db-derby-commits mailing list archives

From chaa...@apache.org
Subject svn commit: r1021346 - in /db/derby/docs/trunk/src/ref: rrefcallprocedure.dita rrefcreatefunctionstatement.dita rrefcreateprocedurestatement.dita rrefsqlj25228.dita rrefsqlj42324.dita rrefsqlj42476.dita
Date Mon, 11 Oct 2010 13:44:32 GMT
Author: chaase3
Date: Mon Oct 11 13:44:31 2010
New Revision: 1021346

URL: http://svn.apache.org/viewvc?rev=1021346&view=rev
Log:
DERBY-4680: Add documentation for routines running with definer's rights

Modified 6 topics in reference manual. 

Patches: DERBY-4680-3.diff

Modified:
    db/derby/docs/trunk/src/ref/rrefcallprocedure.dita
    db/derby/docs/trunk/src/ref/rrefcreatefunctionstatement.dita
    db/derby/docs/trunk/src/ref/rrefcreateprocedurestatement.dita
    db/derby/docs/trunk/src/ref/rrefsqlj25228.dita
    db/derby/docs/trunk/src/ref/rrefsqlj42324.dita
    db/derby/docs/trunk/src/ref/rrefsqlj42476.dita

Modified: db/derby/docs/trunk/src/ref/rrefcallprocedure.dita
URL: http://svn.apache.org/viewvc/db/derby/docs/trunk/src/ref/rrefcallprocedure.dita?rev=1021346&r1=1021345&r2=1021346&view=diff
==============================================================================
--- db/derby/docs/trunk/src/ref/rrefcallprocedure.dita (original)
+++ db/derby/docs/trunk/src/ref/rrefcallprocedure.dita Mon Oct 11 13:44:31 2010
@@ -25,7 +25,24 @@ limitations under the License.
 </prolog>
 <refbody>
 <section><p>The CALL (PROCEDURE) statement is used to call procedures. A call
to a
-procedure does not return any value.</p></section>
+procedure does not return any value.</p>
+<p>When a procedure with definer's rights is called, the current default schema
+is set to the eponymously named schema of the definer. For example, if the
+defining user is called OWNER, the default schema will also be set to OWNER.
+The definer's rights include the right to set the current role to a role
+for which the definer has privileges. When the procedure is first invoked, no
+role is set; even if the invoker has set a current role, the procedure running
+with definer's rights has no current role set initially.</p>
+<p>When a procedure with invoker's rights is called, the current default
+schema and current role are unchanged initially within the procedure. Similarly,
+if SQL authorization mode is not enabled, the current default schema is
+unchanged initially within the procedure.</p>
+<p>When the call returns, any changes made inside the procedure to the default
+current schema (and current role, if relevant) are reset (popped).</p>
+<p>For information about definer's rights, see
+<xref href="rrefcreateprocedurestatement.dita#rrefcreateprocedurestatement/rrefcrprodefrts"></xref>.
+</p>
+</section>
 <section><title>Syntax</title>
 <codeblock><b>CALL <i><xref href="rrefcreateprocedurestatement.dita#rrefcreateprocedurestatement/rrefcrproprocedurename">procedure-Name</xref></i>
( [ <varname>expression</varname> [, <varname>expression</varname>]*
] )
 </b></codeblock></section>
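
Review bot: The last added paragraph says "default current schema" while the two paragraphs above it say "current default schema"; pick one term, since a reader can otherwise take them for two different settings. The definer's-rights paragraph also does not say that it applies only when SQL authorization mode is enabled, although the invoker's-rights paragraph does mention the mode. A short clause to that effect would let the CALL topic be read without following the xref to rrefcrprodefrts.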

Modified: db/derby/docs/trunk/src/ref/rrefcreatefunctionstatement.dita
URL: http://svn.apache.org/viewvc/db/derby/docs/trunk/src/ref/rrefcreatefunctionstatement.dita?rev=1021346&r1=1021345&r2=1021346&view=diff
==============================================================================
--- db/derby/docs/trunk/src/ref/rrefcreatefunctionstatement.dita (original)
+++ db/derby/docs/trunk/src/ref/rrefcreatefunctionstatement.dita Mon Oct 11 13:44:31 2010
@@ -96,6 +96,7 @@ allowed as the type of a column in the d
 | <xref href="rrefcreatefunctionstatement.dita#rrefcreatefunctionstatement/rrefcrfunctiondetchar">DeterministicCharacteristic</xref>
 | EXTERNAL NAME <i>string</i>
 | PARAMETER STYLE <xref href="rrefcreatefunctionstatement.dita#rrefcreatefunctionstatement/rrefcrfunctionparameterstyle">ParameterStyle</xref>
+| EXTERNAL SECURITY { DEFINER | INVOKER }
 | { NO SQL | CONTAINS SQL | READS SQL DATA }
 | { RETURNS NULL ON NULL INPUT | CALLED ON NULL INPUT }
  }</b></codeblock></example>
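
Review bot: The added syntax line "| EXTERNAL SECURITY { DEFINER | INVOKER }" carries no xref, unlike the DeterministicCharacteristic and ParameterStyle entries just above it. Link it to the new section (id rrefcrfunctiondefrts in this same file) so the clause that changes whose privileges the function runs with is reachable from the syntax block.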
@@ -130,7 +131,29 @@ and which is mapped to a method which re
 <i>ResultSet</i>. Otherwise, the PARAMETER STYLE must be JAVA.
 </p>
 </section>
-
+<section id="rrefcrfunctiondefrts"><title>EXTERNAL SECURITY</title>
+<p>If SQL authorization mode is enabled, a function runs by default with the
+privileges specified for the user who invokes the function (invoker's rights).
+To specify that the function should run with the privileges specified for the
+user who defines the function (definer's rights), create the function with
+EXTERNAL SECURITY DEFINER. Those privileges include the right to set the current
+role to a role for which the definer has privileges. When the function is first
+invoked, no role is set; even if the invoker has set a current role, the
+function running with definer's rights has no current role set initially.</p>
+<p>See <i><xref href="rrefpropersqlauth.dita#rrefpropersqlauth"></xref></i>
for
+details about setting SQL authorization mode.</p>
+<p>When a function with definer's rights is invoked, the current default schema
+is set to the eponymously named schema of the definer. For example, if the
+defining user is called OWNER, the default schema will also be set to OWNER.</p>
+<p>When a function with invoker's rights is called, the current default
+schema and current role are unchanged initially within the function. Similarly,
+if SQL authorization mode is not enabled, the current default schema is
+unchanged initially within the function.</p>
+<p>When the call returns, any changes made inside the function to the default
+current schema (and current role, if relevant) are reset (popped).</p>
+<p>If SQL authorization mode is not enabled, an attempt to create a function
+with EXTERNAL SECURITY will result in an error.</p>
+</section>
 <section><title>NO SQL, CONTAINS SQL, READS SQL DATA</title> <p>Indicates
 whether the function issues any SQL statements and, if so, what type.</p> <dl>
 <dlentry>
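
Review bot: The new EXTERNAL SECURITY section never names EXTERNAL SECURITY INVOKER as the explicit form of the default, and its closing paragraph ("an attempt to create a function with EXTERNAL SECURITY will result in an error") leaves open whether INVOKER is rejected as well as DEFINER when SQL authorization mode is off. State both points directly, and consider moving the error paragraph to the top of the section, since it is a precondition for everything else the section describes.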

Modified: db/derby/docs/trunk/src/ref/rrefcreateprocedurestatement.dita
URL: http://svn.apache.org/viewvc/db/derby/docs/trunk/src/ref/rrefcreateprocedurestatement.dita?rev=1021346&r1=1021345&r2=1021346&view=diff
==============================================================================
--- db/derby/docs/trunk/src/ref/rrefcreateprocedurestatement.dita (original)
+++ db/derby/docs/trunk/src/ref/rrefcreateprocedurestatement.dita Mon Oct 11 13:44:31 2010
@@ -65,6 +65,7 @@ allowed as parameters in a CREATE PROCED
 | <xref href="rrefcreateprocedurestatement.dita#rrefcreateprocedurestatement/rrefcrproceduredetchar">DeterministicCharacteristic</xref>
 | EXTERNAL NAME <i>string</i>
 | PARAMETER STYLE JAVA
+| EXTERNAL SECURITY { DEFINER | INVOKER }
 | { NO SQL | MODIFIES SQL DATA | CONTAINS SQL | READS SQL DATA }
  }
 </b></codeblock></example>
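
Review bot: The added "| EXTERNAL SECURITY { DEFINER | INVOKER }" line has no xref, while the DeterministicCharacteristic entry above it does. The new section id rrefcrprodefrts, which the CALL topic in this commit already links to, is the natural target.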
@@ -93,6 +94,29 @@ additional parameters to the Java method
 are passed single entry arrays.</p> <p><ph conref="../conrefs.dita#prod/productshortname"></ph>
does
 not support long column types (for example Long Varchar, BLOB, and so on).
 An error will occur if you try to use one of these long column types. </p></section>
+<section id="rrefcrprodefrts"><title>EXTERNAL SECURITY</title>
+<p>If SQL authorization mode is enabled, a procedure runs by default with the
+privileges specified for the user who invokes the procedure (invoker's rights).
+To specify that the procedure should run with the privileges specified for the
+user who defines the procedure (definer's rights), create the procedure with
+EXTERNAL SECURITY DEFINER. Those privileges include the right to set the current
+role to a role for which the definer has privileges. When the procedure is first
+invoked, no role is set; even if the invoker has set a current role, the
+procedure running with definer's rights has no current role set initially.</p>
+<p>See <i><xref href="rrefpropersqlauth.dita#rrefpropersqlauth"></xref></i>
for
+details about setting SQL authorization mode.</p>
+<p>When a procedure with definer's rights is called, the current default schema
+is set to the eponymously named schema of the definer. For example, if the
+defining user is called OWNER, the default schema will also be set to OWNER.</p>
+<p>When a procedure with invoker's rights is called, the current default
+schema and current role are unchanged initially within the procedure. Similarly,
+if SQL authorization mode is not enabled, the current default schema is
+unchanged initially within the procedure.</p>
+<p>When the call returns, any changes made inside the procedure to the default
+current schema (and current role, if relevant) are reset (popped).</p>
+<p>If SQL authorization mode is not enabled, an attempt to create a procedure
+with EXTERNAL SECURITY will result in an error.</p>
+</section>
 <section><title>NO SQL, CONTAINS SQL, READS SQL DATA, MODIFIES SQL DATA </title>
<p>Indicates
         whether the stored procedure issues any SQL statements and, if so, what type.
     MODIFIES SQL DATA is the default value.
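
Review bot: This EXTERNAL SECURITY section repeats the function topic's section almost word for word, with "procedure" substituted, and three of its paragraphs appear a third time in the CALL topic. The file already uses conref (see the productshortname ph in the context above), so the shared paragraphs could live in one place and be pulled in here; otherwise a later correction to the privilege or role wording has to be made in three files and can drift.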

Modified: db/derby/docs/trunk/src/ref/rrefsqlj25228.dita
URL: http://svn.apache.org/viewvc/db/derby/docs/trunk/src/ref/rrefsqlj25228.dita?rev=1021346&r1=1021345&r2=1021346&view=diff
==============================================================================
--- db/derby/docs/trunk/src/ref/rrefsqlj25228.dita (original)
+++ db/derby/docs/trunk/src/ref/rrefsqlj25228.dita Mon Oct 11 13:44:31 2010
@@ -24,10 +24,23 @@ limitations under the License.
 <keywords><indexterm>SESSION_USER function</indexterm></keywords>
 </metadata></prolog>
 <refbody>
-<section> <p>SESSION_USER returns the authorization identifier or name of
-the current user. If there is no current user, it returns <i>APP.</i></p>
 <p><xref
-href="rrefsqlj42476.dita#rrefsqlj42476">USER</xref>, <xref href="rrefsqlj42324.dita#rrefsqlj42324">CURRENT_USER</xref>,
-and SESSION_USER are synonyms.</p></section>
+<section> <p>When used outside stored routines, SESSION_USER,
+<xref href="rrefsqlj42476.dita#rrefsqlj42476">USER</xref>, and 
+<xref href="rrefsqlj42324.dita#rrefsqlj42324">CURRENT_USER</xref> all
+return the authorization identifier of the user that created the SQL
+session.</p>
+<p>SESSION_USER also always returns this value when used within stored
+routines.</p>
+<p>If used within a stored routine created with EXTERNAL SECURITY DEFINER,
+however, USER and CURRENT_USER return the authorization identifier of the user
+that owns the schema of the routine. This is usually the creating user,
+although the database owner could be the creator as well.</p>
+<p>For information about definer's and invoker's rights, see
+<xref href="rrefcreateprocedurestatement.dita#rrefcreateprocedurestatement"></xref>
+or
+<xref href="rrefcreatefunctionstatement.dita#rrefcreatefunctionstatement"></xref>.
+</p>
+</section>
 <refsyn><title>Syntax</title> <codeblock><b>SESSION_USER</b></codeblock>
</refsyn>
 <example> <codeblock><b>VALUES SESSION_USER</b></codeblock>
</example>
 </refbody>
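
Review bot: The removed text stated that SESSION_USER returns APP when there is no current user, and the replacement paragraphs drop that without saying what is returned in that case. If the behaviour still holds, keep the sentence; if it no longer holds, the change deserves a mention in the log message, because callers may compare the returned identifier against APP.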

Modified: db/derby/docs/trunk/src/ref/rrefsqlj42324.dita
URL: http://svn.apache.org/viewvc/db/derby/docs/trunk/src/ref/rrefsqlj42324.dita?rev=1021346&r1=1021345&r2=1021346&view=diff
==============================================================================
--- db/derby/docs/trunk/src/ref/rrefsqlj42324.dita (original)
+++ db/derby/docs/trunk/src/ref/rrefsqlj42324.dita Mon Oct 11 13:44:31 2010
@@ -24,10 +24,23 @@ limitations under the License.
 <keywords><indexterm>CURRENT_USER function</indexterm></keywords>
 </metadata></prolog>
 <refbody>
-<section> <p>CURRENT_USER returns the authorization identifier of the current
-user (the name of the user passed in when the user connected to the database).
-If there is no current user, it returns <i>APP.</i></p>  <p><xref
href="rrefsqlj42476.dita#rrefsqlj42476">USER</xref> and <xref href="rrefsqlj25228.dita#rrefsqlj25228">SESSION_USER</xref>
are
-synonyms.</p>  <p>These functions return a string of up to 128 characters.</p></section>
+<section> <p>When used outside stored routines, CURRENT_USER,
+<xref href="rrefsqlj42476.dita#rrefsqlj42476">USER</xref>, and 
+<xref href="rrefsqlj25228.dita#rrefsqlj25228">SESSION_USER</xref> all
+return the authorization identifier of the user that created the SQL
+session.</p>
+<p>SESSION_USER also always returns this value when used within stored
+routines.</p>
+<p>If used within a stored routine created with EXTERNAL SECURITY DEFINER,
+however, CURRENT_USER and USER return the authorization identifier of the user
+that owns the schema of the routine. This is usually the creating user,
+although the database owner could be the creator as well.</p>
+<p>For information about definer's and invoker's rights, see
+<xref href="rrefcreateprocedurestatement.dita#rrefcreateprocedurestatement"></xref>
+or
+<xref href="rrefcreatefunctionstatement.dita#rrefcreatefunctionstatement"></xref>.
+</p>  
+<p>These functions return a string of up to 128 characters.</p></section>
 <refsyn><title>Syntax</title> <codeblock><b>CURRENT_USER</b></codeblock>
</refsyn>
 <example> <codeblock><b>VALUES CURRENT_USER</b></codeblock>
</example>
 </refbody>
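
Review bot: The third added paragraph says CURRENT_USER and USER return "the user that owns the schema of the routine", whereas the CREATE FUNCTION and CREATE PROCEDURE topics in this commit describe definer's rights as the privileges of "the user who defines" the routine. The follow-up sentence ("This is usually the creating user, although the database owner could be the creator as well") hints that the two can differ but does not say which one supplies the privileges. Spell out that case in one sentence so all six topics agree on whose identity a definer's-rights routine runs under.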

Modified: db/derby/docs/trunk/src/ref/rrefsqlj42476.dita
URL: http://svn.apache.org/viewvc/db/derby/docs/trunk/src/ref/rrefsqlj42476.dita?rev=1021346&r1=1021345&r2=1021346&view=diff
==============================================================================
--- db/derby/docs/trunk/src/ref/rrefsqlj42476.dita (original)
+++ db/derby/docs/trunk/src/ref/rrefsqlj42476.dita Mon Oct 11 13:44:31 2010
@@ -24,9 +24,23 @@ limitations under the License.
 <keywords><indexterm>USER function</indexterm></keywords>
 </metadata></prolog>
 <refbody>
-<section> <p>USER returns the authorization identifier or name of the current
-user. If there is no current user, it returns <i>APP.</i></p><p>USER,
<xref href="rrefsqlj42324.dita#rrefsqlj42324">CURRENT_USER</xref>,
-and <xref href="rrefsqlj25228.dita#rrefsqlj25228">SESSION_USER</xref> are synonyms.</p></section>
+<section> <p>When used outside stored routines, USER,
+<xref href="rrefsqlj42324.dita#rrefsqlj42324">CURRENT_USER</xref>, and 
+<xref href="rrefsqlj25228.dita#rrefsqlj25228">SESSION_USER</xref> all
+return the authorization identifier of the user that created the SQL
+session.</p>
+<p>SESSION_USER also always returns this value when used within stored
+routines.</p>
+<p>If used within a stored routine created with EXTERNAL SECURITY DEFINER,
+however, USER and CURRENT_USER return the authorization identifier of the user
+that owns the schema of the routine. This is usually the creating user,
+although the database owner could be the creator as well.</p>
+<p>For information about definer's and invoker's rights, see
+<xref href="rrefcreateprocedurestatement.dita#rrefcreateprocedurestatement"></xref>
+or
+<xref href="rrefcreatefunctionstatement.dita#rrefcreatefunctionstatement"></xref>.
+</p>  
+</section>
 <refsyn><title>Syntax</title><codeblock><b>USER</b></codeblock>
</refsyn>
 <example> <codeblock><b>VALUES USER</b></codeblock> </example>
 </refbody>
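
Review bot: The two xrefs in the last added paragraph point at the CREATE PROCEDURE and CREATE FUNCTION topics as a whole, while the CALL topic in this commit links straight to the section id (rrefcreateprocedurestatement/rrefcrprodefrts). Link to rrefcrprodefrts and rrefcrfunctiondefrts here too, and in the matching paragraphs of the SESSION_USER and CURRENT_USER topics. The added "</p>" line before "</section>" also carries trailing spaces that should be trimmed.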


