db-derby-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Mamta A. Satoor (JIRA)" <derby-...@db.apache.org>
Subject [jira] Updated: (DERBY-1330) Provide runtime privilege checking for grant/revoke functionality
Date Wed, 12 Jul 2006 03:48:32 GMT
     [ http://issues.apache.org/jira/browse/DERBY-1330?page=all ]

Mamta A. Satoor updated DERBY-1330:
-----------------------------------

    Attachment: Derby1330uuidIndexForPermsSystemTablesV5diff.txt
                Derby1330uuidIndexForPermsSystemTablesV5stat.txt

With the earlier (uncommitted) patch, one of the tests in derbyall was failing for following
sql
grant execute on function f_abs to mamata2, mamata3;
The execution of grant above needs to add 2 rows into SYSTABLEPERMS. And each one of those
rows need to have a unique uuid. In my earlier patch, I had forgotten to reset the uuid in
TablePrivilegeInfo.executeGrantRevoke and that is why the test above was failing. Similar
change is required in RoutinePrivilegeInfo.executeGrantRevoke for grant on a function to multiple
users in one statement. 

Also, I had said in the comments for earlier patch that there is no need for a constructor
in ColPermsDescriptor which takes permission types in the form of an int. While prototyping
revoke references privilege, I realized that we do need that constructor. So I am going to
leave the constructor as it is and it's usage will be clear once I have the patch fo revoke
references privilege ready.

Can someone review the patch (Derby1330uuidIndexForPermsSystemTablesV5diff.txt) for me and
commit it if it looks good?


> Provide runtime privilege checking for grant/revoke functionality
> -----------------------------------------------------------------
>
>          Key: DERBY-1330
>          URL: http://issues.apache.org/jira/browse/DERBY-1330
>      Project: Derby
>         Type: Sub-task

>   Components: SQL
>     Versions: 10.2.0.0
>     Reporter: Mamta A. Satoor
>     Assignee: Mamta A. Satoor
>  Attachments: AuthorizationModelForDerbySQLStandardAuthorization.html, AuthorizationModelForDerbySQLStandardAuthorizationV2.html,
Derby1330PrivilegeCollectionV2diff.txt, Derby1330PrivilegeCollectionV2stat.txt, Derby1330PrivilegeCollectionV3diff.txt,
Derby1330PrivilegeCollectionV3stat.txt, Derby1330ViewPrivilegeCollectionV1diff.txt, Derby1330ViewPrivilegeCollectionV1stat.txt,
Derby1330uuidIndexForPermsSystemTablesV4diff.txt, Derby1330uuidIndexForPermsSystemTablesV4stat.txt,
Derby1330uuidIndexForPermsSystemTablesV5diff.txt, Derby1330uuidIndexForPermsSystemTablesV5stat.txt
>
> Additional work needs to be done for grant/revoke to make sure that only users with required
privileges can access various database objects. In order to do that, first we need to collect
the privilege requirements for various database objects and store them in SYS.SYSREQUIREDPERM.
Once we have this information then when a user tries to access an object, the required SYS.SYSREQUIREDPERM
privileges for the object will be checked against the user privileges in SYS.SYSTABLEPERMS,
SYS.SYSCOLPERMS and SYS.SYSROUTINEPERMS. The database object access will succeed only if the
user has the necessary privileges.
> SYS.SYSTABLEPERMS, SYS.SYSCOLPERMS and SYS.SYSROUTINEPERMS are already populated by Satheesh's
work on DERBY-464. But SYS.SYSREQUIREDPERM doesn't have any information in it at this point
and hence no runtime privilege checking is getting done at this point.

-- 
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators:
   http://issues.apache.org/jira/secure/Administrators.jspa
-
For more information on JIRA, see:
   http://www.atlassian.com/software/jira


Mime
View raw message