db-derby-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Dag H. Wanvik (JIRA)" <j...@apache.org>
Subject [jira] Updated: (DERBY-3743) Revoking EXECUTE privilege on a function if used in a CHECK constraint: implementation problem
Date Mon, 11 Aug 2008 16:36:44 GMT

     [ https://issues.apache.org/jira/browse/DERBY-3743?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]

Dag H. Wanvik updated DERBY-3743:
---------------------------------

    Attachment: derby-3743b-1.stat
                derby-3743b-1.diff

This patch, derby-3743b-1, fixes two problems with the
earlier patch:

- If there were several constraints on a a table, each referencing one
  or more routines for which a privilege was needed, each constraint
  would get a dependency on *all* (potentially; see the next problem!)
  routines needed for the entire table, not just those needed for that
  constraint. As a consequence, if the constraint(s) really needing
  the privileges were dropped, revoking that privilege could risk
  being erroneously RESTRICTed, in spite of no constraint really
  needing that privilege any more.
 
- If the privileges of more than one routine were needed for a single
  constraint, only one dependency got registered due to an
  optimization in storeConstraintDependenciesOnPrivileges that was not
  applicable for CHECK constraints. As a result, a revoke on any
  remaining privileges would then incorrectly be allowed in spite of
  the RESTRICT.

I added two more test cases in GrantRevokeDDLTest to verify that it
works correctly now. Running regressions now, please review. 


> Revoking EXECUTE privilege on a function if used in a CHECK constraint: implementation
problem 
> -----------------------------------------------------------------------------------------------
>
>                 Key: DERBY-3743
>                 URL: https://issues.apache.org/jira/browse/DERBY-3743
>             Project: Derby
>          Issue Type: Improvement
>          Components: Security, SQL
>    Affects Versions: 10.5.0.0
>            Reporter: Dag H. Wanvik
>            Assignee: Dag H. Wanvik
>             Fix For: 10.5.0.0
>
>         Attachments: derby-3743-show-constraint-invalidate-actions.diff, derby-3743-show-constraint-invalidate-actions.stat,
derby-3743.diff, derby-3743.stat, derby-3743b-1.diff, derby-3743b-1.stat
>
>
> The docs say that REVOKE EXECUTE ... RESTRICT should 
> fail if there is a dependent constraint:
> "The RESTRICT clause specifies that the EXECUTE privilege cannot be
>  revoked if the specified routine is used in a view, trigger, or
>  constraint, and the privilege is being revoked from the owner of the
>  view, trigger, or constraint."
>  Revoking the privilege will be correctly restricted, but possibly for the wrong reason.

-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.


Mime
View raw message