db-derby-dev mailing list archives

From Dag.Wan...@Sun.COM (Dag H. Wanvik)
Subject max size of authentication ids: lift restriction?
Date Mon, 22 Oct 2007 12:26:19 GMT

Hi,

While working on roles, I notice that there is a max size of 30 on
user ids in derby (authentication identifiers), e.g. the check being
performed in the parser:

private void checkAuthorizationLength( String authorization)
:
   checkIdentifierLengthLimit( authorization, Limits.DB2_MAX_USERID_LENGTH);
:

where Limits.DB2_MAX_USERID_LENGTH == 30. I have checked, and I don't
think there are any fundamental reasons why Derby can't lift this DB2
restriction: Then authentication identifiers would have the same max
limit as other identifiers: 128 (Limits.MAX_IDENTIFIER_LENGTH).

Currently, this limit of 30 is enforced for GRANT/REVOKE, i.e. for the
grantees.

However, in the CREATE SCHEMA statement, the clause

         AUTHORIZATION <authorization identifier>

which allows specifying a schema's owner, is *not* subject to this
restriction. This is also reflected in the reference documentation for
system tables:
      
SYS.SYSSCHEMAS:

Column Name      Type     Length  Nullability  Contents
-------------------------------------------------------------------
AUTHORIZATIONID  VARCHAR  128     false        the authorization
                                               identifier of the
                                               owner of the schema

SYS.SYSTABLEPERMS:

Column Name      Type     Length  Nullability  Contents
-------------------------------------------------------------------
GRANTEE          VARCHAR  30      False        The authorization ID
                                               of the user to whom
                                               the privilege is
                                               granted.

Furthermore, the limit is enforced in the authorizer code
(AuthenticationServiceBase#authenticate). It is also reflected in the
metadata: EmbedDatabaseMetaData#getMaxUserNameLength.


I think it would be good to harmonize these two different limits for
authentication identifiers and remove the 30 limit.

Does anybody know of a reason why this should not be done/attempted?
If not, I will file an issue for it.
