db-derby-dev mailing list archives

From "Dag H. Wanvik (JIRA)" <j...@apache.org>
Subject [jira] Updated: (DERBY-3223) SQL roles: make use of privileges granted to roles in actual privilege checking
Date Thu, 10 Jul 2008 12:00:31 GMT

     [ https://issues.apache.org/jira/browse/DERBY-3223?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel

Dag H. Wanvik updated DERBY-3223:

    Attachment: derby-3223-activate-roles-1.stat

This patch, derby-3223-activate-roles-1, enables permissions granted
to applicable roles to actually confer privileges to a user who has
set the current role.

No revocation logic has been added in this patch; that will be added
in a separate patch.

Patch details:

M      java/engine/org/apache/derby/iapi/sql/dictionary/StatementRoutinePermission.java
M      java/engine/org/apache/derby/iapi/sql/dictionary/StatementTablePermission.java
M      java/engine/org/apache/derby/iapi/sql/dictionary/StatementColumnPermission.java

These three classes implement the extra checking for privileges via
roles which is the essence of this patch. After looking for privileges
granted to the current user or to public, if there are still
unresolved permissions, we look at roles for fulfillment.

M      java/engine/org/apache/derby/iapi/sql/dictionary/StatementRolePermission.java
M      java/engine/org/apache/derby/iapi/sql/dictionary/StatementSchemaPermission.java
M      java/engine/org/apache/derby/impl/sql/conn/GenericAuthorizer.java
M      java/engine/org/apache/derby/iapi/sql/dictionary/StatementPermission.java

Added activation to the check method signature of
StatementPermission. Needed to get at current role.

Also added toString methods to all Statement<object>Permission classes
to help debugging. I can remove these if someone feels they just add

M      java/engine/org/apache/derby/impl/sql/execute/DDLConstantAction.java

Added extra checks since now that roles may confer privileges, an
existing invariant no longer holds. This code will change with the
next patch which adds dependencies on roles and revocation logic, so
this is just a temporary measure.

A      java/testing/org/apache/derbyTesting/functionTests/tests/lang/RolesConferredPrivilegesTest.java

A new test which attempts to exercise all kinds of Derby privileges
using roles, when privileges are granted to the current role as well
as inherited roles, and roles granted to PUBLIC as well as to the
current user, i.e. the cross product:

        {current role, some inherited role} X
        {role granted to current user, role granted to PUBLIC} X
        {set of Derby privileges}

M      java/testing/org/apache/derbyTesting/junit/JDBC.java

Added a utility method: identifierToCNF used by RolesConferredPrivilegesTest.

Regressions passed, please review.

> SQL roles: make use of privileges granted to roles in actual privilege checking
> -------------------------------------------------------------------------------
>                 Key: DERBY-3223
>                 URL: https://issues.apache.org/jira/browse/DERBY-3223
>             Project: Derby
>          Issue Type: Task
>          Components: Security, SQL
>            Reporter: Dag H. Wanvik
>            Assignee: Dag H. Wanvik
>             Fix For:
>         Attachments: derby-3223-1a.diff, derby-3223-1a.stat, derby-3223-1b.diff, derby-3223-1b.stat,
> derby-3223-1c.diff, derby-3223-1c.stat, derby-3223-1d.diff, derby-3223-1d.stat, derby-3223-activate-roles-1.diff,
> derby-3223-activate-roles-1.stat, derby-3223-revise-iterator-api-b.diff, derby-3223-revise-iterator-api-b.stat,
> derby-3223-revise-iterator-api.diff, derby-3223-revise-iterator-api.stat, roles.sql, roles2.sql,
>
> Pushing out to 10.5

This message is automatically generated by JIRA.
You can reply to this email to add a comment to the issue online.
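
The lookup order described in the message above (grants to the user or PUBLIC first, then the current role and the roles it inherits), as an added example that is not part of the original message and is not Derby code. The class, its method names, the sample grants and the rule that the current role must have been granted to the user or to PUBLIC are assumptions of this simplified model.

```java
import java.util.*;

// Simplified model, not Derby code. Users, PUBLIC and roles share one name space. Java 16+.
public class RolePrivilegeModel {
    record Grant(String grantee, String privilege) {}

    private final Set<Grant> privilegeGrants = new HashSet<>();
    // role -> grantees holding it (a user, PUBLIC, or another role)
    private final Map<String, Set<String>> roleGrants = new HashMap<>();

    void grantPrivilege(String privilege, String grantee) {
        privilegeGrants.add(new Grant(grantee, privilege));
    }
    void grantRole(String role, String grantee) {
        roleGrants.computeIfAbsent(role, r -> new HashSet<>()).add(grantee);
    }

    // The current role plus every role granted to it, transitively.
    Set<String> applicableRoles(String currentRole) {
        Set<String> seen = new LinkedHashSet<>();
        Deque<String> todo = new ArrayDeque<>(List.of(currentRole));
        while (!todo.isEmpty()) {
            String role = todo.pop();
            if (!seen.add(role)) continue; // already visited; also guards against cycles
            roleGrants.forEach((r, holders) -> { if (holders.contains(role)) todo.push(r); });
        }
        return seen;
    }

    boolean isAllowed(String user, String currentRole, String privilege) {
        // 1. Grants made directly to the user or to PUBLIC.
        if (privilegeGrants.contains(new Grant(user, privilege))
                || privilegeGrants.contains(new Grant("PUBLIC", privilege))) return true;
        // 2. Still unresolved: consult roles, but only a current role the user may hold.
        if (currentRole == null) return false;
        Set<String> holders = roleGrants.getOrDefault(currentRole, Set.of());
        if (!holders.contains(user) && !holders.contains("PUBLIC")) return false;
        return applicableRoles(currentRole).stream()
                .anyMatch(r -> privilegeGrants.contains(new Grant(r, privilege)));
    }

    public static void main(String[] args) {
        RolePrivilegeModel m = new RolePrivilegeModel();   // constructed sample grants
        m.grantPrivilege("SELECT ON T1", "READER");
        m.grantRole("READER", "ANALYST");                  // ANALYST inherits READER
        m.grantRole("ANALYST", "ALICE");
        m.grantRole("READER", "PUBLIC");
        System.out.println(m.isAllowed("ALICE", "ANALYST", "SELECT ON T1")); // inherited role
        System.out.println(m.isAllowed("BOB", "READER", "SELECT ON T1"));    // role via PUBLIC
        System.out.println(m.isAllowed("BOB", null, "SELECT ON T1"));        // no current role
        System.out.println(m.isAllowed("BOB", "ANALYST", "SELECT ON T1"));   // role not held
    }
}
```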
