.
 No other users have privileges on the object until the object owner grants
 privileges to them.</p>
 <section><title>Public and individual user privileges</title><p>The object

Modified: db/derby/docs/trunk/src/devguide/derbydev.ditamap
URL: http://svn.apache.org/viewvc/db/derby/docs/trunk/src/devguide/derbydev.ditamap?view=diff&rev=545237&r1=545236&r2=545237
==============================================================================
--- db/derby/docs/trunk/src/devguide/derbydev.ditamap (original)
+++ db/derby/docs/trunk/src/devguide/derbydev.ditamap Thu Jun  7 09:32:56 2007
@@ -1511,6 +1511,8 @@
 </topicref>
 </relcell>
 <relcell>
+<topicref href="cdevcsecureDbOwner.dita" navtitle="Database owner">
+</topicref>
 <topicref href="cdevcsecure865580.dita" navtitle="User names and schemas">
 </topicref>
 <topicref href="rdevcsecure622.dita" navtitle="Exceptions when using authorization identifiers">
@@ -1520,6 +1522,10 @@
 </relrow>
 <relrow>
 <relcell>
+<topicref href="cdevcsecureDbOwner.dita" navtitle="Database owner">
+</topicref>
+</relcell>
+<relcell>
 <topicref href="cdevcsecure865580.dita" navtitle="User names and schemas">
 </topicref>
 </relcell>
@@ -2223,6 +2229,8 @@
 </topicref>
 <topicref href="cdevcsecure37241.dita" navtitle="Users and authorization identifiers">
 <topicref href="cdevcsecure24458.dita" navtitle="Authorization identifiers, user authentication, and user authorization">
+</topicref>
+<topicref href="cdevcsecureDbOwner.dita" navtitle="Database owner">
 </topicref>
 <topicref href="cdevcsecure865580.dita" navtitle="User names and schemas">
 </topicref>

Modified: db/derby/docs/trunk/src/devguide/rdevcsecure13713.dita
URL: http://svn.apache.org/viewvc/db/derby/docs/trunk/src/devguide/rdevcsecure13713.dita?view=diff&rev=545237&r1=545236&r2=545237
==============================================================================
--- db/derby/docs/trunk/src/devguide/rdevcsecure13713.dita (original)
+++ db/derby/docs/trunk/src/devguide/rdevcsecure13713.dita Thu Jun  7 09:32:56 2007
@@ -37,7 +37,7 @@
 <section><p>When creating the database, the application developer encrypts
 the database by using the following connection URL:</p></section>
 <example> <codeblock><b>jdbc:derby:wombat;create=true;dataEncryption=true;
-    bootPassword=sxy90W348HHn</b></codeblock></example>
+    bootPassword=sxy90W348HHn;user=redbaron</b></codeblock></example>
 <section><p>Before deploying the database, the application developer turns
 on user authentication, sets the authentication provider to BUILTIN, creates
 a single user and password, and disallows system-wide properties to protect
@@ -49,16 +49,32 @@
     'derby.authentication.provider', 'BUILTIN')
 
 CALL SYSCS_UTIL.SYSCS_SET_DATABASE_PROPERTY(
-    'derby.user.enduser', 'red29PlaNe')
+    'derby.user.redbaron', 'red29PlaNe')
 
 CALL SYSCS_UTIL.SYSCS_SET_DATABASE_PROPERTY(
     'derby.database.propertiesOnly', true')</b></codeblock></example>
 <section><p>When the user connects (and boots) the database, the user has
-to provide the <i>bootPassword</i>, the user name, and the password. The following
-example shows how to provide those in a connection URL, although the application
-programmer would probably provide GUI windows to allow the end user to type
-those in:</p></section>
+to provide the <i>bootPassword</i>, the user name, and the password. 
+</p>
+<p>
+  <note>
+    The user name (the value specified by
+    the <codeph>derby.user.<i>enduser</i></codeph> property) must be
+    supplied when the database is created, even if authentication is
+    not yet enabled. Otherwise the database owner will have the
+    default name "APP"
+    (see <xref
+    href="cdevcsecureDbOwner.dita#cdevcsecureDbOwner"></xref> for
+    details).
+  </note>
+</p>
+<p>
+  The following example shows how to provide these properties in a
+  connection URL, although the application programmer would probably
+  provide GUI windows to allow the end user to type those in:
+</p>
+</section>
 <example> <codeblock><b>jdbc:derby:wombat;bootPassword=sxy90W348HHn;
-    user=enduser;password=red29PlaNe</b></codeblock></example>
+    user=redbaron;password=red29PlaNe</b></codeblock></example>
 </refbody>
 </reference>

Modified: db/derby/docs/trunk/src/devguide/rdevdvlp22102.dita
URL: http://svn.apache.org/viewvc/db/derby/docs/trunk/src/devguide/rdevdvlp22102.dita?view=diff&rev=545237&r1=545236&r2=545237
==============================================================================
--- db/derby/docs/trunk/src/devguide/rdevdvlp22102.dita (original)
+++ db/derby/docs/trunk/src/devguide/rdevdvlp22102.dita Thu Jun  7 09:32:56 2007
@@ -51,7 +51,9 @@
 <li><i>jdbc:derby:support/bugsdb;create=true</i>   <p>Create the database <i>support/bugsdb</i> in
 the system directory, automatically creating the intermediate directory <i>support</i> if
 it does not exist.</p></li>
-<li><i>jdbc:derby:sample;shutdown=true</i>   <p>Shut down the <i>sample</i> database.</p></li>
+<li><i>jdbc:derby:sample;shutdown=true</i>   <p>Shut down the <i>sample</i> database.
+(Authentication is not enabled, so no user credentials are required.)
+</p></li>
 <li><i>jdbc:derby:/myDB</i>   <p>Access <i>myDB</i> (which is directly in
 a directory in the classpath) as a read-only database.</p></li>
 <li><i>jdbc:derby:classpath:/myDB</i>   <p>Access <i>myDB</i> (which is directly

