db-derby-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Hiranya Jayathilaka <hiranya...@gmail.com>
Subject Re: Roles Support for dblook
Date Sat, 25 Jul 2009 05:21:59 GMT
Hi Rick,
Thanks for the explanation. See my comments inline.

On Mon, Jul 20, 2009 at 9:45 PM, Rick Hillegas <Richard.Hillegas@sun.com>wrote:

> Hiranya Jayathilaka wrote:
>> One more question.
>> We initially intended to use a dependency graph to capture the
>> dependencies among different roles. But looking at the SYSROLES table and
>> the existing role handling code I'm not sure whether we really need that.
>> Isn't creating all the roles in one swoop and then performing all the grants
>> (also recorded in SYSROLES table) sufficient? I can't seem to realize how
>> this will break any inter-dependencies among roles.
> Hi Hiranya,
> I think that the creating of roles and granting of roles to roles can all
> be done at once.

+1. This is handled by the existing code as well (According to DERBY-3877 it
was implemented by Dag). So I should be able to reuse it as it is. All the
role creation and granting of roles will be carried out as the DBO.

> It is the granting of privileges to the roles that has to be interleaved
> with the creation of other objects.

I'm a little bit confused about this requirement. From the discussion in
DERBY-3877 I got the impression that if all the objects are created by its
actual owner with the proper roles set, then object should get created
correctly with all dependencies intact. Isn't that sufficient? Do I need to
explicitly grant privileges to roles at different stages of the script?
Where in the system tables these privileges are recorded so I can retrieve
them in dblook?


> The issues are discussed on this jira:
> https://issues.apache.org/jira/browse/DERBY-3877
> Hope this helps,
> -Rick
>> Thanks,
>> Hiranya
>> On Sun, Jul 19, 2009 at 4:21 PM, Hiranya Jayathilaka <
>> hiranya911@gmail.com <mailto:hiranya911@gmail.com>> wrote:
>>    Hi Folks,
>>    I'm now into implementing roles support for the improved dblook
>>    implementation. Current dblook implementation simply creates all
>>    the roles and does the necessary role grants, before start
>>    creating other persistent objects. I guess I could do the same
>>    reusing most if not all of the existing code. However I think in
>>    the new implementation we need to capture the dependency a
>>    persistent object may have on a role. Can somebody please let me
>>    know where these dependencies are recorded? Is it in the SYSDEPENDS?
>>    Secondly we need to set the necessary role before going on to
>>    creating any object. What is the SQL for this? Is it something
>>    like SET ROLE {ROLENAME}? Also I guess I might have to 'unset'
>>    roles after creating an object? Is that correct?
>>    Thanks,    Hiranya Jayathilaka
>> --
>> Hiranya Jayathilaka
>> Software Engineer;
>> WSO2 Inc.;  http://wso2.org
>> E-mail: hiranya@wso2.com <mailto:hiranya@wso2.com>;  Mobile: +94 77 633
>> 3491
>> Blog: http://techfeast-hiranya.blogspot.com

Hiranya Jayathilaka
Software Engineer;
WSO2 Inc.;  http://wso2.org
E-mail: hiranya@wso2.com;  Mobile: +94 77 633 3491
Blog: http://techfeast-hiranya.blogspot.com

View raw message