Return-Path: Delivered-To: apmail-db-derby-dev-archive@www.apache.org Received: (qmail 13859 invoked from network); 15 Mar 2006 15:19:56 -0000 Received: from hermes.apache.org (HELO mail.apache.org) (209.237.227.199) by minotaur.apache.org with SMTP; 15 Mar 2006 15:19:54 -0000 Received: (qmail 59489 invoked by uid 500); 15 Mar 2006 15:19:53 -0000 Delivered-To: apmail-db-derby-dev-archive@db.apache.org Received: (qmail 59251 invoked by uid 500); 15 Mar 2006 15:19:51 -0000 Mailing-List: contact derby-dev-help@db.apache.org; run by ezmlm Precedence: bulk List-Help: List-Unsubscribe: List-Post: List-Id: Reply-To: Delivered-To: mailing list derby-dev@db.apache.org Received: (qmail 59242 invoked by uid 99); 15 Mar 2006 15:19:51 -0000 Received: from asf.osuosl.org (HELO asf.osuosl.org) (140.211.166.49) by apache.org (qpsmtpd/0.29) with ESMTP; Wed, 15 Mar 2006 07:19:51 -0800 X-ASF-Spam-Status: No, hits=0.0 required=10.0 tests= X-Spam-Check-By: apache.org Received-SPF: neutral (asf.osuosl.org: local policy) Received: from [68.142.198.212] (HELO smtp113.sbc.mail.mud.yahoo.com) (68.142.198.212) by apache.org (qpsmtpd/0.29) with SMTP; Wed, 15 Mar 2006 07:19:51 -0800 Received: (qmail 91773 invoked from network); 15 Mar 2006 15:19:29 -0000 Received: from unknown (HELO ?127.0.0.1?) (ddebrunner@sbcglobal.net@71.131.237.204 with plain) by smtp113.sbc.mail.mud.yahoo.com with SMTP; 15 Mar 2006 15:19:22 -0000 Message-ID: <44183066.1080107@apache.org> Date: Wed, 15 Mar 2006 07:19:02 -0800 From: Daniel John Debrunner User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.3) Gecko/20040910 X-Accept-Language: en-us, en, de MIME-Version: 1.0 To: derby-dev@db.apache.org Subject: Re: [Grant/Revoke]Proposal for invoker/definer model References: <441625D8.1070904@apache.org> In-Reply-To: X-Enigmail-Version: 0.90.0.0 X-Enigmail-Supports: pgp-inline, pgp-mime Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit X-Virus-Checked: Checked by ClamAV on apache.org X-Spam-Rating: minotaur.apache.org 1.6.2 0/1000/N Mamta Satoor wrote: > Here is the proposal for invoker/definer model based on StatementContext. Thanks for the changes, this looks like the correct direction. > > I am proposing that we continue to keep the "invoker" authorizer > information in GenericeLanguageConnectionContext. In addition to that, > we will keep a stack of authorizers and corresponding default schema > descriptors in a StatementContext. When authorizer information (like > getAuthorizationId, getDefaultSchema, getCurrentSchemaName etc) will be > requested from LanguageConnectionContext, it will check if it has an > active StatementContext. If it does have an active > StatementContext, then the authorization information requested will be > obtained from authorizer at the top of StatementContext's authorizer > stack. But if there is no active StatementContext, then authorization > information requested will come from LanguageConnectionContext's invoker > authorizer. This paragraph talks about a stack of default schemas and current schemas, but there are no more details of how this will be implemented. Also, I don't remember anything in the functional spec about how current or default schema was changing, but I can't get to Jira to check & I don't have a local copy of the functional spec from DEBRY-464. Just want to understand what functionality you are proposing to be implemented. > When authorizer information (like > getAuthorizationId, getDefaultSchema, getCurrentSchemaName etc) The etc. is a little worrying in a design spec, which methods are you changing the behaviour of, is LCC.getAuthorizationId one of them? Might I suggest some method name changes, for readability and clarity of meaning? addAuthorizerToTopOfStack -> pushAuthorizer removeAuthorizerFromTopOfStack -> popAuthorizer Also, I think for the term "invoker", you really mean "session" in some cases. E.g. it's not the invoker user identifier or Authorizer, it's the session's user identifier or Authorizer. > If an object needs to switch to invoker's authorization, code should be > generated to get the invoker authorizer from > GenericLanguageConnectionContext and put that authorizer to the top of > authorizer stack by generating code addAuthorizerToTopOfStack(Authorizer > invokerAuthorizer). To get the invoker authorizer, I am planning on > adding method getInvokerAuthorizer to GenericLanguageConnectionContext. When can this happen? I don't think this code and the associated new methods (getInvokeAuthorizer and addAuthorizerToTopOfStack(Authorizer) are required. Thanks, Dan.