Modified: db/derby/docs/trunk/src/devguide/tdevcsecurenewbootpw.dita
URL: http://svn.apache.org/viewvc/db/derby/docs/trunk/src/devguide/tdevcsecurenewbootpw.dita?view=diff&rev=545237&r1=545236&r2=545237
==============================================================================
--- db/derby/docs/trunk/src/devguide/tdevcsecurenewbootpw.dita (original)
+++ db/derby/docs/trunk/src/devguide/tdevcsecurenewbootpw.dita Thu Jun  7 09:32:56 2007
@@ -50,9 +50,20 @@
 the database.</cmd><stepxmp>For example, when the following URL is used when
 the <codeph>salesdb</codeph> database is rebooted, the database is encrypted
 with the new encryption key, and is protected by the password new1234xyz:<codeblock> jdbc:derby:salesdb;bootPassword=abc1234xyz;newBootPassword=new1234xyz</codeblock
-></stepxmp><info>If you disabled log archival before you applied the new boot
+></stepxmp>
+  <info>
+    <p>
+    If <xref href="cdevcsecure36127.dita#cdevcsecure36127">authentication</xref>
+    and
+    <xref href="cdevcsecure36595.dita#cdevcsecure36595">SQL authorization</xref>
+    are both enabled, the credentials of the 
+    <xref href="cdevcsecureDbOwner.dita#cdevcsecureDbOwner">database owner</xref>
+    must be supplied as well, since reencryption is a restricted operation.
+    </p>
+  </info>
+<info><p>If you disabled log archival before you applied the new boot
 password, create a new backup of the database after the database is reconfigured
-with new the boot password.<p></p></info></step>
+with the new boot password.</p></info></step>
 </steps>
 </taskbody>
 </task>

Modified: db/derby/docs/trunk/src/devguide/tdevcsecurenewextkey.dita
URL: http://svn.apache.org/viewvc/db/derby/docs/trunk/src/devguide/tdevcsecurenewextkey.dita?view=diff&rev=545237&r1=545236&r2=545237
==============================================================================
--- db/derby/docs/trunk/src/devguide/tdevcsecurenewextkey.dita (original)
+++ db/derby/docs/trunk/src/devguide/tdevcsecurenewextkey.dita Thu Jun  7 09:32:56 2007
@@ -45,9 +45,21 @@
 the database.</cmd><stepxmp>For example, when the following URL is used when
 the <codeph>salesdb</codeph> database is rebooted, the database is encrypted
 with the new encryption key 6862636465666768:<codeblock>jdbc:derby:salesdb;encryptionKey=6162636465666768;newEncryptionKey=6862636465666768'</codeblock
-></stepxmp><info>If you disabled log archival before you applied the new encryption
+></stepxmp>
+<info>
+  <p>
+  If <xref href="cdevcsecure36127.dita#cdevcsecure36127">authentication</xref>
+  and
+  <xref href="cdevcsecure36595.dita#cdevcsecure36595">SQL authorization</xref>
+  are both enabled, the credentials of the 
+  <xref href="cdevcsecureDbOwner.dita#cdevcsecureDbOwner">database owner</xref>
+  must be supplied as well, since encryption is a restricted operation.
+  </p>
+</info>
+<info><p>If you disabled log archival before you applied the new encryption
 key, create a new backup of the database after the database is reconfigured
-with new the encryption key.<p></p></info></step>
+with new the encryption key.
+</p></info></step>
 </steps>
 </taskbody>
 </task>

Modified: db/derby/docs/trunk/src/devguide/tdevcsecurenewkeyoverview.dita
URL: http://svn.apache.org/viewvc/db/derby/docs/trunk/src/devguide/tdevcsecurenewkeyoverview.dita?view=diff&rev=545237&r1=545236&r2=545237
==============================================================================
--- db/derby/docs/trunk/src/devguide/tdevcsecurenewkeyoverview.dita (original)
+++ db/derby/docs/trunk/src/devguide/tdevcsecurenewkeyoverview.dita Thu Jun  7 09:32:56 2007
@@ -53,6 +53,15 @@
 <choice>To <xref href="tdevcsecurenewextkey.dita#tdevcsecurenewextkey">encrypt
 the database with a new external encryption key</xref>, use the <i>newEncryptionKey</i> attribute.</choice>
 </choices>
+<info>
+  If <xref href="cdevcsecure36127.dita#cdevcsecure36127">authentication</xref>
+  and
+  <xref href="cdevcsecure36595.dita#cdevcsecure36595">SQL authorization</xref>
+  are both enabled, the credentials of the 
+  <xref href="cdevcsecureDbOwner.dita#cdevcsecureDbOwner">database owner</xref>
+  must be supplied, since reencryption is a restricted operation.
+</info>
+
 </step>
 </steps>
 </taskbody>

