db-derby-commits mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From chaa...@apache.org
Subject svn commit: r732365 - in /db/derby/docs/trunk/src: devguide/cdevcsecureroles.dita devguide/rdevcsecuresqlauthexceptions.dita ref/rrefsqljgrant.dita ref/rrefsqljrevoke.dita tools/rtoolsijcomrefshow.dita
Date Wed, 07 Jan 2009 15:36:42 GMT
Author: chaase3
Date: Wed Jan  7 07:36:42 2009
New Revision: 732365

URL: http://svn.apache.org/viewvc?rev=732365&view=rev
Log:
DERBY-3193: SQL roles: Add documentation

This patch makes a few additional final corrections to the SQL roles 
documentation.

Patch: DERBY-3193-4.diff

Modified:
    db/derby/docs/trunk/src/devguide/cdevcsecureroles.dita
    db/derby/docs/trunk/src/devguide/rdevcsecuresqlauthexceptions.dita
    db/derby/docs/trunk/src/ref/rrefsqljgrant.dita
    db/derby/docs/trunk/src/ref/rrefsqljrevoke.dita
    db/derby/docs/trunk/src/tools/rtoolsijcomrefshow.dita

Modified: db/derby/docs/trunk/src/devguide/cdevcsecureroles.dita
URL: http://svn.apache.org/viewvc/db/derby/docs/trunk/src/devguide/cdevcsecureroles.dita?rev=732365&r1=732364&r2=732365&view=diff
==============================================================================
--- db/derby/docs/trunk/src/devguide/cdevcsecureroles.dita (original)
+++ db/derby/docs/trunk/src/devguide/cdevcsecureroles.dita Wed Jan  7 07:36:42 2009
@@ -54,8 +54,10 @@
 statement to grant a role to one or more users, to PUBLIC, or to another role.
 </p>
 <p>A role A <i>contains</i> another role B if role B is granted to role
A, or is
-contained in a role granted to role A. In this case, the privileges identified
-by role B are inherited by role A.</p>
+contained in a role C granted to role A. Privileges granted to a contained role
+are inherited by the containing roles. So the set of privileges identified by
+role A is the union of the privileges granted to role A and the privileges
+granted to any contained roles of role A.</p>
 <p>For example, suppose the database owner issued the following statements:</p>
 <codeblock>  create role readUser;
   create role updateUser;
@@ -129,21 +131,20 @@
 role.</p>
 <p>When a privilege is revoked from a role A, that privilege is no longer held
 by role A, unless A otherwise inherits that privilege from a contained role.</p>
-<p>If a role loses a privilege to an object, and a session whose current user is
-different from the owner of that object has a current role which is that role
-or a role that contains that role, the session also loses that privilege, 
-unless one or more of the following is true:</p>
+<p>If a privilege to an object is revoked from role A, a session will lose that
+privilege if it has a current role set to A or a role that contains A, unless
+one or more of the following is true:</p>
 <ul>
-<li>The role is granted directly to the current user</li>
-<li>The role is granted to PUBLIC</li>
-<li>The role is also granted to another role in the current role's contained
-roles</li>
-<li>The session's current user is the database owner</li>
+<li>The privilege is granted directly to the current user</li>
+<li>The privilege is granted to PUBLIC</li>
+<li>The privilege is also granted to another role B in the current role's set of
+contained roles</li>
+<li>The session's current user is the database owner or the object owner</li>
 </ul>
 </section>
 <section><title>Revoking roles</title>
-<p>The database owner can use the REVOKE statement to revoke a role from a user
-or from another role.</p>
+<p>The database owner can use the REVOKE statement to revoke a role from a user,
+from PUBLIC, or from another role.</p>
 <p>When a role is revoked from a user, that session can no longer keep that
 role, nor can it take on that role in a SET ROLE statement, unless the role is
 also granted to PUBLIC. If that role is the current role of an existing session,

