db-derby-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Rick Hillegas (JIRA)" <j...@apache.org>
Subject [jira] Commented: (DERBY-3673) Add checks that a new role isn't already a user authorization id
Date Wed, 14 May 2008 17:36:55 GMT

    [ https://issues.apache.org/jira/browse/DERBY-3673?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12596842#action_12596842

Rick Hillegas commented on DERBY-3673:

Thanks for this patch, Dag. It also looks good. I have a couple comments:


When creating a LANG_OBJECT_ALREADY_EXISTS exception, I recommend
calling rd.getDescriptorType() rather than hard-coding "User". This is
a small point but it may help us better localize this message in the

I'm also curious about the check being performed in knownUser(). Are
we already checking that the new role name is not the same as an
existing authorization id in SYS.SYSSCHEMAS? Off the top of my head it
seems that we want to forbid those collisions and it seems likely to
me that such a check would catch a very broad class of collisions,
including most of the cases caught by the current knownUser() code.


I am a little troubled that a method with this innocent name may have
the side-effect of dropping a role descriptor. At the very least, I
think that the header comment for this method should document the

> Add checks that a new role isn't already a user authorization id
> ----------------------------------------------------------------
>                 Key: DERBY-3673
>                 URL: https://issues.apache.org/jira/browse/DERBY-3673
>             Project: Derby
>          Issue Type: Sub-task
>            Reporter: Dag H. Wanvik
>            Assignee: Dag H. Wanvik
>             Fix For:
>         Attachments: derby-3673-1.diff, derby-3673-1.diff, derby-3673-1.stat
> Derby current does not have dictionary information about legal users.
> Authentication is configurable as being derby internal, LDAP based, or
> user supplied.
> SQL specifies that user ids and role names go in the same namespace
> (authorization ids).  Therefore, at role creation time, a new role
> name should be checked against legal users for this database, and be
> defined if there is already a user id by that name.
> Unfortunately, since there is currently no reliable dictionary
> information about legal users, the best we can do presently is perform
> heuristic checks that a proposed role id is not already a user id.
> Since the check can not not reliable, we should also add a check to
> prohibit conncting with a user id that is a known role id.

This message is automatically generated by JIRA.
You can reply to this email to add a comment to the issue online.

View raw message