Modified: db/derby/docs/trunk/src/devguide/tdevcsecureunencrypteddb.dita
URL: http://svn.apache.org/viewvc/db/derby/docs/trunk/src/devguide/tdevcsecureunencrypteddb.dita?view=diff&rev=545237&r1=545236&r2=545237
==============================================================================
--- db/derby/docs/trunk/src/devguide/tdevcsecureunencrypteddb.dita (original)
+++ db/derby/docs/trunk/src/devguide/tdevcsecureunencrypteddb.dita Thu Jun  7 09:32:56 2007
@@ -62,8 +62,19 @@
 <stepxmp>For example, to encrypt the <codeph>salesdb</codeph> database with
 the boot password <codeph>abc1234xyz</codeph>, specify the following attributes
 in the URL:<codeblock>jdbc:derby:salesdb;dataEncryption=true;bootPassword=abc1234xyz </codeblock></stepxmp>
-<info>If you disabled log archival before you encrypted the database, create
-a new backup of the database after the database is encrypted.</info></step>
+<info>
+  <p>
+  If <xref href="cdevcsecure36127.dita#cdevcsecure36127">authentication</xref>
+  and
+  <xref href="cdevcsecure36595.dita#cdevcsecure36595">SQL authorization</xref>
+  are both enabled, the credentials of the 
+  <xref href="cdevcsecureDbOwner.dita#cdevcsecureDbOwner">database owner</xref>
+  must be supplied as well, since encryption is a restricted operation.
+</p>
+</info>
+<info><p>
+If you disabled log archival before you encrypted the database, create
+a new backup of the database after the database is encrypted.</p></info></step>
 </steps>
 </taskbody>
 </task>

Modified: db/derby/docs/trunk/src/devguide/tdevdvlp40464.dita
URL: http://svn.apache.org/viewvc/db/derby/docs/trunk/src/devguide/tdevdvlp40464.dita?view=diff&rev=545237&r1=545236&r2=545237
==============================================================================
--- db/derby/docs/trunk/src/devguide/tdevdvlp40464.dita (original)
+++ db/derby/docs/trunk/src/devguide/tdevdvlp40464.dita Thu Jun  7 09:32:56 2007
@@ -38,6 +38,21 @@
 down the database of the current connection if you specify the default connection
 instead of a database name<i> </i>(within an SQL statement).</p><codeblock><b>// shutting down a database from your application</b>
 DriverManager.getConnection(
-    "jdbc:derby:sample;shutdown=true");</codeblock></context>
+    "jdbc:derby:sample;shutdown=true");</codeblock>
+<p>
+If user
+<xref href="cdevcsecure36127.dita#cdevcsecure36127">authentication</xref>
+and
+<xref href="cdevcsecure36595.dita#cdevcsecure36595">SQL authorization</xref>
+are both enabled, only the
+<xref href="cdevcsecureDbOwner.dita#cdevcsecureDbOwner">database owner</xref>
+can shut down the database.
+</p>
+
+<codeblock><b>// shutting down an authenticated database as database owner</b>
+DriverManager.getConnection(
+    "jdbc:derby:securesample;user=joeowner;password=secret;shutdown=true");</codeblock>
+
+</context>
 </taskbody>
 </task>

Modified: db/derby/docs/trunk/src/ref/rrefattrib15290.dita
URL: http://svn.apache.org/viewvc/db/derby/docs/trunk/src/ref/rrefattrib15290.dita?view=diff&rev=545237&r1=545236&r2=545237
==============================================================================
--- db/derby/docs/trunk/src/ref/rrefattrib15290.dita (original)
+++ db/derby/docs/trunk/src/ref/rrefattrib15290.dita Thu Jun  7 09:32:56 2007
@@ -35,7 +35,19 @@
 must be combined with the <i><xref href="rrefattrib42100.dita#rrefattrib42100">bootPassword=key</xref></i> attribute
 or the <xref href="rrefattribnewencryptkey.dita#rrefattribnewencryptkey">newEncryptionKey=key</xref> attribute.
 You have the option of also specifying the <i><xref href="rrefattrib88843.dita#rrefattrib88843">encryptionProvider=providerName</xref></i> and <i><xref
-href="rrefattrib60346.dita#rrefattrib60346">encryptionAlgorithm=algorithm</xref></i> attributes.</p> </section>
+href="rrefattrib60346.dita#rrefattrib60346">encryptionAlgorithm=algorithm</xref></i> attributes.</p> 
+<p>
+  For an existing, unencrypted database for which authentication
+  and SQL authorization are both
+  enabled, only the 
+  <xref href="rrefattrib26867.dita#rrefattrib26867">database owner</xref>
+  can perform encryption. See also "Enabling user authentication"
+  and "Setting the SQL standard authorization mode"
+  in the 
+  <ph conref="../conrefs.dita#pub/citdevelop"></ph>
+  for more information.
+</p>
+</section>
 <example><title>Examples</title><codeblock><b><ph> -- encrypt a new database</ph>
 jdbc:derby:encryptedDB;create=true;dataEncryption=true;
     bootPassword=cLo4u922sc23aPe

