db-derby-dev mailing list archives

From "Dag H. Wanvik (JIRA)" <j...@apache.org>
Subject [jira] Commented: (DERBY-4680) Add documentation for routines running with definer's rights
Date Mon, 04 Oct 2010 16:30:34 GMT

    [ https://issues.apache.org/jira/browse/DERBY-4680?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12917651#action_12917651 ]

Dag H. Wanvik commented on DERBY-4680:

Hi Kim, 

* rrefcallprocedure.html
* rrefcreatefunctionstatement.html
* rrefcreateprocedurestatement.html

Good. For these three it may be good to call out the fact that the
privileges include the right to set the current role to a role for
which the definer has privileges. A priori, no role is set, i.e. even
if the invoker has set a current role, the routine running with
definer's rights has no current role set initially.

* rrefsistabs28114.html

The internals of AliasInfo are not public/exposed, so I suggest we just
leave this section unchanged (implementation detail).

* rrefsqlj25228.html
* rrefsqlj42324.html
* rrefsqlj42476.html

> If used within a function or procedure created with definer's rights,
> USER and CURRENT_USER return the authorization identifier of the
> definer, whereas SESSION_USER returns the authorization identifier of
> the "first" caller, that is, the user of the top level
> session. [Question: does this mean the invoker?]

Yes, it's better to use "invoker" I guess. Also the quotes around "first" look bad.
Maybe we can reword to something like:

"When used outside stored routines, USER alias CURRENT_USER and
SESSION_USER return the same value, i.e. the user identifier of
the user which created the SQL session.

SESSION_USER also always returns this value when used inside stored routines.

USER/CURRENT_USER, however, when used within a routine defined with
EXTERNAL SECURITY DEFINER, will return the user identifier of the user
that owns the schema of the routine. This is usually the creating user
although the database owner could be the creator as well."

* rrefsqljrevoke.html
* cdevspecial28907.html

This verbiage was just a general comment on the fact that we can't track such dependencies.

Actually, it applies to invoker's rights routines as well. I suggest that we just remove
this altogether.

> Add documentation for routines running with definer's rights
> ------------------------------------------------------------
>                 Key: DERBY-4680
>                 URL: https://issues.apache.org/jira/browse/DERBY-4680
>             Project: Derby
>          Issue Type: Improvement
>          Components: Documentation
>            Reporter: Dag H. Wanvik
>            Assignee: Kim Haase
>             Fix For:
>         Attachments: DERBY-4680.diff, DERBY-4680.stat, DERBY-4680.zip

This message is automatically generated by JIRA.
You can reply to this email to add a comment to the issue online.
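
The identity rules in the proposed wording above, and the remark that a definer's rights routine starts with no current role, shown as an added example that is not part of the original message or of the Derby documentation. It assumes Derby 10.7 or later on the classpath; the users ALICE and BOB, the role AUDITOR, the function names and the class `DefinerDemo` are constructed for illustration.

```java
import java.sql.*;

// Added example, not Derby project code. Assumes Derby 10.7+ (derby.jar) on the
// classpath; users ALICE/BOB, role AUDITOR and this class are constructed names.
public class DefinerDemo {
    // Routine body: reports the identity seen on the routine's nested connection.
    public static String whoAmI() throws SQLException {
        try (Connection c = DriverManager.getConnection("jdbc:default:connection");
             Statement s = c.createStatement();
             ResultSet rs = s.executeQuery(
                 "VALUES 'CURRENT_USER=' || CURRENT_USER || ', SESSION_USER=' || SESSION_USER"
                 + " || ', CURRENT_ROLE=' || COALESCE(CURRENT_ROLE, 'none')")) {
            rs.next();
            return rs.getString(1);
        }
    }

    static String one(Statement s, String sql) throws SQLException {
        try (ResultSet rs = s.executeQuery(sql)) { rs.next(); return rs.getString(1); }
    }

    public static void main(String[] args) throws Exception {
        // EXTERNAL SECURITY is only accepted when SQL authorization is on.
        System.setProperty("derby.database.sqlAuthorization", "true");
        String url = "jdbc:derby:memory:definerdemo";
        // ALICE creates the database, so she is database owner and owns schema ALICE.
        try (Connection c = DriverManager.getConnection(url + ";create=true;user=alice");
             Statement s = c.createStatement()) {
            s.execute("CREATE SCHEMA ALICE");
            for (String mode : new String[] {"DEFINER", "INVOKER"}) {
                s.execute("CREATE FUNCTION ALICE.WHO_" + mode + "() RETURNS VARCHAR(400)"
                    + " LANGUAGE JAVA PARAMETER STYLE JAVA READS SQL DATA"
                    + " EXTERNAL SECURITY " + mode + " EXTERNAL NAME 'DefinerDemo.whoAmI'");
                s.execute("GRANT EXECUTE ON FUNCTION ALICE.WHO_" + mode + " TO bob");
            }
            s.execute("CREATE ROLE auditor");
            s.execute("GRANT auditor TO bob");
        }
        // BOB is the invoker; he sets a current role before calling either routine.
        try (Connection c = DriverManager.getConnection(url + ";user=bob");
             Statement s = c.createStatement()) {
            s.execute("SET ROLE auditor");
            System.out.println("definer routine: " + one(s, "VALUES ALICE.WHO_DEFINER()"));
            System.out.println("invoker routine: " + one(s, "VALUES ALICE.WHO_INVOKER()"));
        }
    }
}
```

Comparing the two printed lines shows which of the three values depend on the EXTERNAL SECURITY clause; when reviewing a definer's rights routine, audit the privileges and grantable roles of the schema owner, not those of the caller.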
