db-derby-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Kim Haase (JIRA)" <j...@apache.org>
Subject [jira] Commented: (DERBY-3193) SQL roles: Add documentation
Date Mon, 22 Dec 2008 22:41:44 GMT

    [ https://issues.apache.org/jira/browse/DERBY-3193?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12658704#action_12658704
] 

Kim Haase commented on DERBY-3193:
----------------------------------

Thanks, Dag, for these really helpful comments. I think I've implemented them and will file
another patch tomorrow. I do have a few comments and questions.

Definition of role containment:

"A role contains another role if that role is granted to it, or is contained in a role granted
to it."

I think this needs to be placed in the Developer's Guide topic cdevcsecureroles.dita (Using
SQL roles) and then in a logical place in the Ref Manual. I think it's also useful to use
"A" and "B" to clarify things, as in the first definition of containment (in the Dev Guide
topic):

"If a role A is granted to another role B, the privileges identified by role A are inherited
by role B. We say that B contains A."

Adapting this to your definition, I think we get the following (A and B get reversed):

"A role A contains another role B if role B is granted to role A, or is contained in a role
granted to role A. In this case, the privileges identified by role B are inherited by role
A."

Please let me know if further changes would be useful.

--------

The Reference Manual doesn't seem to have any references to the Developer's Guide for material
on roles or on GRANT/REVOKE. I've put some in.

--------

src/ref/rrefsqljrevoke.dita:

I think the first paragraph should have something about revoking a role. I've added a sentence
-- hope it's okay. (Parallel to the sentence for the GRANT statement.)

I modified the sentence about sqlAuthorization -- you can let me know if that's okay or if
I should just remove it.

The link to grantgrantees instead of revokegrantees was accidental (I probably copied from
the GRANT statement text and forgot to make the change).

-----

src/ref/rrefsqljgrant.dita:

Added link to "database owner" as with revoke.

Added definition of role containment.

-----------

src/ref/rrefsetrole.dita

Added link to definition of role containment.

-------

You ask, "Shouldn't crefsqlj18919.html have an entry for roleName?" It does, because all the
topics under "SQL identifiers" are listed automatically in the HTML frames version.

----------

The comments on src/devguide/cdevcsecure866060.dita actually refer to text that is in cdevcsecuregrantrevokeaccess.dita,
so I made the changes there.

---------

src/devguide/rdevcsecuresqlauthexceptions.dita

If the exception for an identifier over 128 characters long applies to all statements, does
that mean that it always comes up first? Since you can't create a role using an identifier
over 128 characters long, then using DROP ROLE with a too-long argument should result in both
0P000 (for a nonexistent role) and 42622. Would the user see 42622 and not 0P000?


> SQL roles: Add documentation
> ----------------------------
>
>                 Key: DERBY-3193
>                 URL: https://issues.apache.org/jira/browse/DERBY-3193
>             Project: Derby
>          Issue Type: Task
>          Components: Documentation
>            Reporter: Dag H. Wanvik
>            Assignee: Kim Haase
>             Fix For: 10.5.0.0
>
>         Attachments: DERBY-3193-2.diff, DERBY-3193-2.stat, DERBY-3193-2.zip, DERBY-3193.diff,
DERBY-3193.stat, DERBY-3193.zip, derby3193-tmp.diff, derby3193-tmp.stat
>
>


-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.


Mime
View raw message