Modified: db/derby/docs/trunk/src/ref/rrefattrib16471.dita
URL: http://svn.apache.org/viewvc/db/derby/docs/trunk/src/ref/rrefattrib16471.dita?view=diff&rev=545237&r1=545236&r2=545237
==============================================================================
--- db/derby/docs/trunk/src/ref/rrefattrib16471.dita (original)
+++ db/derby/docs/trunk/src/ref/rrefattrib16471.dita Thu Jun  7 09:32:56 2007
@@ -26,9 +26,20 @@
 </metadata></prolog>
 <refbody>
 <section><title>Function</title> <p>Shuts down the specified database if you
-specify a <i>databaseName</i>. (Reconnecting to the database reboots the database.)</p> <p>Shuts
+specify a <i>databaseName</i>. (Reconnecting to the database reboots the database.)
+For a database for which authentication and SQL authorization are both
+enabled, only the 
+<xref href="rrefattrib26867.dita#rrefattrib26867">database owner</xref>
+can perform shutdown of that database.
+Please see "Enabling user authentication"
+and "Setting the SQL standard authorization mode"
+in the 
+<ph conref="../conrefs.dita#pub/citdevelop"></ph>
+for more information.
+</p> <p>Shuts
 down the entire <ph conref="../conrefs.dita#prod/productshortname"></ph> system
-if and only if you do not specify a <i>databaseName </i></p> <p>When you are
+if and only if you do not specify a <i>databaseName</i>.</p>
+<p>When you are
 shutting down a single database, it lets <ph conref="../conrefs.dita#prod/productshortname"></ph> perform
 a final checkpoint on the database.</p> <p>When you are shutting down a system,
 it lets <ph conref="../conrefs.dita#prod/productshortname"></ph> perform a
@@ -45,7 +56,7 @@
 the <i>DriverManager</i> with a <i>shutdown=true</i> attribute raises an exception.</note></p> </section>
 <example> <codeblock><b><ph>-- shuts down entire system</ph>
 jdbc:derby:;shutdown=true
-<ph>-- shuts down salesDB</ph>
+<ph>-- shuts down salesDB (authentication not enabled)</ph>
 jdbc:derby:salesDB;shutdown=true</b></codeblock> </example>
 </refbody>
 </reference>

Modified: db/derby/docs/trunk/src/ref/rrefattrib26867.dita
URL: http://svn.apache.org/viewvc/db/derby/docs/trunk/src/ref/rrefattrib26867.dita?view=diff&rev=545237&r1=545236&r2=545237
==============================================================================
--- db/derby/docs/trunk/src/ref/rrefattrib26867.dita (original)
+++ db/derby/docs/trunk/src/ref/rrefattrib26867.dita Thu Jun  7 09:32:56 2007
@@ -35,7 +35,30 @@
 create time if failure occurs after the database call occurs. If a database
 connection URL used <i>create=true</i> and the connection fails to be created,
 check for the database directory. If it exists, remove it and its contents
-before the next attempt to create the database.</p> </section>
+before the next attempt to create the database.</p> 
+</section>
+<section><title>Database owner</title> <p>
+  When the database is created, the current authorization identifier
+  becomes the database owner (see the
+  <i><xref href="rrefattrib10035.dita#rrefattrib10035"></xref></i>).
+  If authentication and SQL authorization are both enabled (see "Enabling user authentication"
+  and "Setting the SQL standard authorization mode"
+  in the 
+  <ph conref="../conrefs.dita#pub/citdevelop"></ph>),
+  only the database owner can
+  <xref href="rrefattrib16471.dita#rrefattrib16471">shut down</xref>
+  the database,
+  <xref href="rrefattrib15290.dita#rrefattrib15290">encrypt</xref> it,
+  reencrypt it with a new
+  <xref href="rrefattribnewbootpw.dita#rrefattribnewbootpw">boot password</xref>
+  or new
+  <xref href="rrefattribnewencryptkey.dita#rrefattribnewencryptkey">encryption key</xref>,
+  or perform a full upgrade. 
+  If authentication is not enabled, and no
+  user is supplied, the database owner defaults to "APP", which is also
+  the name of the default schema (see <xref href="rrefsqlj32268.dita#rrefsqlj32268"></xref>).
+</p>
+</section>
 <section><title>Combining with other attributes</title> <p>You
 must specify a <i>databaseName</i> (after the subprotocol in the database
 connection URL) or a <i><xref href="rrefattrib17246.dita#rrefattrib17246">databaseName=nameofDatabase</xref></i> attribute