Modified: db/derby/docs/trunk/src/devguide/rdevcsecuresqlauthexceptions.dita
URL: http://svn.apache.org/viewvc/db/derby/docs/trunk/src/devguide/rdevcsecuresqlauthexceptions.dita?rev=732365&r1=732364&r2=732365&view=diff
==============================================================================
--- db/derby/docs/trunk/src/devguide/rdevcsecuresqlauthexceptions.dita (original)
+++ db/derby/docs/trunk/src/devguide/rdevcsecuresqlauthexceptions.dita Wed Jan  7 07:36:42
2009
@@ -85,7 +85,7 @@
 <i>SQLException</i> 4251B.</li>
 </ul>
 <p>For all statements, an attempt to specify an identifier argument more than
-128 characters long raises the <i>SQLException</i> 42622.</p>.
+128 characters long raises the <i>SQLException</i> 42622.</p>
 </section>
 </refbody>
 </reference>

Modified: db/derby/docs/trunk/src/ref/rrefsqljgrant.dita
URL: http://svn.apache.org/viewvc/db/derby/docs/trunk/src/ref/rrefsqljgrant.dita?rev=732365&r1=732364&r2=732365&view=diff
==============================================================================
--- db/derby/docs/trunk/src/ref/rrefsqljgrant.dita (original)
+++ db/derby/docs/trunk/src/ref/rrefsqljgrant.dita Wed Jan  7 07:36:42 2009
@@ -24,7 +24,8 @@
 <title>GRANT statement </title>
 <shortdesc>Use the GRANT statement to give permissions to a specific user or
 role, or to all users, to perform actions on database objects. You can also use
-the GRANT statement to grant a role to a user or to another role.</shortdesc>
+the GRANT statement to grant a role to a user, to PUBLIC, or to another role.
+</shortdesc>
 <prolog><metadata>
 <keywords><indexterm>GRANT statement</indexterm><indexterm>SQL statements<indexterm>GRANT</indexterm></indexterm>
 </keywords>
@@ -67,8 +68,10 @@
 <xref href="rrefattrib26867.dita#rrefattrib26867">database owner</xref> can
 grant a role.</p>
 <p>A role A <i>contains</i> another role B if role B is granted to role
A, or is
-contained in a role granted to role A. In this case, the privileges identified
-by role B are inherited by role A.</p>
+contained in a role C granted to role A. Privileges granted to a contained role
+are inherited by the containing roles. So the set of privileges identified by
+role A is the union of the privileges granted to role A and the privileges
+granted to any contained roles of role A.</p>
 </section>
 <section id="grantprivtype"><title>privilege-types</title><codeblock><b>
 ALL PRIVILEGES |
   privilege-list

Modified: db/derby/docs/trunk/src/ref/rrefsqljrevoke.dita
URL: http://svn.apache.org/viewvc/db/derby/docs/trunk/src/ref/rrefsqljrevoke.dita?rev=732365&r1=732364&r2=732365&view=diff
==============================================================================
--- db/derby/docs/trunk/src/ref/rrefsqljrevoke.dita (original)
+++ db/derby/docs/trunk/src/ref/rrefsqljrevoke.dita Wed Jan  7 07:36:42 2009
@@ -21,8 +21,8 @@
 <title>REVOKE statement </title>
 <shortdesc>Use the REVOKE statement to remove permissions from a specific
 user or role, or from all users, to perform actions on database objects. You can
-also use the REVOKE statement to revoke a role from a user or from another
-role.</shortdesc>
+also use the REVOKE statement to revoke a role from a user, from PUBLIC, or from
+another role.</shortdesc>
 <prolog><metadata>
 <keywords><indexterm>REVOKE statement<indexterm>syntax</indexterm></indexterm>
 <indexterm>SQL statements<indexterm>REVOKE</indexterm></indexterm><indexterm>REVOKE
@@ -185,7 +185,7 @@
 revoked, dependent objects will be dropped. Note that dropping may be too
 pessimistic. This is because
 <ph conref="../conrefs.dita#prod/productshortname"></ph> does not currently make
-an attempt to re-check if the necessary privileges are still available in such
+an attempt to recheck if the necessary privileges are still available in such
 cases.</dd></dlentry></dl></section>
 <example> <title>Revoke examples</title><p>To revoke the SELECT privilege
 on table <codeph>t</codeph> from the authorization IDs <codeph>maria</codeph>
and <codeph>harry</codeph>,

