Return-Path: Delivered-To: apmail-db-derby-dev-archive@www.apache.org Received: (qmail 98190 invoked from network); 15 Jun 2006 04:51:47 -0000 Received: from hermes.apache.org (HELO mail.apache.org) (209.237.227.199) by minotaur.apache.org with SMTP; 15 Jun 2006 04:51:47 -0000 Received: (qmail 58173 invoked by uid 500); 15 Jun 2006 04:51:47 -0000 Delivered-To: apmail-db-derby-dev-archive@db.apache.org Received: (qmail 58135 invoked by uid 500); 15 Jun 2006 04:51:46 -0000 Mailing-List: contact derby-dev-help@db.apache.org; run by ezmlm Precedence: bulk List-Help: List-Unsubscribe: List-Post: List-Id: Reply-To: Delivered-To: mailing list derby-dev@db.apache.org Received: (qmail 58118 invoked by uid 99); 15 Jun 2006 04:51:46 -0000 Received: from asf.osuosl.org (HELO asf.osuosl.org) (140.211.166.49) by apache.org (qpsmtpd/0.29) with ESMTP; Wed, 14 Jun 2006 21:51:46 -0700 X-ASF-Spam-Status: No, hits=0.0 required=10.0 tests= X-Spam-Check-By: apache.org Received: from [209.237.227.198] (HELO brutus.apache.org) (209.237.227.198) by apache.org (qpsmtpd/0.29) with ESMTP; Wed, 14 Jun 2006 21:51:45 -0700 Received: from brutus (localhost [127.0.0.1]) by brutus.apache.org (Postfix) with ESMTP id AE38E714204 for ; Thu, 15 Jun 2006 04:50:31 +0000 (GMT) Message-ID: <779051.1150347031710.JavaMail.jira@brutus> Date: Thu, 15 Jun 2006 04:50:31 +0000 (GMT+00:00) From: "Mamta A. Satoor (JIRA)" To: derby-dev@db.apache.org Subject: [jira] Updated: (DERBY-1330) Provide runtime privilege checking for grant/revoke functionality In-Reply-To: <14984243.1147927445981.JavaMail.jira@brutus> MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: 7bit X-Virus-Checked: Checked by ClamAV on apache.org X-Spam-Rating: minotaur.apache.org 1.6.2 0/1000/N [ http://issues.apache.org/jira/browse/DERBY-1330?page=all ] Mamta A. Satoor updated DERBY-1330: ----------------------------------- Attachment: AuthorizationModelForDerbySQLStandardAuthorizationV2.html I did a little research on Dan's suggestion about using existing system table SYS.SYSDEPENDS rather than introducing a new system table to keep track of views'/triggers'/constraints' dependencies on privileges. I think SYS.SYSDEPENDS should serve the purpose. Based on that, I have updated the functional spec(1st 2 paragraphs under section "DDL support for views, triggers and constraints") and attached it as AuthorizationModelForDerbySQLStandardAuthorizationV2.html. Any feedback will be appreciated. > Provide runtime privilege checking for grant/revoke functionality > ----------------------------------------------------------------- > > Key: DERBY-1330 > URL: http://issues.apache.org/jira/browse/DERBY-1330 > Project: Derby > Type: Sub-task > Components: SQL > Versions: 10.2.0.0 > Reporter: Mamta A. Satoor > Attachments: AuthorizationModelForDerbySQLStandardAuthorization.html, AuthorizationModelForDerbySQLStandardAuthorizationV2.html > > Additional work needs to be done for grant/revoke to make sure that only users with required privileges can access various database objects. In order to do that, first we need to collect the privilege requirements for various database objects and store them in SYS.SYSREQUIREDPERM. Once we have this information then when a user tries to access an object, the required SYS.SYSREQUIREDPERM privileges for the object will be checked against the user privileges in SYS.SYSTABLEPERMS, SYS.SYSCOLPERMS and SYS.SYSROUTINEPERMS. The database object access will succeed only if the user has the necessary privileges. > SYS.SYSTABLEPERMS, SYS.SYSCOLPERMS and SYS.SYSROUTINEPERMS are already populated by Satheesh's work on DERBY-464. But SYS.SYSREQUIREDPERM doesn't have any information in it at this point and hence no runtime privilege checking is getting done at this point. -- This message is automatically generated by JIRA. - If you think it was sent incorrectly contact one of the administrators: http://issues.apache.org/jira/secure/Administrators.jspa - For more information on JIRA, see: http://www.atlassian.com/software/jira