Modified: db/derby/docs/trunk/src/ref/rrefattrib42100.dita
URL: http://svn.apache.org/viewvc/db/derby/docs/trunk/src/ref/rrefattrib42100.dita?view=diff&rev=545237&r1=545236&r2=545237
==============================================================================
--- db/derby/docs/trunk/src/ref/rrefattrib42100.dita (original)
+++ db/derby/docs/trunk/src/ref/rrefattrib42100.dita Thu Jun  7 09:32:56 2007
@@ -35,9 +35,25 @@
 <section><title>Combining with other attributes</title><p>When you create
 a new database, the <i>bootPassword=key</i> attribute must be combined with
 the <i><xref href="rrefattrib26867.dita#rrefattrib26867">create=true</xref></i> and <i><xref
-href="rrefattrib15290.dita#rrefattrib15290">dataEncryption=true</xref></i> attributes. </p><p>When
-you configure an existing unencrypted database for encryption,  the <i>bootPassword=key</i> attribute
-must be combined with the <xref href="rrefattrib15290.dita#rrefattrib15290">dataEncryption=true</xref> attribute. </p><p>When
+href="rrefattrib15290.dita#rrefattrib15290">dataEncryption=true</xref></i> attributes. </p>
+<p>
+  When you configure an existing unencrypted database for encryption,
+  the <i>bootPassword=key</i> attribute must be combined with
+  the <xref href="rrefattrib15290.dita#rrefattrib15290">dataEncryption=true</xref>
+  attribute.
+  For an existing, unencrypted database for which authentication and
+  SQL authorization are both
+  enabled, only the 
+  <xref href="rrefattrib26867.dita#rrefattrib26867">database owner</xref>
+  can perform encryption. 
+  Please see "Enabling user authentication"
+  and "Setting the SQL standard authorization mode"
+  in the 
+  <ph conref="../conrefs.dita#pub/citdevelop"></ph>
+  for more information.
+
+</p>
+<p>When
 you boot an existing encrypted database, no other attributes are necessary.</p> </section>
 <example><title>Examples</title><codeblock><b><ph>-- create a new, encrypted database</ph>
 jdbc:derby:newDB;create=true;dataEncryption=true;

Modified: db/derby/docs/trunk/src/ref/rrefattrib60346.dita
URL: http://svn.apache.org/viewvc/db/derby/docs/trunk/src/ref/rrefattrib60346.dita?view=diff&rev=545237&r1=545236&r2=545237
==============================================================================
--- db/derby/docs/trunk/src/ref/rrefattrib60346.dita (original)
+++ db/derby/docs/trunk/src/ref/rrefattrib60346.dita Thu Jun  7 09:32:56 2007
@@ -38,7 +38,20 @@
 must be combined with the <i><xref href="rrefattrib42100.dita#rrefattrib42100">bootPassword=key</xref></i> attribute
 and the <xref href="rrefattrib15290.dita#rrefattrib15290">dataEncryption=true</xref> attribute.
 You have the option of also specifying the <i><xref href="rrefattrib88843.dita#rrefattrib88843">encryptionProvider=providerName</xref></i> attribute
-to specify the encryption provider of the algorithm.</p></section>
+to specify the encryption provider of the algorithm.</p>
+<p>
+  For an existing database for which authentication and
+  SQL authorization are both
+  enabled, only the 
+  <xref href="rrefattrib26867.dita#rrefattrib26867">database owner</xref>
+  can perform encryption or reencryption. 
+  Please see "Enabling user authentication"
+  and "Setting the SQL standard authorization mode"
+  in the 
+  <ph conref="../conrefs.dita#pub/citdevelop"></ph>
+  for more information.
+</p>
+</section>
 <example> <title>Examples</title><codeblock><b><ph> -- encrypt a new database</ph>
     jdbc:derby:encryptedDB;create=true;dataEncryption=true;
     encryptionProvider=com.sun.crypto.provider.SunJCE;

Modified: db/derby/docs/trunk/src/ref/rrefattrib88843.dita
URL: http://svn.apache.org/viewvc/db/derby/docs/trunk/src/ref/rrefattrib88843.dita?view=diff&rev=545237&r1=545236&r2=545237
==============================================================================
--- db/derby/docs/trunk/src/ref/rrefattrib88843.dita (original)
+++ db/derby/docs/trunk/src/ref/rrefattrib88843.dita Thu Jun  7 09:32:56 2007
@@ -35,7 +35,20 @@
 <section><title>Combining with other attributes</title> <p>The <i>encryptionProvider</i> attribute
 must be combined with the <i><xref href="rrefattrib42100.dita#rrefattrib42100">bootPassword=key</xref> and <xref
 href="rrefattrib15290.dita#rrefattrib15290">dataEncryption=true</xref></i> attributes. You can
-also specify the <i><xref href="rrefattrib60346.dita#rrefattrib60346">encryptionAlgorithm=algorithm</xref></i> attribute.</p> </section>
+also specify the <i><xref href="rrefattrib60346.dita#rrefattrib60346">encryptionAlgorithm=algorithm</xref></i> attribute.</p> 
+<p>
+  For an existing, unencrypted database for which authentication and
+  SQL authorization are both
+  enabled, only the 
+  <xref href="rrefattrib26867.dita#rrefattrib26867">database owner</xref>
+  can perform encryption or reencryption. 
+  Please see "Enabling user authentication"
+  and "Setting the SQL standard authorization mode"
+  in the 
+  <ph conref="../conrefs.dita#pub/citdevelop"></ph>
+  for more information.  
+</p>
+</section>
 <example><title>Examples</title><codeblock><b><ph>-- create a new, encrypted database</ph>
 jdbc:derby:encryptedDB;create=true;dataEncryption=true;
     encryptionProvider=com.sun.crypto.provider.SunJCE;

