db-derby-dev mailing list archives

From Francois Orsini <francois.ors...@gmail.com>
Subject Re: Grant and Revoke, Part II ... DERBY-464...
Date Wed, 15 Feb 2006 23:51:21 GMT
Hi Satheesh,

Please find my comments enclosed below:

On 2/8/06, Satheesh Bandaram <satheesh@sourcery.org> wrote:
>  I am not sure if previous discussion about migrating a legacy mode database
> to Grant Revoke model was finalized. It seems there were two thoughts:
> 1. Keep authorization models separate. Legacy mode database can be migrated to
> sqlStandard model by connecting with a URL property. (sqlAuthorization=true)

How do we restrict anyone from specifying this new URL property? This is a
system privilege by itself that would need to be granted unless it is
a user with an 'ADMIN' role (which we don't have yet). Are we also
going to allow users to move from legacy to grant/revoke during the
database upgrade phase? I thought so.

> 2. Dan proposed combining both models with Grant and Revoke capability being
> seen as adding fine-grain access control on top of current model. While this
> proposal doesn't impact Grant and Revoke work being done currently by much,
> it may have implications on some future work. (like system privileges) This
> does make it easier for existing databases to adapt new capabilities.

I remember we discussed this - This sounds good if ANSI ROLES are not
there but when they are, then equivalent roles for the various legacy
authorization modes can be defined to act the same way. For instance,
a role for a 'read-only' authorization identifier (i.e. user/role) can
be defined to act the same as legacy
'derby.database.readOnlyAccessUsers', etc - you just assign some
defined 'READ_ONLY' role to the users that you reference as part of
the 'derby.database.readOnlyAccessUsers' Derby property... Hence, no
need to mix 2 authorization modes of different standards but until
ROLES are there I agree with Dan this is a *must* to have...

>  Satheesh
>  Daniel John Debrunner wrote:
>  Satheesh Bandaram wrote:
>  I think mixing both will lead to confusion to users many already
> familiar with the ANSI subset model being proposed. This will also
> create hurdles as we expand authorization scheme to support roles and
> "system privileges" as Francois calls them and other security capabilities.
>  I'm more proposing this to deal with existing Derby applications and
> finding an easy way to bring them into the new world of grant revoke.
> Users familiar with the ANSI subset model would just use that, no need
> to get involved with the defaultConnectionModel. Though until roles and
> system privileges are supported, they might need to, to ensure a secure
> system. I haven't seen any proposal on these roles or system privileges
> so I'm looking at how secure Derby will be in its next release given
> what has been proposed and is being worked on.
> Dan.
