Mailing-List: contact derby-dev-help@db.apache.org; run by ezmlm
Precedence: bulk
Reply-To: <derby-dev@db.apache.org>
Received-SPF: pass (athena.apache.org: domain of hiranya911@gmail.com
 designates 74.125.92.26 as permitted sender)
DomainKey-Signature: a=rsa-sha1; c=nofws;
        d=gmail.com; s=gamma;
        h=mime-version:in-reply-to:references:date:message-id:subject:from:to
         :content-type;
        b=o395oEScytezA5dIRQ5Nw4pGqmsIhfb/96lGhLhhRRxTd+7GyefpFLuTddvxSkvbu4
         eWIN/FL7OCOKu5lRKDxSPTZwkPrCpF1PPjp+Iht6hGbKObhBe5yhQnpfDsK52QeAUH+Z
         OKRfyf/YLJ4OHNEtP7dBCkC+t4IoLj9IJIwBo=
MIME-Version: 1.0
In-Reply-To: <x1oxd4adc6fs.fsf@sun.com>
References: <558af1840905092155t7c0fb4a3rea54ea713e0080ff@mail.gmail.com>
	 <x1oxd4adc6fs.fsf@sun.com>
Date: Thu, 14 May 2009 10:30:31 +0530
Message-ID: <558af1840905132200kc1d7fb2y9a9ab75fcbb5d986@mail.gmail.com>
Subject: Re: Wiki Page for dblook SQL Authorization Support Project
From: Hiranya Jayathilaka <hiranya911@gmail.com>
To: derby-dev@db.apache.org
Content-Type: multipart/alternative; boundary=0016361e81341f8e590469d83541

--0016361e81341f8e590469d83541
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 7bit

Hi Dag,

Thanks a lot for taking time to go through the wiki page and providing your
valuable insight. I'll soon update the wiki with the things you have
mentioned here. See my comments in-line.

On Wed, May 13, 2009 at 9:59 PM, Dag H. Wanvik <Dag.Wanvik@sun.com> wrote:

>
> Hi Hiranya,
>
> Hiranya Jayathilaka <hiranya911@gmail.com> writes:
>
> > Hi Folks,
> >
> > I'll be using the wiki page at [1] as the documentation space for dblook
> SQL
> > Authorization support implementation, during the design phase of the
> > project. I've already updated the wiki page with some information that
> I've
> > discussed with Dag off-line. Feel free to add your own ideas to the wiki
> > page regarding this project and also feel free to discuss the matters
> > mentioned in the wiki on the mailing list.
> >
> > Your feedback and comments are most appreciated.
>
> Thanks for starting a wiki page for this design, Hiranya! This is a
> good way to go.  I think the approach looks good.
>
> Here are some answers to your questions and comments.
>
> > Design
> >
> > We intend to use a directed graph as the means of tracking and
> > representing the dependencies among various persistent objects in a
> > database. Let's call it the dblook dependency graph. When dblook is
> > fired off against a database, it would create the dependency graph in
> > memory and 'walk' the graph step-by-step while producing DDL
> > statements required to reconstruct those objects.
>
> To do this, we have to use several connections, one for each
> authorized user that owns database objects, so that they can be
> recreated with the correct owner. It could be useful to keep them open
> (or you could open them on demand; slower) since object creation for
> one user could be interleaved with an other user's objects, if
> dependencies go in both directions between users. But this is probably
> not so common that it warrants optimizing of connection openings?
>
> >
> > All persistent objects of a database would be vertices in the
> > dependency graph. If A and B are two persistent objects in a database
> > and if B is a dependent object of A then there will be a directed edge
> > from A to B in the dependency graph (A --> B). Information required to
> > construct the dependency graph will be fetched from the system tables
> > (specially from the SYSDEPENDS table which effectively captures all
> > such dependencies among persistent objects). The graph construction
> > algorithm should also associate each vertex with a database user as
> > the owner. (what is the right way to find the object owner?)
>
> For example, for a view, the SYSVIEWS table contains a reference to
> the owning schema in the column COMPILATIONSCHEMAID.  The system table
> for schemas, SYSSCHEMAS, contains AUTHORIZATIONID for each
> schema. This is the owning user user (since Derby does not yet support
> a schema being owned by a role, although the SQL standard does allow
> that). So joining COMPILATIONSCHEMAID with SYSSCHEMAS.SCHEMAID gives
> the owning user of a view. The case is similar for triggers and
> constraints.


