db-derby-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Mamta A. Satoor (JIRA)" <derby-...@db.apache.org>
Subject [jira] Commented: (DERBY-1330) Provide runtime privilege checking for grant/revoke functionality
Date Fri, 30 Jun 2006 16:46:32 GMT
    [ http://issues.apache.org/jira/browse/DERBY-1330?page=comments#action_12418678 ] 

Mamta A. Satoor commented on DERBY-1330:
----------------------------------------

Based on Dan's feedback on QueryNode, I am proposing the method name to be changed from "isExecutingWithInvokerPrivileges"
to  "isPrivilegeCollectionRequired". I tend to get too verbose with my method names, so if
anyone has another suggestion for more appropriate method name, please suggest so. As for
the comments for that method, I am suggesting following
	/**
	 * Return true from this method means that we need to collect privilege 
	 * requirement for this node. For following cases, this method will
	 * return true.
	 *  1)execute view - collect privilege to access view but do not collect
	 *  privilege requirements for objects accessed by actual view uqery
	 *  2)execute select - collect privilege requirements for objects accessed
	 *  by select statement
	 *  3)create view -  collect privileges for select statement : the select 
	 *  statement for create view falls under 2) category above.
	 *  
	 * @return true if need to collect privilege requirement for this node
	 */


> Provide runtime privilege checking for grant/revoke functionality
> -----------------------------------------------------------------
>
>          Key: DERBY-1330
>          URL: http://issues.apache.org/jira/browse/DERBY-1330
>      Project: Derby
>         Type: Sub-task

>   Components: SQL
>     Versions: 10.2.0.0
>     Reporter: Mamta A. Satoor
>     Assignee: Mamta A. Satoor
>  Attachments: AuthorizationModelForDerbySQLStandardAuthorization.html, AuthorizationModelForDerbySQLStandardAuthorizationV2.html,
Derby1330ViewPrivilegeCollectionV1diff.txt, Derby1330ViewPrivilegeCollectionV1stat.txt
>
> Additional work needs to be done for grant/revoke to make sure that only users with required
privileges can access various database objects. In order to do that, first we need to collect
the privilege requirements for various database objects and store them in SYS.SYSREQUIREDPERM.
Once we have this information then when a user tries to access an object, the required SYS.SYSREQUIREDPERM
privileges for the object will be checked against the user privileges in SYS.SYSTABLEPERMS,
SYS.SYSCOLPERMS and SYS.SYSROUTINEPERMS. The database object access will succeed only if the
user has the necessary privileges.
> SYS.SYSTABLEPERMS, SYS.SYSCOLPERMS and SYS.SYSROUTINEPERMS are already populated by Satheesh's
work on DERBY-464. But SYS.SYSREQUIREDPERM doesn't have any information in it at this point
and hence no runtime privilege checking is getting done at this point.

-- 
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators:
   http://issues.apache.org/jira/secure/Administrators.jspa
-
For more information on JIRA, see:
   http://www.atlassian.com/software/jira


Mime
View raw message