Modified: db/derby/docs/trunk/src/tools/rtoolsijcomrefshow.dita
URL: http://svn.apache.org/viewvc/db/derby/docs/trunk/src/tools/rtoolsijcomrefshow.dita?rev=732365&r1=732364&r2=732365&view=diff
==============================================================================
--- db/derby/docs/trunk/src/tools/rtoolsijcomrefshow.dita (original)
+++ db/derby/docs/trunk/src/tools/rtoolsijcomrefshow.dita Wed Jan  7 07:36:42 2009
@@ -28,9 +28,9 @@
 Procedures command</indexterm><indexterm>Show Synonyms command</indexterm><indexterm>Show
 Indexes in Schema command</indexterm><indexterm>Show Indexes from Table command</indexterm>
 <indexterm>Roles<indexterm>displaying</indexterm></indexterm>
-<indexterm>Show Roles command</indexterm>
-<indexterm>Show Enabled Roles command</indexterm>
-<indexterm>Show Settable Roles command</indexterm>
+<indexterm>SHOW ROLES command</indexterm>
+<indexterm>SHOW ENABLED_ROLES command</indexterm>
+<indexterm>SHOW SETTABLE_ROLES command</indexterm>
 </keywords>
 </metadata></prolog>
 <refbody>
@@ -39,7 +39,9 @@
    CONNECTIONS |
    INDEXES [ IN <i>schemaName</i> | FROM <i>table-Name</i> ] |
    PROCEDURES [ IN <i>schemaName</i> ] |
-   [ENABLED | SETTABLE] ROLES |
+   ROLES |
+   ENABLED_ROLES |
+   SETTABLE_ROLES |
    SCHEMAS |
    SYNONYMS [ IN <i>schemaName</i> ] |
    TABLES [ IN <i>schemaName</i> ] |
@@ -118,34 +120,33 @@
 
 18 rows selected</codeblock>  
 
-<p id="showroles"><b>SHOW ROLES</b></p>
-<p>SHOW ROLES displays the names of all roles created, whether available or
-settable for the current session or not.</p>
-<p>SHOW ENABLED ROLES displays the names of all the roles whose privileges are
+<p id="showroles"><b>SHOW ROLES, SHOW ENABLED_ROLES, SHOW SETTABLE_ROLES</b></p>
+<p>SHOW ROLES displays the names of all roles created, whether settable for the
+current session or not.</p>
+<p>SHOW ENABLED_ROLES displays the names of all the roles whose privileges are
 available for the current session. That is, it shows the current role and any
-role granted to or contained in the current role. (For a definition of role
-containment, see "Using SQL roles" in the
-<ph conref="../conrefs.dita#pub/citdevelop"></ph>.)
-</p>
-<p>SHOW SETTABLE ROLES displays all the roles that the current session can set,
-that is, all roles that have been granted to the current user.</p>
+role contained in the current role. (For a definition of role containment, see
+"Using SQL roles" in the <ph conref="../conrefs.dita#pub/citdevelop"></ph>.)</p>
+<p>SHOW SETTABLE_ROLES displays all the roles that the current session can set,
+that is, all roles that have been granted to the current user or to PUBLIC.</p>
+<p>The roles shown by these commands are sorted in ascending order.</p>
 <p><b>Example</b></p>
 <codeblock>ij&gt; <b>show roles;</b>
 ROLEID                        
 ------------------------------
-CASUALUSER                             
 ANYUSER                             
+CASUALUSER                             
 POWERUSER                             
 
 3 rows selected
-ij&gt; <b>show enabled roles;</b>
+ij&gt; <b>show enabled_roles;</b>
 ROLEID                        
 ------------------------------
-CASUALUSER                             
 ANYUSER                             
+CASUALUSER                             
 
 2 rows selected
-ij&gt; <b>show settable roles;</b>
+ij&gt; <b>show settable_roles;</b>
 ROLEID                        
 ------------------------------
 CASUALUSER                             



Mime
View raw message