Modified: db/derby/docs/trunk/src/ref/rrefattribencryptkey.dita
URL: http://svn.apache.org/viewvc/db/derby/docs/trunk/src/ref/rrefattribencryptkey.dita?view=diff&rev=545237&r1=545236&r2=545237
==============================================================================
--- db/derby/docs/trunk/src/ref/rrefattribencryptkey.dita (original)
+++ db/derby/docs/trunk/src/ref/rrefattribencryptkey.dita Thu Jun  7 09:32:56 2007
@@ -35,7 +35,18 @@
 <section><title>Combining with other attributes</title><p>When creating a
 new database, you must combine the <i>encryptionKey</i> attribute with the <i>create=true</i> and <i>dataEncryption=true</i> attributes. </p><p>When
 you configure an existing unencrypted database for encryption, the <i>encryptionKey</i> attribute
-must be combined with the <i>dataEncryption=true</i> attribute.</p><p>When
+must be combined with the <i>dataEncryption=true</i> attribute.
+For an existing, unencrypted database for which authentication
+and SQL authorization are both
+enabled, only the 
+<xref href="rrefattrib26867.dita#rrefattrib26867">database owner</xref>
+can perform encryption. 
+Please see "Enabling user authentication"
+and "Setting the SQL standard authorization mode"
+in the 
+<ph conref="../conrefs.dita#pub/citdevelop"></ph>
+for more information.
+</p><p>When
 booting an existing encrypted database, you must also specify the <i>encryptionAlgorithm</i> attribute
 if the algorithm that was used when the database was created is not the default
 algorithm. </p><p>The default encryption algorithm used by <ph conref="../conrefs.dita#prod/productshortname"></ph> is

Modified: db/derby/docs/trunk/src/ref/rrefattribnewbootpw.dita
URL: http://svn.apache.org/viewvc/db/derby/docs/trunk/src/ref/rrefattribnewbootpw.dita?view=diff&rev=545237&r1=545236&r2=545237
==============================================================================
--- db/derby/docs/trunk/src/ref/rrefattribnewbootpw.dita (original)
+++ db/derby/docs/trunk/src/ref/rrefattribnewbootpw.dita Thu Jun  7 09:32:56 2007
@@ -36,7 +36,20 @@
 <section><title>Combining with other attributes</title><p>The <i>newBootPassword</i> attribute
 must be combined with the <i><xref href="rrefattrib42100.dita#rrefattrib42100">bootPassword=key</xref></i> attribute.</p><p>You
 cannot change the encryption provider or the encryption algorithm when you
-use the <i>newBootPassword</i> attribute.</p> </section>
+use the <i>newBootPassword</i> attribute.</p>
+<p>
+  For an existing encrypted database for which authentication and
+  SQL authorization are both
+  enabled, only the 
+  <xref href="rrefattrib26867.dita#rrefattrib26867">database owner</xref>
+  can perform reencryption. 
+  Please see "Enabling user authentication"
+  and "Setting the SQL standard authorization mode"
+  in the 
+  <ph conref="../conrefs.dita#pub/citdevelop"></ph>
+  for more information.
+</p>
+</section>
 <example><title>Example</title><codeblock><b><ph>-- specify a new boot password for a database</ph>
 jdbc:derby:salesdb;bootPassword=abc1234xyz;newBootPassword=new1234xyz</b></codeblock> </example>
 </refbody>

Modified: db/derby/docs/trunk/src/ref/rrefattribnewencryptkey.dita
URL: http://svn.apache.org/viewvc/db/derby/docs/trunk/src/ref/rrefattribnewencryptkey.dita?view=diff&rev=545237&r1=545236&r2=545237
==============================================================================
--- db/derby/docs/trunk/src/ref/rrefattribnewencryptkey.dita (original)
+++ db/derby/docs/trunk/src/ref/rrefattribnewencryptkey.dita Thu Jun  7 09:32:56 2007
@@ -35,7 +35,20 @@
 <section><title>Combining with other attributes</title> <p>The <i>newEncryptionKey</i> attribute
 must be combined with the <i><xref href="rrefattribencryptkey.dita#rrefattribencryptkey">encryptionKey=key</xref></i> attribute.</p><p>You
 cannot change the encryption provider or the encryption algorithm when you
-use the <i>newEncryptionKey</i> attribute.</p> </section>
+use the <i>newEncryptionKey</i> attribute.</p> 
+<p>
+  For an existing encrypted database for which authentication and
+  SQL authorization are both
+  enabled, only the 
+  <xref href="rrefattrib26867.dita#rrefattrib26867">database owner</xref>
+  can perform reencryption. 
+  Please see "Enabling user authentication"
+  and "Setting the SQL standard authorization mode"
+  in the 
+  <ph conref="../conrefs.dita#pub/citdevelop"></ph>
+  for more information.
+</p>
+</section>
 <example><title>Example</title><codeblock><b><ph>-- specify a new encryption key for a database</ph>
 jdbc:derby:salesdb;encryptionKey=6162636465666768;newEncryptionKey=6862636465666768</b></codeblock> </example>
 </refbody>

Modified: db/derby/docs/trunk/src/ref/rrefcreatefunctionstatement.dita
URL: http://svn.apache.org/viewvc/db/derby/docs/trunk/src/ref/rrefcreatefunctionstatement.dita?view=diff&rev=545237&r1=545236&r2=545237
==============================================================================
--- db/derby/docs/trunk/src/ref/rrefcreatefunctionstatement.dita (original)
+++ db/derby/docs/trunk/src/ref/rrefcreatefunctionstatement.dita Thu Jun  7 09:32:56 2007
@@ -28,7 +28,9 @@
 </keywords>
 </metadata></prolog>
 <refbody>
-<section><p>The function owner and the database owner automatically gain the
+<section><p>The function owner and the 
+<xref href="rrefattrib26867.dita#rrefattrib26867">database owner</xref>
+automatically gain the
 EXECUTE privilege on the function, and are able to grant this privilege to
 other users. The EXECUTE privileges cannot be revoked from the function and
 database owners.</p></section>

