db-derby-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Satheesh Bandaram <sathe...@Sourcery.Org>
Subject Re: Question about Grant/Revoke
Date Fri, 17 Mar 2006 18:58:12 GMT


Oystein Grovlen - Sun Norway wrote:

> Satheesh Bandaram wrote:
>
> At some time in the future when GRANT/REVOKE support is more complete,
> would it be possible to have some way to turn on SQL authorization
> automatically when GRANT/REVOKE is used for the first time?  I think
> that could improve ease of use without breaking backward compatibility.

Derby could, but it would break backward compatibility... Currently all
users with 'fullAccess' mode (for defaultConnectionMode) can read/write
to any table in any schema. Switching to SQL authorization would mean
they would only be able to access their objects by default, so many
applications would see a break in functionality. Users have to change
their applications anyway, to explicitly grant privileges, so why not
make them set 'sqlAuthorization' flag also?

There are many differences in functionality between legacy authorization
model (should this be referred to as 'Derby Authorization' in docs?) to
SQL standard authorization model. (Is 'SQL Standard Authorization' or
'Standard Authorization' correct term for docs?) These differences will
force applications to change anyway, so not sure if we gain much by
automatically switching modes. Better to make it explicit, I think.

> I am not suggesting we do this for 10.2 since I think the limitations
> enforced to be able to guarantee backward compatibility for future
> releases, will probably lead to more confusions that the lack of
> GRANT/REVOKE.
>
I agree... Even if we didn't have these limitations, the authorization
model differences are enough to require marking them  explicitly, in my
opinion.

Satheesh



Mime
View raw message