Thanks. That answers it :)

>
>
> > In addition it should capture all the permissions associated with
> > each object and the users involved with those permissions.
>
> More precisely, all permissions granted for an object, be it to a
> user, to a role or to PUBLIC, should be recorded with the object, so
> those permissions can be granted once the object has been recreated.
>
> If a persistent object depends on a role, that should be recorded as
> well, so that the needed role can be set before recreating the object.


+1


>
>
> >
> > Once we have the full dblook dependency graph in memory we can create
> > all the roles required (should be done as the dbo).
>
> And all the role grants should be performed in this step, that is,
> grant to users, to other roles and to PUBLIC. Only dbo can do these
> things presently. Note that in order to do this step successfully, you
> need to create a GRANT dependency graph of the roles'
> interrelationships as well.


Yes. Thanks for pointing that out. So I guess we need to add this as a step
of our overall execution (may be prior to creating the dependency graph?). I
think we can find all the necessary data by just looking at the SYSROLES
table to do this.


>
> >
> > When dblook finally walks the graph it will need to produce an
> > authentication statement prior to producing the actual DDL statement
> > required to create each object.
>
> I am not sure what you mean by authentication statement here; I think
> we need to open a connection per user that owns a persistent object
> and use that connection to create that object.


Yes. That's what I meant. Basically we need to generate a statement which
establishes the necessary database connection, when executed. I'll rephrase
this on the wiki so it's more clear to the reader.


> So the walk would have
> to switch between the different connections as needed? In addition, if
> this persistent object ("soon-to-be-created") depends on a role, the
> connection should SET that role first, too, so we can make sure we
> have the required permissions to create the object.
>
> > For an example if there is an object O associated with the user U in
>
> I assume you mean "owned by" user U here.


+1


>
>
> > the graph, dblook will first output an authentication statement for
> > user U before producing the DDL statement for O. After producing the
> > creation statement necessary grant statements should be created
> > related to the object.
>
> Yes, this seems the right time!
>
> > Basically all the permissions related to the object should be
> > granted to the associated users.
>
> .. and roles and PUBLIC.
>
>
> > Walking the graph should start from a node which does not have any
> > in bound edges (i.e. it does not depend on any other object). As the
> > graph walk continues objects are removed from the graph along with
> > all edges incident on them. The walk continues until the graph's set
> > of vertices is empty.
>
> Dependency Graph Design
> >
> > The datastructures used to store the elements of the dependency graph
> > should be lightweight. This graph will be held in memory and its size
> > will be proportional to the number of persistent objects in the
> > database. Therefore larger the database, larger the dependency
> > graph. We need to be conservative in memory usage to efficiently deal
> > with large databases.
> >
> > Each vertex in the graph should store a set of in bound edges, set of
> > out bound edges, an associated user ID (might also need to store
> > authentication credentials of the user) and a set of permissions.
>
> Yes, and you will need to store if an object depends on a role, too.
> The set of permissions is those that should be granted for that object
> (vertex; I presume you intend for the vertex to represent a persistent
> object here?)


Indeed. Each persistent object will be a vertex in the graph.

Thanks,
Hiranya


>
> Dag
>


-- 
Hiranya Jayathilaka
E-mail: hiranya@apache.org;  Mobile: +94 77 633 3491
Blog: http://techfeast-hiranya.blogspot.com

--0016361e81341f8e590469d83541
Content-Type: text/html; charset=ISO-8859-1
Content-Transfer-Encoding: quoted-printable