Modified: db/derby/docs/trunk/src/ref/rrefcreateprocedurestatement.dita
URL: http://svn.apache.org/viewvc/db/derby/docs/trunk/src/ref/rrefcreateprocedurestatement.dita?view=diff&rev=545237&r1=545236&r2=545237
==============================================================================
--- db/derby/docs/trunk/src/ref/rrefcreateprocedurestatement.dita (original)
+++ db/derby/docs/trunk/src/ref/rrefcreateprocedurestatement.dita Thu Jun  7 09:32:56 2007
@@ -28,7 +28,9 @@
 <refbody>
 <section><p>The CREATE PROCEDURE statement allows you to create Java stored
 procedures, which you can then call using the CALL PROCEDURE statement.</p><p>The
-procedure owner and the database owner automatically gain the EXECUTE privilege
+procedure owner and the 
+<xref href="rrefattrib26867.dita#rrefattrib26867">database owner</xref>
+automatically gain the EXECUTE privilege
 on the procedure, and are able to grant this privilege to other users. The
 EXECUTE privileges cannot be revoked from the procedure and database owners.</p></section>
 <refsyn><title>Syntax</title><codeblock><b>CREATE PROCEDURE <i><xref href="rrefcreateprocedurestatement.dita#rrefcreateprocedurestatement/rrefcrproprocedurename"

Modified: db/derby/docs/trunk/src/ref/rrefexcept71493.dita
URL: http://svn.apache.org/viewvc/db/derby/docs/trunk/src/ref/rrefexcept71493.dita?view=diff&rev=545237&r1=545236&r2=545237
==============================================================================
--- db/derby/docs/trunk/src/ref/rrefexcept71493.dita (original)
+++ db/derby/docs/trunk/src/ref/rrefexcept71493.dita Thu Jun  7 09:32:56 2007
@@ -278,6 +278,22 @@
                             <entry colname="col2">The connection was refused because the database <varname>&lt;databaseName&gt;</varname> was not found.</entry>
                         </row>
                         <row>
+                            <entry colname="col1">08004</entry>
+                            <entry colname="col2">Database connection refused.</entry>
+                        </row>
+                        <row>
+                            <entry colname="col1">08004</entry>
+                            <entry colname="col2">User <varname>&lt;userName&gt;</varname> cannot shut down database <varname>&lt;databaseName&gt;</varname>. Only the database owner can perform this operation.</entry>
+                        </row>
+                        <row>
+                            <entry colname="col1">08004</entry>
+                            <entry colname="col2">User <varname>&lt;userName&gt;</varname> cannot (re)encrypt database <varname>&lt;databaseName&gt;</varname>. Only the database owner can perform this operation.</entry>
+                        </row>
+                        <row>
+                            <entry colname="col1">08004</entry>
+                            <entry colname="col2">User <varname>&lt;userName&gt;</varname> cannot hard upgrade database <varname>&lt;databaseName&gt;</varname>. Only the database owner can perform this operation.</entry>
+                        </row>
+                        <row>
                             <entry colname="col1">08006</entry>
                             <entry colname="col2">An error occurred during connect reset and the connection has been terminated.  See chained exceptions for details.</entry>
                         </row>

Modified: db/derby/docs/trunk/src/ref/rrefsqlj15446.dita
URL: http://svn.apache.org/viewvc/db/derby/docs/trunk/src/ref/rrefsqlj15446.dita?view=diff&rev=545237&r1=545236&r2=545237
==============================================================================
--- db/derby/docs/trunk/src/ref/rrefsqlj15446.dita (original)
+++ db/derby/docs/trunk/src/ref/rrefsqlj15446.dita Thu Jun  7 09:32:56 2007
@@ -29,7 +29,9 @@
 object that you can use until you drop it. Views are not updatable.</p><p>If
 a qualified view name is specified, the schema name cannot begin with <i>SYS</i>.</p><p>The
 view owner automatically gains the SELECT privilege on the view. The SELECT
-privilege cannot be revoked from the view owner. The database owner automatically
+privilege cannot be revoked from the view owner. The 
+<xref href="rrefattrib26867.dita#rrefattrib26867">database owner</xref>
+automatically
 gains the SELECT privilege on the view and is able to grant this privilege
 to other users. The SELECT privilege cannot be revoked from the database owner.</p><p>The
 view owner can only grant the SELECT privilege to other users if the view

Modified: db/derby/docs/trunk/src/ref/rrefsqlj24513.dita
URL: http://svn.apache.org/viewvc/db/derby/docs/trunk/src/ref/rrefsqlj24513.dita?view=diff&rev=545237&r1=545236&r2=545237
==============================================================================
--- db/derby/docs/trunk/src/ref/rrefsqlj24513.dita (original)
+++ db/derby/docs/trunk/src/ref/rrefsqlj24513.dita Thu Jun  7 09:32:56 2007
@@ -29,8 +29,9 @@
 <section> <p>A CREATE TABLE statement creates a table. Tables contain columns
 and constraints, rules to which data must conform. Table-level constraints
 specify a column or columns. Columns have a data type and can specify column
-constraints (column-level constraints).</p><p>The table owner and the database
-owner automatically gain the following privileges on the table and are able
+constraints (column-level constraints).</p><p>The table owner and the 
+<xref href="rrefattrib26867.dita#rrefattrib26867">database owner</xref>
+automatically gain the following privileges on the table and are able
 to grant these privileges to other users:<ul>
 <li>INSERT</li>
 <li>SELECT</li>

