db-derby-dev mailing list archives

From "Satheesh Bandaram (JIRA)" <derby-...@db.apache.org>
Subject [jira] Commented: (DERBY-1057) documentation to address Grant/Revoke (Derby-464)
Date Fri, 11 Aug 2006 18:38:15 GMT
    [ http://issues.apache.org/jira/browse/DERBY-1057?page=comments#action_12427580 ] 
Satheesh Bandaram commented on DERBY-1057:

I am looking at the dev Guide. Here are some of the comments:

> Notes on user authorization
> Authorization properties are set when a connection is established.
> Changes to any of the authorization properties during a connection, are not in effect until a new connection is established.

I don't think that is correct. I thought we decided authorization would be used to define
Derby Authorization or SQL Standard Authorization (with GRANT/REVOKE). Authorization is set
for a new database by either setting sqlAuthorization as a system property or by connecting
to an existing database and setting it as a database property. Deepa provided a link earlier that
describes this better.

> User authorization exceptions
> SQL exceptions are returned when errors occur with user authorizations.
> Derby validates the database properties when you set the properties. An exception is returned if you specify an invalid value when you set these properties.

I think here we need to talk about some of the exceptions. It is possible to set derby.database.sqlAuthorization
to true, which enables GRANT/REVOKE, but once the property is set to true as a database property,
it cannot be set to FALSE. So once a database is switched to SQL authorization, it can be
set back to Derby authorization.

> Grant and revoke user authorizations
> When the SQL standard authorization mode is enabled, object owners can use the GRANT and REVOKE SQL statements to set the user permissions for specific database objects or for specific SQL actions.

It may be best to describe this section as 'SQL Standard Authorization'

In the same page:

> The GRANT statement is used to grant specific permissions to users. The REVOKE statement is used to revoke permissions.
> Only the owner of an object can grant or revoke the following privileges on that object:

I am updating the functional spec to say 'only the owner of an object or database owner can grant
or revoke ....'

> The SELECT privilege is later revoked from harry, but Harry has access to table t through the PUBLIC privilege.

Are we missing an IF in the statement? If Select privilege is later revoked from harry, Harry
can still access table t using PUBLIC privilege.

> To enable SQL standard authorization, set the derby.database.sqlAuthorization property to TRUE. For example:
> CALL SYSCS_UTIL.SYSCS_SET_DATABASE_PROPERTY(
>     'derby.database.sqlAuthorization',
>     'true')

I think we also need to talk about another way to enable SQL Standard authorization... as
mentioned above. (Through setting of the property as system property that automatically creates
all new databases in SQL Standard authorization)

I am assuming topics that talk about 'defaultConnectionMode' should already be in the manuals
and are NOT new. If they are new, we would need to review it more carefully.

Same with 'Working with Authentication'. Are these new sections? No changes are made here,
so there should be no need to add these sections.

> User authorizations
> When you specify user authorizations, Derby verifies that a user has been granted permission to access a system, database, object, or SQL action.
> There are two types of user authorization in Derby, connection authorization and grant
> Connection authorization specifies the access that users have to connect to a system or database. SQL authorization controls the permissions that users have on database objects or for SQL actions. You can set the user authorization properties in Derby as system-level properties or database-level properties.

I think we agreed that we will not use 'connection authorization', and instead only refer to 'connection
access mode'.

> The user authorization properties are:

I would rather say 'Properties that affect authorization are:'

That is all the comments I have on developer guide. Thanks for working on documenting GRANT/REVOKE.

> documentation to address Grant/Revoke (Derby-464)
> -------------------------------------------------
>                 Key: DERBY-1057
>                 URL: http://issues.apache.org/jira/browse/DERBY-1057
>             Project: Derby
>          Issue Type: Sub-task
>          Components: Documentation
>    Affects Versions:
>            Reporter: Eric Radzinski
>         Assigned To: Laura Stewart
>             Fix For:
>         Attachments: derby1057_devguide.diff, derby1057_devguide3.diff, derby1057_devguide_html.zip,
>                      derby1057_devguide_html3.zip, derby1057_ref.diff, derby1057_ref3.diff, derby1057_ref_html.zip,
>                      derby1057_tuning3.diff, derby1057_tuning4.diff, derby1057_tuning_html.zip, derby1058_ref_html3.zip,
>                      devguide_html2.zip, ref_html2.zip, rtunpropersqlauth.html
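
Added example (not part of the original message or of the Derby manuals): an ij script for the harry/PUBLIC case quoted above, ending with a catalog query that lists which grantees still hold table privileges on t. The column names and sample row are constructed, and the reboot step is an assumption noted in the comments.

```sql
-- Run in ij, connected as the database owner.
-- Table t and user harry come from the quoted draft; everything else
-- (columns, sample row) is constructed for illustration.

-- Way 1 (database property, as in the quoted draft). Per the comment
-- above, once this is true as a database property it cannot be set to FALSE.
CALL SYSCS_UTIL.SYSCS_SET_DATABASE_PROPERTY(
    'derby.database.sqlAuthorization', 'true');

-- Way 2 (system property, described in the comment above): start the JVM
-- with derby.database.sqlAuthorization=true so that databases created
-- afterwards are in SQL standard authorization mode from the start.

-- Confirm what is stored in the database.
VALUES SYSCS_UTIL.SYSCS_GET_DATABASE_PROPERTY(
    'derby.database.sqlAuthorization');

-- Assumption: shut the database down and reconnect here so the new
-- authorization mode is in effect before GRANT/REVOKE are used.

CREATE TABLE t (id INT PRIMARY KEY, note VARCHAR(40));
INSERT INTO t VALUES (1, 'constructed row');

-- The scenario from the draft: harry has SELECT both directly and
-- through PUBLIC, then loses only the direct grant.
GRANT SELECT ON TABLE t TO PUBLIC;
GRANT SELECT ON TABLE t TO harry;
REVOKE SELECT ON TABLE t FROM harry;

-- Audit the table-level grants that remain on T. A PUBLIC row here means
-- every connected user, harry included, can still read the table.
SELECT p.GRANTEE, p.GRANTOR, p.SELECTPRIV
FROM SYS.SYSTABLEPERMS p
JOIN SYS.SYSTABLES s ON s.TABLEID = p.TABLEID
WHERE s.TABLENAME = 'T';

-- To actually cut off harry's read access, the PUBLIC grant has to go too.
REVOKE SELECT ON TABLE t FROM PUBLIC;
```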
