From "Francois Orsini (JIRA)" <derby-...@db.apache.org>
Subject [jira] Commented: (DERBY-866) BUILT-IN Derby User Management (DDL) Enhancements
Date Thu, 26 Jan 2006 16:04:10 GMT
    [ http://issues.apache.org/jira/browse/DERBY-866?page=comments#action_12364090 ] 

Francois Orsini commented on DERBY-866:
---------------------------------------

> Daniel John Debrunner commented on DERBY-866:
> ---------------------------------------------
> 
> I see the argument for DDL, maybe the create user could be like
> 
> CREATE USER <username> IDENTIFIED BY PASSWORD <password>
> 
> basically the addition of the PASSWORD keyword would make future enhancements more in
> line, e.g.
> 
> CREATE USER <username> IDENTIFIED BY LDAP  <ldap stuff>
> 
> Maybe the SYSUSERS table could have a column indicating the authentication style, BUILTIN/LDAP/java
> class name etc.
> 

Yes it could - I somewhat tried to avoid this as we have a pluggable authentication scheme
so additional custom-created auth providers would not have the proper grammar defined (unless
they are part of Derby where the grammar can always be extended to support a new one) - But
a new auth provider can just be implemented outside of Derby, hence we would also need to
map to the custom auth providers out there - but if we have a column with the authentication
provider name, then we can expect to have the proper user login info as part of the 'IDENTIFIED
BY' clause without any extra specific auth type keyword... In this case, the password column
can just be renamed to something else (i.e. AUTH_INFO), in order to support *not* just a password
value but other types of info (it would be a VARCHAR after all) for the other providers.

_or_ based on what you're suggesting we could still have:

// Built-In
CREATE USER <username> IDENTIFIED BY PASSWORD <password>

// LDAP (mapping)
CREATE USER <username> IDENTIFIED BY LDAP  <ldap stuff>

// PAM (mapping)
CREATE USER <username> IDENTIFIED BY PAM <pam stuff>

// CUSTOM Auth Provider (mapping) - External keyword used for that purpose here
CREATE USER <username> IDENTIFIED BY EXTERNAL <custom stuff>

> BUILT-IN Derby User Management (DDL) Enhancements
> -------------------------------------------------
>
>          Key: DERBY-866
>          URL: http://issues.apache.org/jira/browse/DERBY-866
>      Project: Derby
>         Type: Improvement
>   Components: Security
>     Versions: 10.2.0.0
>     Reporter: Francois Orsini
>      Fix For: 10.2.0.0
>  Attachments: Derby_User_Enhancement.html
>
> Proposal to enhance Derby's Built-In DDL User Management. (See proposal spec attached
> to the JIRA).
> Abstract:
> This feature aims at improving the way BUILT-IN users are managed in Derby by providing
> a more intuitive and familiar DDL interface. Currently (in 10.1.2.1), Built-In users can be
> defined at the system and/or database level. Users created at the system level can be defined
> via JVM or/and Derby system properties in the derby.properties file. Built-in users created
> at the database level are defined via a call to a Derby system procedure (SYSCS_UTIL.SYSCS_SET_DATABASE_PROPERTY)
> which sets a database property.
> Defining a user at the system level is very convenient and practical during the development
> phase (EOD) of an application - However, the user's password is not encrypted and consequently
> appears in clear in the derby.properties file. Hence, for an application going into production,
> whether it is embedded or not, it is preferable to create users at the database level where
> the password is encrypted.
> There is no real ANSI SQL standard for managing users in SQL but by providing a more
> intuitive and known interface, it will ease Built-In User management at the database level
> as well as Derby's adoption.

-- 
This message is automatically generated by JIRA.
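The `CREATE USER ... IDENTIFIED BY <provider> <info>` grammar sketched in the comment above, turned into a small reference parser that fills a SYSUSERS-style row with an authentication-provider column. This is an added example, not Derby's code: the `AUTH_INFO` column name, the uppercase folding of the username, the single-quoted password literal and the PBKDF2 storage format are assumptions; the point it shows is that for the BUILTIN provider only a salted hash reaches the row, so the cleartext password problem the JIRA description raises for derby.properties is not carried into the system table.

```python
import hashlib
import hmac
import os
import re
from dataclasses import dataclass

# Hypothetical grammar from the thread: the keyword after IDENTIFIED BY selects the
# authentication provider; whatever follows it is provider-specific AUTH_INFO.
CREATE_USER_RE = re.compile(
    r"^\s*CREATE\s+USER\s+(\w+)\s+IDENTIFIED\s+BY\s+"
    r"(PASSWORD|LDAP|PAM|EXTERNAL)\s+(.+?)\s*;?\s*$",
    re.IGNORECASE | re.DOTALL,
)

PBKDF2_ROUNDS = 100_000  # assumption: iteration count for the constructed storage format


@dataclass
class SysUsersRow:
    username: str
    auth_provider: str  # BUILTIN / LDAP / PAM / EXTERNAL (assumed column)
    auth_info: str      # hash for BUILTIN, opaque mapping string for the others


def hash_password(password: str, salt=None) -> str:
    """Salted PBKDF2-HMAC-SHA256; constructed format 'pbkdf2:<hexsalt>:<hexdigest>'."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return f"pbkdf2:{salt.hex()}:{digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the digest with the stored salt and compare in constant time."""
    scheme, hexsalt, hexdigest = stored.split(":")
    if scheme != "pbkdf2":
        return False
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(hexsalt), PBKDF2_ROUNDS)
    return hmac.compare_digest(digest.hex(), hexdigest)


def parse_create_user(ddl: str) -> SysUsersRow:
    """Map one CREATE USER statement to the row that would go into SYSUSERS."""
    m = CREATE_USER_RE.match(ddl)
    if not m:
        raise ValueError("not a CREATE USER ... IDENTIFIED BY statement")
    # Unquoted SQL identifiers fold to upper case (assumed to match Derby's behaviour).
    name, kind, info = m.group(1).upper(), m.group(2).upper(), m.group(3)
    if kind == "PASSWORD":
        # BUILTIN provider: the row stores a salted hash, never the password itself.
        return SysUsersRow(name, "BUILTIN", hash_password(info.strip("'")))
    # LDAP / PAM / EXTERNAL: the mapping string is passed through to the provider.
    return SysUsersRow(name, kind, info)
```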