Modified: db/derby/docs/trunk/src/ref/rrefsqlj40506.dita
URL: http://svn.apache.org/viewvc/db/derby/docs/trunk/src/ref/rrefsqlj40506.dita?view=diff&rev=545237&r1=545236&r2=545237
==============================================================================
--- db/derby/docs/trunk/src/ref/rrefsqlj40506.dita (original)
+++ db/derby/docs/trunk/src/ref/rrefsqlj40506.dita Thu Jun  7 09:32:56 2007
@@ -29,7 +29,9 @@
 <section> <p>The LOCK TABLE statement allows you to explicitly acquire a shared
 or exclusive table lock on the specified table. The table lock lasts until
 the end of the current transaction. </p><p>To lock a table, you must either
-be the database owner or the table owner.</p><p>Explicitly locking a table
+be the 
+<xref href="rrefattrib26867.dita#rrefattrib26867">database owner</xref>
+or the table owner.</p><p>Explicitly locking a table
 is useful to:   <ul>
 <li>Avoid the overhead of multiple row locks on a table (in other words, user-initiated
 lock escalation)</li>

Modified: db/derby/docs/trunk/src/ref/rrefsqlj43125.dita
URL: http://svn.apache.org/viewvc/db/derby/docs/trunk/src/ref/rrefsqlj43125.dita?view=diff&rev=545237&r1=545236&r2=545237
==============================================================================
--- db/derby/docs/trunk/src/ref/rrefsqlj43125.dita (original)
+++ db/derby/docs/trunk/src/ref/rrefsqlj43125.dita Thu Jun  7 09:32:56 2007
@@ -42,8 +42,9 @@
 any number of triggers for a single table, including multiple triggers on
 the same table for the same event.</p><p>You can create a trigger in any schema
 where you are the schema owner. To create a trigger on a table that you do
-not own, you must be granted the TRIGGER privilege on that table. The database
-owner can also create triggers on any table in any schema.</p><p>The trigger
+not own, you must be granted the TRIGGER privilege on that table. The 
+<xref href="rrefattrib26867.dita#rrefattrib26867">database owner</xref>
+can also create triggers on any table in any schema.</p><p>The trigger
 does not need to reside in the same schema as the table on which the trigger
 is defined.</p><p>If a qualified trigger name is specified, the schema name
 cannot begin with <i>SYS</i>.</p></section>

Modified: db/derby/docs/trunk/src/ref/rrefsqljrenametablestatement.dita
URL: http://svn.apache.org/viewvc/db/derby/docs/trunk/src/ref/rrefsqljrenametablestatement.dita?view=diff&rev=545237&r1=545236&r2=545237
==============================================================================
--- db/derby/docs/trunk/src/ref/rrefsqljrenametablestatement.dita (original)
+++ db/derby/docs/trunk/src/ref/rrefsqljrenametablestatement.dita Thu Jun  7 09:32:56 2007
@@ -27,7 +27,9 @@
 <refbody>
 <section> <p>RENAME TABLE allows you to rename an existing table in any schema
 (except the schema <i>SYS</i>). </p><p>To rename a table, you must either
-be the database owner or the table owner.</p></section>
+be the 
+<xref href="rrefattrib26867.dita#rrefattrib26867">database owner</xref>
+or the table owner.</p></section>
 <refsyn><title>Syntax</title> <codeblock><b>RENAME TABLE <i>table-Name</i> TO <i><xref
 href="rrefnewtablename.dita#rrefnewtablename">new-Table-Name</xref></i></b></codeblock> <p>If
 there is a view or foreign key that references the table, attempts to rename

Modified: db/derby/docs/trunk/src/ref/rrefsqljrevoke.dita
URL: http://svn.apache.org/viewvc/db/derby/docs/trunk/src/ref/rrefsqljrevoke.dita?view=diff&rev=545237&r1=545236&r2=545237
==============================================================================
--- db/derby/docs/trunk/src/ref/rrefsqljrevoke.dita (original)
+++ db/derby/docs/trunk/src/ref/rrefsqljrevoke.dita Thu Jun  7 09:32:56 2007
@@ -39,7 +39,8 @@
 </ul></p><p>Before you issue a REVOKE statement, check that the <codeph>derby.database.sqlAuthorization</codeph> property
 is set to <codeph>true</codeph>. The <codeph>derby.database.sqlAuthorization</codeph> property
 enables the SQL Authorization mode.</p><p>You can revoke privileges from an
-object if you are the owner of the object or the database owner.</p><p>The
+object if you are the owner of the object or the 
+<xref href="rrefattrib26867.dita#rrefattrib26867">database owner</xref>.</p><p>The
 syntax that you use for the REVOKE statement depends on whether you are revoking
 privileges to a table or to a routine.</p></section>
 <section><title>Syntax for tables</title><codeblock><b>REVOKE <i><xref href="rrefsqljrevoke.dita#rrefsqljrevoke/revokeptype">privilege-type</xref



Mime
View raw message