db-derby-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Daniel John Debrunner <...@apache.org>
Subject Re: Grant and Revoke, Part II ... DERBY-464...
Date Fri, 10 Feb 2006 18:29:58 GMT
Satheesh Bandaram wrote:

> I am not sure if previous discussion about migrating a legacy mode
> database to Grant Revoke model was finalized. It seems there were two
> thoughts:
> 
>    1. Keep authorization models separate. Legacy mode database can be
>       migrated to sqlStandard model by connecting with a URL property.
>       (sqlAuthorization=true)
>    2. Dan proposed combining both models with Grant and Revoke
>       capability being seen as adding fine-grain access control on top
>       of current model. While this proposal doesn't impact Grant and
>       Revoke work being done currently by much, it may have implications
>       on some future work. (like system privileges) This does make it
>       easier for existing databases to adapt new capabilities.

I guess I don't understand how 1) is useful. In this mode by adding
grant/revoke in its current form you are removing key authorization
options. For example if I'm using an LDAP authentication scheme I won't
be able to limt the set of authenticated LDAP users who can connect to
my database. I can do that now, and with 2) I can do that and have more
fine grained authorization.

Dan.

Mime
View raw message