Message-ID: <43ECDBA6.9080204@apache.org>
Date: Fri, 10 Feb 2006 10:29:58 -0800
From: Daniel John Debrunner
To: derby-dev@db.apache.org
Subject: Re: Grant and Revoke, Part II ... DERBY-464...
In-Reply-To: <43EA75CE.3040203@Sourcery.Org>

Satheesh Bandaram wrote:

> I am not sure if previous discussion about migrating a legacy mode
> database to Grant Revoke model was finalized. It seems there were two
> thoughts:
>
>    1. Keep authorization models separate. Legacy mode database can be
>       migrated to sqlStandard model by connecting with a URL property.
>       (sqlAuthorization=true)
>    2. Dan proposed combining both models with Grant and Revoke
>       capability being seen as adding fine-grain access control on top
>       of current model. While this proposal doesn't impact Grant and
>       Revoke work being done currently by much, it may have implications
>       on some future work. (like system privileges) This does make it
>       easier for existing databases to adapt new capabilities.

I guess I don't understand how 1) is useful. In this mode by adding
grant/revoke in its current form you are removing key authorization options.
For example if I'm using an LDAP authentication scheme I won't be able to
limit the set of authenticated LDAP users who can connect to my database. I
can do that now, and with 2) I can do that and have more fine grained
authorization.

Dan.