Hi Dag,<br><br>Thanks a lot for taking time to go through the wiki page and=
 providing your valuable insight. I&#39;ll soon update the wiki with the th=
ings you have mentioned here. See my comments in-line.<br><br><div class=3D=
"gmail_quote">
On Wed, May 13, 2009 at 9:59 PM, Dag H. Wanvik <span dir=3D"ltr">&lt;<a hre=
f=3D"mailto:Dag.Wanvik@sun.com">Dag.Wanvik@sun.com</a>&gt;</span> wrote:<br=
><blockquote class=3D"gmail_quote" style=3D"border-left: 1px solid rgb(204,=
 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">
<br>
Hi Hiranya,<br>
<div class=3D"im"><br>
Hiranya Jayathilaka &lt;<a href=3D"mailto:hiranya911@gmail.com">hiranya911@=
gmail.com</a>&gt; writes:<br>
<br>
&gt; Hi Folks,<br>
&gt;<br>
&gt; I&#39;ll be using the wiki page at [1] as the documentation space for =
dblook SQL<br>
&gt; Authorization support implementation, during the design phase of the<b=
r>
&gt; project. I&#39;ve already updated the wiki page with some information =
that I&#39;ve<br>
&gt; discussed with Dag off-line. Feel free to add your own ideas to the wi=
ki<br>
&gt; page regarding this project and also feel free to discuss the matters<=
br>
&gt; mentioned in the wiki on the mailing list.<br>
&gt;<br>
&gt; Your feedback and comments are most appreciated.<br>
<br>
</div>Thanks for starting a wiki page for this design, Hiranya! This is a<b=
r>
good way to go. =A0I think the approach looks good.<br>
<br>
Here are some answers to your questions and comments.<br>
<br>
&gt; Design<br>
&gt;<br>
&gt; We intend to use a directed graph as the means of tracking and<br>
&gt; representing the dependencies among various persistent objects in a<br=
>
&gt; database. Let&#39;s call it the dblook dependency graph. When dblook i=
s<br>
&gt; fired off against a database, it would create the dependency graph in<=
br>
&gt; memory and &#39;walk&#39; the graph step-by-step while producing DDL<b=
r>
&gt; statements required to reconstruct those objects.<br>
<br>
To do this, we have to use several connections, one for each<br>
authorized user that owns database objects, so that they can be<br>
recreated with the correct owner. It could be useful to keep them open<br>
(or you could open them on demand; slower) since object creation for<br>
one user could be interleaved with an other user&#39;s objects, if<br>
dependencies go in both directions between users. But this is probably<br>
not so common that it warrants optimizing of connection openings?<br>
<br>
&gt;<br>
&gt; All persistent objects of a database would be vertices in the<br>
&gt; dependency graph. If A and B are two persistent objects in a database<=
br>
&gt; and if B is a dependent object of A then there will be a directed edge=
<br>
&gt; from A to B in the dependency graph (A --&gt; B). Information required=
 to<br>
&gt; construct the dependency graph will be fetched from the system tables<=
br>
&gt; (specially from the SYSDEPENDS table which effectively captures all<br=
>
&gt; such dependencies among persistent objects). The graph construction<br=
>
&gt; algorithm should also associate each vertex with a database user as<br=
>
&gt; the owner. (what is the right way to find the object owner?)<br>
<br>
For example, for a view, the SYSVIEWS table contains a reference to<br>
the owning schema in the column COMPILATIONSCHEMAID. =A0The system table<br=
>
for schemas, SYSSCHEMAS, contains AUTHORIZATIONID for each<br>
schema. This is the owning user user (since Derby does not yet support<br>
a schema being owned by a role, although the SQL standard does allow<br>
that). So joining COMPILATIONSCHEMAID with SYSSCHEMAS.SCHEMAID gives<br>
the owning user of a view. The case is similar for triggers and<br>
constraints.</blockquote><div><br>Thanks. That answers it :) <br></div><blo=
ckquote class=3D"gmail_quote" style=3D"border-left: 1px solid rgb(204, 204,=
 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;"><br>
<br>
&gt; In addition it should capture all the permissions associated with<br>
&gt; each object and the users involved with those permissions.<br>
<br>
More precisely, all permissions granted for an object, be it to a<br>
user, to a role or to PUBLIC, should be recorded with the object, so<br>
those permissions can be granted once the object has been recreated.<br>
<br>
If a persistent object depends on a role, that should be recorded as<br>
well, so that the needed role can be set before recreating the object.</blo=
ckquote><div><br>+1<br>=A0<br></div><blockquote class=3D"gmail_quote" style=
=3D"border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; p=
adding-left: 1ex;">
<br>
<br>
&gt;<br>
&gt; Once we have the full dblook dependency graph in memory we can create<=
br>
&gt; all the roles required (should be done as the dbo).<br>
<br>
And all the role grants should be performed in this step, that is,<br>
grant to users, to other roles and to PUBLIC. Only dbo can do these<br>
things presently. Note that in order to do this step successfully, you<br>
need to create a GRANT dependency graph of the roles&#39;<br>
interrelationships as well.</blockquote><div><br>Yes. Thanks for pointing t=
hat out. So I guess we need to add this as a step of our overall execution =
(may be prior to creating the dependency graph?). I think we can find all t=
he necessary data by just looking at the SYSROLES table to do this.<br>
<br></div><blockquote class=3D"gmail_quote" style=3D"border-left: 1px solid=
 rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;"><br>
<br>
&gt;<br>
&gt; When dblook finally walks the graph it will need to produce an<br>
&gt; authentication statement prior to producing the actual DDL statement<b=
r>
&gt; required to create each object.<br>
<br>
I am not sure what you mean by authentication statement here; I think<br>
we need to open a connection per user that owns a persistent object<br>
and use that connection to create that object. </blockquote><div><br>Yes. T=
hat&#39;s what I meant. Basically we need to generate a statement which est=
ablishes the necessary database connection, when executed. I&#39;ll rephras=
e this on the wiki so it&#39;s more clear to the reader.<br>
=A0</div><blockquote class=3D"gmail_quote" style=3D"border-left: 1px solid =
rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">So the w=
alk would have<br>
to switch between the different connections as needed? In addition, if<br>
this persistent object (&quot;soon-to-be-created&quot;) depends on a role, =
the<br>
connection should SET that role first, too, so we can make sure we<br>
have the required permissions to create the object.<br>
<br>
&gt; For an example if there is an object O associated with the user U in<b=
r>
<br>
I assume you mean &quot;owned by&quot; user U here.</blockquote><div><br>+1=
<br>=A0<br></div><blockquote class=3D"gmail_quote" style=3D"border-left: 1p=
x solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">=
<br>

