Return-Path: Delivered-To: apmail-db-derby-dev-archive@www.apache.org Received: (qmail 97451 invoked from network); 12 Jul 2006 16:39:32 -0000 Received: from hermes.apache.org (HELO mail.apache.org) (209.237.227.199) by minotaur.apache.org with SMTP; 12 Jul 2006 16:39:32 -0000 Received: (qmail 49890 invoked by uid 500); 12 Jul 2006 16:39:31 -0000 Delivered-To: apmail-db-derby-dev-archive@db.apache.org Received: (qmail 49866 invoked by uid 500); 12 Jul 2006 16:39:31 -0000 Mailing-List: contact derby-dev-help@db.apache.org; run by ezmlm Precedence: bulk List-Help: List-Unsubscribe: List-Post: List-Id: Reply-To: Delivered-To: mailing list derby-dev@db.apache.org Received: (qmail 49857 invoked by uid 99); 12 Jul 2006 16:39:31 -0000 Received: from asf.osuosl.org (HELO asf.osuosl.org) (140.211.166.49) by apache.org (qpsmtpd/0.29) with ESMTP; Wed, 12 Jul 2006 09:39:31 -0700 X-ASF-Spam-Status: No, hits=0.0 required=10.0 tests= X-Spam-Check-By: apache.org Received: from [209.237.227.198] (HELO brutus.apache.org) (209.237.227.198) by apache.org (qpsmtpd/0.29) with ESMTP; Wed, 12 Jul 2006 09:39:29 -0700 Received: from brutus (localhost [127.0.0.1]) by brutus.apache.org (Postfix) with ESMTP id 4155A4104F3 for ; Wed, 12 Jul 2006 16:37:31 +0000 (GMT) Message-ID: <26015811.1152722251221.JavaMail.jira@brutus> Date: Wed, 12 Jul 2006 16:37:31 +0000 (GMT+00:00) From: "Mamta A. Satoor (JIRA)" To: derby-dev@db.apache.org Subject: [jira] Updated: (DERBY-1330) Provide runtime privilege checking for grant/revoke functionality In-Reply-To: <14984243.1147927445981.JavaMail.jira@brutus> MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: 7bit X-Virus-Checked: Checked by ClamAV on apache.org X-Spam-Rating: minotaur.apache.org 1.6.2 0/1000/N [ http://issues.apache.org/jira/browse/DERBY-1330?page=all ] Mamta A. Satoor updated DERBY-1330: ----------------------------------- Attachment: Derby1330uuidIndexForPermsSystemTablesV6diff.txt Derby1330uuidIndexForPermsSystemTablesV6stat.txt As per Dan's suggestion, I have moved the resetting of permission descriptor's uuid into DataDictionary.addRemovePermissionsDescriptor method. The derbyall runs fine with no new failures. I have also added couple tests to lang\grantRevokeDDL.sql Please find this change in the attached Derby1330uuidIndexForPermsSystemTablesV6diff.txt. svn stat -q output is in Derby1330uuidIndexForPermsSystemTablesV6stat.txt > Provide runtime privilege checking for grant/revoke functionality > ----------------------------------------------------------------- > > Key: DERBY-1330 > URL: http://issues.apache.org/jira/browse/DERBY-1330 > Project: Derby > Type: Sub-task > Components: SQL > Versions: 10.2.0.0 > Reporter: Mamta A. Satoor > Assignee: Mamta A. Satoor > Attachments: AuthorizationModelForDerbySQLStandardAuthorization.html, AuthorizationModelForDerbySQLStandardAuthorizationV2.html, Derby1330PrivilegeCollectionV2diff.txt, Derby1330PrivilegeCollectionV2stat.txt, Derby1330PrivilegeCollectionV3diff.txt, Derby1330PrivilegeCollectionV3stat.txt, Derby1330ViewPrivilegeCollectionV1diff.txt, Derby1330ViewPrivilegeCollectionV1stat.txt, Derby1330uuidIndexForPermsSystemTablesV4diff.txt, Derby1330uuidIndexForPermsSystemTablesV4stat.txt, Derby1330uuidIndexForPermsSystemTablesV5diff.txt, Derby1330uuidIndexForPermsSystemTablesV5stat.txt, Derby1330uuidIndexForPermsSystemTablesV6diff.txt, Derby1330uuidIndexForPermsSystemTablesV6stat.txt > > Additional work needs to be done for grant/revoke to make sure that only users with required privileges can access various database objects. In order to do that, first we need to collect the privilege requirements for various database objects and store them in SYS.SYSREQUIREDPERM. Once we have this information then when a user tries to access an object, the required SYS.SYSREQUIREDPERM privileges for the object will be checked against the user privileges in SYS.SYSTABLEPERMS, SYS.SYSCOLPERMS and SYS.SYSROUTINEPERMS. The database object access will succeed only if the user has the necessary privileges. > SYS.SYSTABLEPERMS, SYS.SYSCOLPERMS and SYS.SYSROUTINEPERMS are already populated by Satheesh's work on DERBY-464. But SYS.SYSREQUIREDPERM doesn't have any information in it at this point and hence no runtime privilege checking is getting done at this point. -- This message is automatically generated by JIRA. - If you think it was sent incorrectly contact one of the administrators: http://issues.apache.org/jira/secure/Administrators.jspa - For more information on JIRA, see: http://www.atlassian.com/software/jira