db-derby-dev mailing list archives

From "Kim Haase (JIRA)" <j...@apache.org>
Subject [jira] Commented: (DERBY-3193) SQL roles: Add documentation
Date Mon, 22 Dec 2008 22:41:44 GMT

    [ https://issues.apache.org/jira/browse/DERBY-3193?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12658704#action_12658704

Kim Haase commented on DERBY-3193:

Thanks, Dag, for these really helpful comments. I think I've implemented them and will file
another patch tomorrow. I do have a few comments and questions.

Definition of role containment:

"A role contains another role if that role is granted to it, or is contained in a role granted
to it."

I think this needs to be placed in the Developer's Guide topic cdevcsecureroles.dita (Using
SQL roles) and then in a logical place in the Ref Manual. I think it's also useful to use
"A" and "B" to clarify things, as in the first definition of containment (in the Dev Guide

"If a role A is granted to another role B, the privileges identified by role A are inherited
by role B. We say that B contains A."

Adapting this to your definition, I think we get the following (A and B get reversed):

"A role A contains another role B if role B is granted to role A, or is contained in a role
granted to role A. In this case, the privileges identified by role B are inherited by role

Please let me know if further changes would be useful.


The Reference Manual doesn't seem to have any references to the Developer's Guide for material
on roles or on GRANT/REVOKE. I've put some in.



I think the first paragraph should have something about revoking a role. I've added a sentence
-- hope it's okay. (Parallel to the sentence for the GRANT statement.)

I modified the sentence about sqlAuthorization -- you can let me know if that's okay or if
I should just remove it.

The link to grantgrantees instead of revokegrantees was accidental (I probably copied from
the GRANT statement text and forgot to make the change).



Added link to "database owner" as with revoke.

Added definition of role containment.



Added link to definition of role containment.


You ask, "Shouldn't crefsqlj18919.html have an entry for roleName?" It does, because all the
topics under "SQL identifiers" are listed automatically in the HTML frames version.


The comments on src/devguide/cdevcsecure866060.dita actually refer to text that is in cdevcsecuregrantrevokeaccess.dita,
so I made the changes there.



If the exception for an identifier over 128 characters long applies to all statements, does
that mean that it always comes up first? Since you can't create a role using an identifier
over 128 characters long, then using DROP ROLE with a too-long argument should result in both
0P000 (for a nonexistent role) and 42622. Would the user see 42622 and not 0P000?

> SQL roles: Add documentation
> ----------------------------
>                 Key: DERBY-3193
>                 URL: https://issues.apache.org/jira/browse/DERBY-3193
>             Project: Derby
>          Issue Type: Task
>          Components: Documentation
>            Reporter: Dag H. Wanvik
>            Assignee: Kim Haase
>             Fix For:
>         Attachments: DERBY-3193-2.diff, DERBY-3193-2.stat, DERBY-3193-2.zip, DERBY-3193.diff, DERBY-3193.stat, DERBY-3193.zip, derby3193-tmp.diff, derby3193-tmp.stat

This message is automatically generated by JIRA.
You can reply to this email to add a comment to the issue online.
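
The role containment definition quoted in the message above ("A role A contains another role B if role B is granted to role A, or is contained in a role granted to role A") is a transitive closure over role grants. The following sketch is an added example, not part of the original message and not Derby's code; the role names, privilege strings and the `RoleGraph` class are constructed for illustration.

```python
from collections import defaultdict

class RoleGraph:
    """Toy model of role grants (hypothetical; not Derby's implementation)."""

    def __init__(self):
        self.granted_to = defaultdict(set)   # role -> roles granted to it
        self.privileges = defaultdict(set)   # role -> privileges granted directly

    def grant_role(self, role, to):
        """Models the statement GRANT role TO to."""
        self.granted_to[to].add(role)

    def grant_privilege(self, privilege, to):
        self.privileges[to].add(privilege)

    def contained_roles(self, a):
        """Every role B such that A contains B, per the quoted definition."""
        seen, stack = set(), list(self.granted_to[a])
        while stack:
            b = stack.pop()
            if b not in seen:        # visited set keeps the walk finite
                seen.add(b)
                stack.extend(self.granted_to[b])
        return seen

    def contains(self, a, b):
        return b in self.contained_roles(a)

    def effective_privileges(self, a):
        """Privileges of A plus those inherited from every contained role."""
        privs = set(self.privileges[a])
        for b in self.contained_roles(a):
            privs |= self.privileges[b]
        return privs

def build_sample():
    # Constructed sample: reader is granted to updater, updater to admin.
    g = RoleGraph()
    g.grant_privilege("SELECT ON t", "reader")
    g.grant_privilege("UPDATE ON t", "updater")
    g.grant_privilege("DELETE ON t", "admin")
    g.grant_role("reader", to="updater")
    g.grant_role("updater", to="admin")
    return g

if __name__ == "__main__":
    g = build_sample()
    print(g.contains("admin", "reader"), sorted(g.effective_privileges("admin")))
```

Containment runs one way only: here `admin` contains `reader` through `updater`, so `admin` inherits the privileges of `reader`, while `reader` gains nothing from `admin`.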
