db-derby-dev mailing list archives

From Daniel John Debrunner <...@apache.org>
Subject Re: [Grant/Revoke]Proposal for invoker/definer model
Date Wed, 15 Mar 2006 21:29:11 GMT
Satheesh Bandaram wrote:

> Mamta Satoor wrote:

[ design spec for pushing/popping current authorization id snipped]

> It seems to me we need two different solutions... one for views and
> another for triggers/constraints. It is possible to extend what we may
> do for triggers/constraints later to routines, but views need to be
> handled differently.

I don't think it's that simple; the implementation of views leads to
some differences, but fundamentally the model that Mamta is proposing
has to apply. Thus views have to interact with the pushing & popping model.

Take this example:

-- view owned by dan
create view viewdan as
select TC.name, F(HA) FA from viewsatheesh vs, TC where TC.id = VS.ID

-- view owned by satheesh
create view viewsatheesh as
select id, H(a) HA from TO

-- connection with user identifier mamta.

executes 'select name, G(FA) from viewdan'

This is expanded to something like:

select TC.name, G(F(H(a))) from TO, TC
                where TC.id = TO.ID

Required permissions:

viewdan select by mamta
viewsatheesh select by dan (implicit in view definition?)
TO select by satheesh (implicit in view definition?)
TC select by dan (implicit in view definition?)
H execute by satheesh (implicit in view definition?)
F execute by dan (implicit in view definition?)
G execute by mamta

Current user when executing functions:

H() is executed as satheesh (invoker in viewsatheesh)
F() is executed as dan (invoker in viewdan)
G() is executed as mamta (invoker in outer query)

The 'executed as' is important, it gets reflected in any server-side
JDBC accessed by the function. Those server-side JDBC calls are invoked
with the permissions of the invoker of the function. The invoker of the
function is defined by the view or the outer select.
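
The push/pop walk over the nested views in the message, as an added example (not part of the original message and not Derby code). It models each view as owner plus referenced relations and functions, and derives who must hold each privilege and which authorization id each function runs as; VIEWS, resolve and missing are hypothetical names, and whether the view-owner privileges are implicit in the view definition is left open, as in the message.

```python
# Constructed model of the example in the message; all names are hypothetical.
# view name -> (owner, relations the view selects from, functions it calls)
VIEWS = {
    "viewdan": ("dan", ["viewsatheesh", "TC"], ["F"]),
    "viewsatheesh": ("satheesh", ["TO"], ["H"]),
}


def resolve(user, relations, functions):
    """Return (required, executed_as) for a query issued by `user`.

    required    -- list of (object, privilege, authorization id that needs it)
    executed_as -- function name -> authorization id it runs as
    """
    required, executed_as = [], {}
    stack = [user]  # current authorization id is the top of the stack

    def visit(rels, funcs):
        current = stack[-1]
        for rel in rels:
            required.append((rel, "select", current))
            if rel in VIEWS:
                owner, inner_rels, inner_funcs = VIEWS[rel]
                stack.append(owner)  # push: the view body runs as its owner
                visit(inner_rels, inner_funcs)
                stack.pop()          # pop: back to whoever referenced the view
        for fn in funcs:
            required.append((fn, "execute", current))
            executed_as[fn] = current

    visit(relations, functions)
    return required, executed_as


def missing(required, grants):
    """Privileges in `required` that the constructed `grants` set lacks."""
    return [r for r in required if r not in grants]


if __name__ == "__main__":
    # mamta runs: select name, G(FA) from viewdan
    required, executed_as = resolve("mamta", ["viewdan"], ["G"])
    for obj, priv, who in required:
        print(f"{obj} {priv} by {who}")
    print(executed_as)
```
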

