Return-Path: Delivered-To: apmail-db-derby-dev-archive@www.apache.org Received: (qmail 29471 invoked from network); 14 Jul 2008 22:37:00 -0000 Received: from hermes.apache.org (HELO mail.apache.org) (140.211.11.2) by minotaur.apache.org with SMTP; 14 Jul 2008 22:37:00 -0000 Received: (qmail 70674 invoked by uid 500); 14 Jul 2008 22:36:52 -0000 Delivered-To: apmail-db-derby-dev-archive@db.apache.org Received: (qmail 70649 invoked by uid 500); 14 Jul 2008 22:36:52 -0000 Mailing-List: contact derby-dev-help@db.apache.org; run by ezmlm Precedence: bulk List-Help: List-Unsubscribe: List-Post: List-Id: Reply-To: Delivered-To: mailing list derby-dev@db.apache.org Received: (qmail 70628 invoked by uid 99); 14 Jul 2008 22:36:52 -0000 Received: from athena.apache.org (HELO athena.apache.org) (140.211.11.136) by apache.org (qpsmtpd/0.29) with ESMTP; Mon, 14 Jul 2008 15:36:52 -0700 X-ASF-Spam-Status: No, hits=-2000.0 required=10.0 tests=ALL_TRUSTED X-Spam-Check-By: apache.org Received: from [140.211.11.140] (HELO brutus.apache.org) (140.211.11.140) by apache.org (qpsmtpd/0.29) with ESMTP; Mon, 14 Jul 2008 22:36:07 +0000 Received: from brutus (localhost [127.0.0.1]) by brutus.apache.org (Postfix) with ESMTP id DC622234C16C for ; Mon, 14 Jul 2008 15:36:31 -0700 (PDT) Message-ID: <190580084.1216074991901.JavaMail.jira@brutus> Date: Mon, 14 Jul 2008 15:36:31 -0700 (PDT) From: "Dag H. Wanvik (JIRA)" To: derby-dev@db.apache.org Subject: [jira] Updated: (DERBY-3223) SQL roles: make use of privileges granted to roles in actual privilege checking In-Reply-To: <32775328.1195739983462.JavaMail.jira@brutus> MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: quoted-printable X-Virus-Checked: Checked by ClamAV on apache.org [ https://issues.apache.org/jira/browse/DERBY-3223?page=3Dcom.atlassia= n.jira.plugin.system.issuetabpanels:all-tabpanel ] Dag H. Wanvik updated DERBY-3223: --------------------------------- Attachment: derby-3223-activate-roles-2.stat derby-3223-activate-roles-2.diff Thanks for looking at this patch, Knut! The new version of this patch, derby-3223-activate-roles-2, addresses most of your comments, except as noted below: - if the current role is not granted to the user, would it be more=20 appropriate to raise an exception saying that than to set the role=20 to null?=20 No, this is the way I handle role revocation; the session(s) which has a role set "discover" that they have lost the right the next time they attempt to make use of it ("lazily"); the revoking session (data base owner) is thus relieved of synchronizing with these session threads to set their current roles to none. - (in old code that is moved, not new code - same in=20 StatementTablePermission and StatementColumnPermission) error=20 messages are created with hard-coded strings "routine" and=20 "schema" that won't be localized=20 Right, I leave that for another issue. I am not sure it needs fixing though, since both strings are used in SQL syntax (ROUTINE is valid SQL, although not in the Derby syntax). Maybe it would be good to make them uppercase to underscore that fact. - perhaps the code will be slightly simpler if the role check in=20 hasPermissionOnTable() is factored out into a separate method?=20 I chose to let this method be as it is.. - assertPrivilegeMetadata(): is JDBC.identifierToCNF() needed around=20 the literal "test_dbo"?=20 Well, either that or use upper case literal; I chose to use identifierToCNF throughout when comparing against strings from metadata queries which are in CNF. - assertPrivilegeMetadata(): garbage in comment (=C2=B9)=20 I removed this. It was originally a ISO-8859-1 superscript "1" which is legal in Java comments, but I think the JIRA attachment mangled it to what you saw. I'll stick to 7-bit ASCII... ;) - setRole() looks like a useful helper method. Should it be moved to=20 JDBC?=20 Good idea, but I think I will postpone this until I have resolved the semantics of SET ROLE, cf. the discussion in DERBY-3137. As for the close method of the iterator, I originally planned to use this for decrementing a usage counter if/when I get to caching the grant graphs, but you are right, right now it is totally useless, so I remove it for now. Better to re-introduce it later if needed. > SQL roles: make use of privileges granted to roles in actual privilege ch= ecking > -------------------------------------------------------------------------= ------ > > Key: DERBY-3223 > URL: https://issues.apache.org/jira/browse/DERBY-3223 > Project: Derby > Issue Type: Task > Components: Security, SQL > Reporter: Dag H. Wanvik > Assignee: Dag H. Wanvik > Fix For: 10.5.0.0 > > Attachments: derby-3223-1a.diff, derby-3223-1a.stat, derby-3223-1= b.diff, derby-3223-1b.stat, derby-3223-1c.diff, derby-3223-1c.stat, derby-3= 223-1d.diff, derby-3223-1d.stat, derby-3223-activate-roles-1.diff, derby-32= 23-activate-roles-1.stat, derby-3223-activate-roles-2.diff, derby-3223-acti= vate-roles-2.stat, derby-3223-revise-iterator-api-b.diff, derby-3223-revise= -iterator-api-b.stat, derby-3223-revise-iterator-api.diff, derby-3223-revis= e-iterator-api.stat, roles.sql, roles2.sql, roles3.sql > > > Pushing out to 10.5 --=20 This message is automatically generated by JIRA. - You can reply to this email to add a comment to the issue online.