Message-ID: <770283293.1130369456292.JavaMail.jira@ajax.apache.org>
Date: Thu, 27 Oct 2005 01:30:56 +0200 (CEST)
From: "Satheesh Bandaram (JIRA)"
To: derby-dev@db.apache.org
Subject: [jira] Commented: (DERBY-464) Enhance Derby by adding grant/revoke support. Grant/Revoke provide finer level of privileges than currently provided by Derby that is especially useful in network configurations.
In-Reply-To: <1439014097.1121475009861.JavaMail.jira@ajax.apache.org>

[ http://issues.apache.org/jira/browse/DERBY-464?page=comments#action_12356027 ]

Satheesh Bandaram commented on DERBY-464:
-----------------------------------------

Good point, Francois, about adding comments in JIRA for this one. I will add comments here.

I agree ROLES would be another great addition to Derby. Like I mentioned, there are many other potential enhancements possible in access control and security areas. I usually propose ideas that I can implement and want to implement in a reasonable timeframe. Incremental enhancements are the preferred way in open source. Like Rick mentioned, ROLES could be developed in parallel.

I am not sure about CREATE USER/DROP USER capabilities though. Databases are not the ideal places to manage users. Derby also provides several ways to authenticate and/or manage users, including LDAP. The property based user management is only one of these options. See: http://db.apache.org/derby/docs/10.1/devguide/cdevcsecure37817.html

> Enhance Derby by adding grant/revoke support. Grant/Revoke provide finer level of privileges than currently provided by Derby that is especially useful in network configurations.
> -----------------------------------------------------------------------------
>
>          Key: DERBY-464
>          URL: http://issues.apache.org/jira/browse/DERBY-464
>      Project: Derby
>         Type: New Feature
>   Components: SQL
>     Versions: 10.0.2.1, 10.1.1.0, 10.2.0.0
>  Environment: generic
>     Reporter: Satheesh Bandaram
>     Assignee: Satheesh Bandaram
>  Attachments: grant.html
>
> Derby currently provides a very simple permissions scheme, which is quite suitable for an embedded database system.
> End users of embedded Derby do not see Derby directly; they talk to an application that embeds Derby. So Derby left most of the access control work to the application. Under this scheme, Derby limits access on a per database or per system basis. A user can be granted full, read-only, or no access.
> This is less suitable in a general purpose SQL server. When end users or diverse applications can issue SQL commands directly against the database, Derby must provide more precise mechanisms to limit who can do what with the database.
> I propose to enhance Derby by implementing a subset of grant/revoke capabilities as specified by the SQL standard. I envision this work to involve the following tasks, at least:
> 1) Develop a specification of what capabilities I would like to add to Derby.
> 2) Provide a high level implementation scheme.
> 3) Pursue a staged development plan, with support for DDL added to Derby first.
> 4) Add support for runtime checking of these privileges.
> 5) Address migration and upgrade issues from previous releases and from old scheme to newer database.
> Since I think this is a large task, I would like to invite any interested people to work with me on this large and important enhancement to Derby.