<br>
&gt; the graph, dblook will first output an authentication statement for<br=
>
&gt; user U before producing the DDL statement for O. After producing the<b=
r>
&gt; creation statement necessary grant statements should be created<br>
&gt; related to the object.<br>
<br>
Yes, this seems the right time!<br>
<br>
&gt; Basically all the permissions related to the object should be<br>
&gt; granted to the associated users.<br>
<br>
.. and roles and PUBLIC.<br>
<br>
<br>
&gt; Walking the graph should start from a node which does not have any<br>
&gt; in bound edges (i.e. it does not depend on any other object). As the<b=
r>
&gt; graph walk continues objects are removed from the graph along with<br>
&gt; all edges incident on them. The walk continues until the graph&#39;s s=
et<br>
&gt; of vertices is empty.<br>
<br>
Dependency Graph Design<br>
&gt;<br>
&gt; The datastructures used to store the elements of the dependency graph<=
br>
&gt; should be lightweight. This graph will be held in memory and its size<=
br>
&gt; will be proportional to the number of persistent objects in the<br>
&gt; database. Therefore larger the database, larger the dependency<br>
&gt; graph. We need to be conservative in memory usage to efficiently deal<=
br>
&gt; with large databases.<br>
&gt;<br>
&gt; Each vertex in the graph should store a set of in bound edges, set of<=
br>
&gt; out bound edges, an associated user ID (might also need to store<br>
&gt; authentication credentials of the user) and a set of permissions.<br>
<br>
Yes, and you will need to store if an object depends on a role, too.<br>
The set of permissions is those that should be granted for that object<br>
(vertex; I presume you intend for the vertex to represent a persistent<br>
object here?)</blockquote><div><br>Indeed. Each persistent object will be a=
 vertex in the graph.<br><br>Thanks,<br>Hiranya<br><br></div><blockquote cl=
ass=3D"gmail_quote" style=3D"border-left: 1px solid rgb(204, 204, 204); mar=
gin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">
<br>
<font color=3D"#888888"><br>
Dag<br>
</font></blockquote></div><br><br clear=3D"all"><br>-- <br>Hiranya Jayathil=
aka<br>E-mail: <a href=3D"mailto:hiranya@apache.org">hiranya@apache.org</a>=
; =A0Mobile: +94 77 633 3491<br>Blog: <a href=3D"http://techfeast-hiranya.b=
logspot.com">http://techfeast-hiranya.blogspot.com</a><br>


--0016361e81341f8e590469d83541--