Return-Path: X-Original-To: apmail-db-derby-user-archive@www.apache.org Delivered-To: apmail-db-derby-user-archive@www.apache.org Received: from mail.apache.org (hermes.apache.org [140.211.11.3]) by minotaur.apache.org (Postfix) with SMTP id 733D5D8BE for ; Thu, 27 Sep 2012 13:13:46 +0000 (UTC) Received: (qmail 59735 invoked by uid 500); 27 Sep 2012 13:13:46 -0000 Delivered-To: apmail-db-derby-user-archive@db.apache.org Received: (qmail 59446 invoked by uid 500); 27 Sep 2012 13:13:39 -0000 Mailing-List: contact derby-user-help@db.apache.org; run by ezmlm Precedence: bulk list-help: list-unsubscribe: List-Post: List-Id: Reply-To: "Derby Discussion" Delivered-To: mailing list derby-user@db.apache.org Received: (qmail 59412 invoked by uid 99); 27 Sep 2012 13:13:38 -0000 Received: from nike.apache.org (HELO nike.apache.org) (192.87.106.230) by apache.org (qpsmtpd/0.29) with ESMTP; Thu, 27 Sep 2012 13:13:38 +0000 X-ASF-Spam-Status: No, hits=0.0 required=5.0 tests=FSL_RCVD_USER,SPF_PASS X-Spam-Check-By: apache.org Received-SPF: pass (nike.apache.org: domain of lists@nabble.com designates 216.139.236.26 as permitted sender) Received: from [216.139.236.26] (HELO sam.nabble.com) (216.139.236.26) by apache.org (qpsmtpd/0.29) with ESMTP; Thu, 27 Sep 2012 13:13:32 +0000 Received: from telerig.nabble.com ([192.168.236.162]) by sam.nabble.com with esmtp (Exim 4.72) (envelope-from ) id 1THDtv-0003ny-Li for derby-user@db.apache.org; Thu, 27 Sep 2012 06:13:11 -0700 Message-ID: <34486830.post@talk.nabble.com> Date: Thu, 27 Sep 2012 06:13:11 -0700 (PDT) From: JHead To: derby-user@db.apache.org Subject: Re: Grant Schema Privileges In-Reply-To: MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit X-Nabble-From: pocze.z@gmail.com References: <34485890.post@talk.nabble.com> Knut Anders Hatlen-5 wrote: > > I don't think you can do that right now. > > One alternative approach might be to put the upgrade logic in a stored > procedure owned by the database owner, declare the procedure with > EXTERNAL SECURITY DEFINER, and grant execute privilege on the procedure > to Frank. Frank would then be allowed to execute the procedure, and the > procedure would run with the privileges of the database owner. > > This approach would have the added benefit of limiting Frank's extra > privileges to upgrading the schema, instead of giving him carte blanche > to do whatever he'd like with the objects in the schema. > > Hope this helps, > > -- > Knut Anders > > Thanks for your help. It seems to be a good solution, I will investigate, how the program could do the whole thing automatically. I know the most secure and simplest way is to allow to upgrade of the database only the database owner (e.g. system administrator). If there are more clients the database related part of the software upgrade need to be done only once. After the database is upgraded on the server, clients need to do only the non-database part of the upgrade. Thanks, Best regards, Zsolt Pocze -- View this message in context: http://old.nabble.com/Grant-Schema-Privileges-tp34485890p34486830.html Sent from the Apache Derby Users mailing list archive at Nabble.com.