db-derby-commits mailing list archives

From Apache Wiki <wikidi...@apache.org>
Subject [Db-derby Wiki] Update of "UserIdentifiers" by DanDebrunner
Date Fri, 18 Jan 2008 22:01:46 GMT
Dear Wiki user,

You have subscribed to a wiki page or wiki category on "Db-derby Wiki" for change notification.

The following page has been changed by DanDebrunner:
http://wiki.apache.org/db-derby/UserIdentifiers

The comment on the change is:
Clarify by using authorization identifier inspired by Rick's note in DERBY-2109

------------------------------------------------------------------------------
- = User Identifiers in Derby =
+ = User Names & Authorization Identifiers in Derby =
+ [[TableOfContents]]
  == Overview ==
- A user in Derby is represented by a case-sensitive value, called ''normal user name'' in
this document. E.g.''EVE'', ''eve'', ''eVe'', ''eve@yahoo.com'' are all different users. A
user name can be provided to or read from Derby in a number of forms, e.g. SQL identifiers,
a String in a Java program etc. This wiki page summarizes the how a user name is treated in
various situations.
+ A user in Derby is represented by a case-sensitive value, called an ''authorization identifier''.
E.g.''EVE'', ''eve'', ''eVe'', ''eve@yahoo.com'' are all different users. A user name can
be provided to or read from Derby in a number of forms, e.g. SQL identifiers, a String in
a Java program etc. This wiki page summarizes the how a user name converted to an ''authorization
identifier'' in various situations.
  
  Note that rules for user names in Derby are independent on how that user name is defined
to Derby or authenticated. Thus these rules apply if the database is using the BUILTIN authentication
or LDAP authentication.
  == User Name Rules ==
  || '''Context'''  || '''Definition''' || '''Use''' ||
- ||<|2(> SQL identifiers ||<|2(> User identifier is a SQL identifier, section
5.4 SQL 2003. A regular identifier is upper-cased to its normal form, e.g. eve, eVe and EVE
all represent the user EVE. A delimited identifier (with double quotes) does not have any
case conversion to its normal form, e.g. "eVe" represents the user eVe. Note that the delimited
identifier "EVE" represents the user EVE which is the same user as the regular identifiers
eve, EVE and EvE etc. The normal user name represents how a user name is stored/processed
by the SQL engine in a SQL context, e.g. the system tables representing granted permissions.
Note that derby.* properties are not in the SQL context. || grantee in GRANT statement ||
+ ||<|2(> SQL identifiers ||<|2(> User identifier is a SQL identifier, section
5.4 SQL 2003. A regular identifier is upper-cased to represent an authorization identifier,
e.g. eve, eVe and EVE all represent the authorization identifier EVE. A delimited identifier
(with double quotes) does not have any case conversion to its authorization identifier, e.g.
"eVe" represents the authorization identifier eVe. Note that the delimited identifier "EVE"
represents the authorization identifier EVE which is the same user as the regular identifiers
eve, EVE and EvE etc. The authorization identifier represents how a user name is stored/processed
by the SQL engine in a SQL context, e.g. the system tables representing granted permissions.
Note that derby.* properties are not in the SQL context. || grantee in GRANT statement ||
  || grantee in REVOKE statement ||
  || || || ||
- ||<|3(> CURRENT USER expression ||<|3(>  Returns the normal user name for the
current user. E.g. returns eVe for the user eVe and EVE for the user EVE. || VALUES CURRENT
USER ||
+ ||<|3(> CURRENT USER expression ||<|3(>  Returns the authorization identifier
for the current user. || VALUES CURRENT USER ||
  || VALUES SESSION_USER ||
  || VALUES {fn user()} ||
  || || || ||
- ||<|2(>  SQL Routine ||<|2(>  A system SQL routine taking a USERNAME parameter
requires the caller pass in the normal user name, this is to align with the value being passed
in from CURRENT USER or a value obtained from a system table representing a user. || SYSCS_UTIL.SYSCS_SET_USER_ACCESS
[http://issues.apache.org/jira/browse/DERBY-3095 DERBY-3095] ||
+ ||<|2(>  SQL Routine ||<|2(>  A system SQL routine taking a USERNAME parameter
requires the caller pass in the authorization identifier, this is to align with the value
being passed in from CURRENT USER or a value obtained from a system table representing a user.
|| SYSCS_UTIL.SYSCS_SET_USER_ACCESS [http://issues.apache.org/jira/browse/DERBY-3095 DERBY-3095]
||
  || SYSCS_UTIL.SYSCS_GET_USER_ACCESS [http://issues.apache.org/jira/browse/DERBY-3095 DERBY-3095]
||
  || || || ||
  ||<|3(> JDBC Connection request ||<|3(> Follows the rules of SQL identifiers
including support for delimited identifiers. || User named passed into method call, e.g. DataSource.setUser,
DriverManager.getConnection ||
  || User set as user property in DriverManager connection request ||
  || User name on JDBC URL ||
  || || || ||
- || JDBC !DatabaseMetaData.getUserName() || Returns the user name used to make the JDBC connection
request which is a SQL identifier and not the normal form of the name. || conn.getMetaData().getUserName()
||
+ || JDBC !DatabaseMetaData.getUserName() || Returns the user name used to make the JDBC connection
request which is a SQL identifier and not the authorization identifier. || conn.getMetaData().getUserName()
||
  || || || ||
  ||<|2(> Derby BUILTIN authentication ||<|2(> Follows the rules of SQL identifiers
including support for delimited identifiers. [http://issues.apache.org/jira/browse/DERBY-3150
DERBY-3150]  || System property derby.user.''username''=''password'' ||
  || CALL SYSCS_UTIL.SYSCS_SET_DATABASE_PROPERTY( 'derby.user.username', 'password') ||
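Review bot: The new Overview sentence, "summarizes the how a user name converted to an ''authorization identifier''", has a stray "the" and is missing its verb; suggest "summarizes how a user name is converted to an ''authorization identifier''". In the CURRENT USER row the change also drops the "returns eVe for the user eVe and EVE for the user EVE" example. Keeping it would still show that the returned value is the stored form with no further case folding, which is the contrast the !DatabaseMetaData.getUserName() row relies on when it says that method does not return the authorization identifier. The SQL identifiers row now says the delimited identifier "EVE" is "the same user as the regular identifiers"; with the new terminology "the same authorization identifier as" would read more consistently.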
@@ -29, +30 @@

  ||<|2(> Connection authorization ||<|2(> User names set in Java or database
properties. Documented as following the rules of SQL identifiers including support for delimited
identifiers. Thus derby.database.fullAccessUsers=eVe and derby.database.fullAccessUsers=EVE
have identical meaning. || derby.database.fullAccessUsers ||
  || derby.database.readOnlyAccessUsers ||
  
- == Example - User EVE ==
+ == Example - Authorization identifier EVE ==
- All of these examples are valid for user name EVE
+ All of these examples are valid for authorization identifier EVE
  || GRANT SELECT ON t TO eve ||
  || REVOKE SELECT ON T FROM EvE ||
  || GRANT SELECT ON t TO EVE ||
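Review bot: In the renamed EVE example, "All of these examples are valid for authorization identifier EVE" is ambiguous, because the rows that follow (eve, EvE, EVE) are user names as written, not the identifier itself. Suggest wording such as "All of these examples resolve to authorization identifier EVE" so the heading and the sentence match the conversion rule the table describes. The same applies to the unchanged Connection authorization row above, which still speaks of "User names" with "identical meaning" rather than saying both values map to the same authorization identifier.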
@@ -46, +47 @@

  || CALL SYSCS_UTIL.SYSCS_SET_DATABASE_PROPERTY('derby.user.eve', 'password') ||
  || derby.database.readOnlyAccessUsers=eve ||
  
- == Example - User eve ==
+ == Example - Authorization identifier eve ==
- All of these examples are valid for user name eve
+ All of these examples are valid for authorization identifier eve
  || GRANT SELECT ON t TO "eve" ||
  || REVOKE SELECT ON T FROM "eve" ||
  || VALUES CURRENT_USER will return eve ||
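Review bot: The eve example's intro line does not say that the double quotes are what select this identifier; the last row of the preceding EVE list, derby.database.readOnlyAccessUsers=eve, differs from the eve rows only by the missing quotes. Suggest extending the sentence, for instance "All of these examples resolve to authorization identifier eve; without the double quotes each would refer to EVE", since a reader configuring access lists could otherwise grant rights to a different user than intended. The row "VALUES CURRENT_USER will return eve" also spells the expression with an underscore while the rules table uses "CURRENT USER"; one spelling throughout would help.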
@@ -58, +59 @@

  || CALL SYSCS_UTIL.SYSCS_SET_DATABASE_PROPERTY('derby.user."eve"', 'password') ||
  || derby.database.readOnlyAccessUsers="eve" ||
  
+ == Note ==
+ Earlier versions of this document used ''normal user name'' to represent ''authorization
identifier''.
+ Thanks to Rick's comments in [http://issues.apache.org/jira/browse/DERBY-2109?focusedCommentId=12560512#action_12560512
DERBY-2109]
+ I decided to re-write this in terms of ''authorization identifier''.
+ 
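Review bot: The added Note is written in the first person ("I decided to re-write this") on a shared wiki page, where later readers cannot tell who "I" is; suggest a neutral sentence such as "This page was rewritten in terms of ''authorization identifier'' following the comments in DERBY-2109". Since the note explains a terminology change that affects every section, it may also be easier to find directly under the Overview than at the end of the page.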
