db-derby-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Dag H. Wanvik (JIRA)" <j...@apache.org>
Subject [jira] Updated: (DERBY-3673) Add checks that a new role isn't already a user authorization id
Date Tue, 13 May 2008 15:18:55 GMT

     [ https://issues.apache.org/jira/browse/DERBY-3673?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel

Dag H. Wanvik updated DERBY-3673:

    Attachment: derby-3673-1.stat

This patch is a first attempt to check that a proposed new role name
is not already a user name. 

Checks performed:
       - the proposed name does not already figure as a grantee in a
         permission descriptor.

       - the proposed name is not the user id of the current session

       - if we are using Derby built-in users, check that the proposed
         role name is not a built-in user. If authentication is
         external, we have no way of knowing, alas.       

Still missing is a check that a connection is not made with a user id
that is a role name.

Patch details:

M      java/engine/org/apache/derby/impl/sql/execute/CreateRoleConstantAction.java

Added the above checks. I found no way of systematically going through
all properties which start with the string "derby.user", so present
method tries to guess the property name on the basis of the internal
role name, and then look up that property, which if it exists,
represents a user id. This would fail if the user property is
specified in a non-canonical way, cf logic in
IdUtil.SQLIdentifier2CanonicalPropertyUsername. Any ideas here are

I am not really happy with this solution, so I will see if I can find
a way to run through all "derby.user" properties instead. 

Also, instead of just checking the authorization id of the current
session, it would be better to check all current sessions of course. I
will see if I can find a way to do that. Again, suggestions are

M      java/engine/org/apache/derby/iapi/sql/dictionary/DataDictionary.java
M      java/engine/org/apache/derby/impl/sql/catalog/DataDictionaryImpl.java

Added code to look for permission grants to a specific grantee. Did
some refactoring here too to avoid code duplication.

M      java/engine/org/apache/derby/iapi/util/IdUtil.java

Added SQLIdentifier2CanonicalPropertyUsername. See also comments above.

M      java/testing/org/apache/derbyTesting/functionTests/tests/lang/RolesTest.java

Added some test cases, including a case which currently fails
(commented out for now).

M      java/storeless/org/apache/derby/impl/storeless/EmptyDictionary.java

stub added

> Add checks that a new role isn't already a user authorization id
> ----------------------------------------------------------------
>                 Key: DERBY-3673
>                 URL: https://issues.apache.org/jira/browse/DERBY-3673
>             Project: Derby
>          Issue Type: Sub-task
>            Reporter: Dag H. Wanvik
>             Fix For:
>         Attachments: derby-3673-1.diff, derby-3673-1.stat
> Derby current does not have dictionary information about legal users.
> Authentication is configurable as being derby internal, LDAP based, or
> user supplied.
> SQL specifies that user ids and role names go in the same namespace
> (authorization ids).  Therefore, at role creation time, a new role
> name should be checked against legal users for this database, and be
> defined if there is already a user id by that name.
> Unfortunately, since there is currently no reliable dictionary
> information about legal users, the best we can do presently is perform
> heuristic checks that a proposed role id is not already a user id.
> Since the check can not not reliable, we should also add a check to
> prohibit conncting with a user id that is a known role id.

This message is automatically generated by JIRA.
You can reply to this email to add a comment to the issue online.

View raw message