[ http://issues.apache.org/jira/browse/DERBY-1330?page=all ]
Mamta A. Satoor updated DERBY-1330: ----------------------------------- Attachment: Derby1330uuidIndexForPermsSystemTablesV5diff.txt Derby1330uuidIndexForPermsSystemTablesV5stat.txt With the earlier (uncommitted) patch, one of the tests in derbyall was failing for following sql grant execute on function f_abs to mamata2, mamata3; The execution of grant above needs to add 2 rows into SYSTABLEPERMS. And each one of those rows need to have a unique uuid. In my earlier patch, I had forgotten to reset the uuid in TablePrivilegeInfo.executeGrantRevoke and that is why the test above was failing. Similar change is required in RoutinePrivilegeInfo.executeGrantRevoke for grant on a function to multiple users in one statement. Also, I had said in the comments for earlier patch that there is no need for a constructor in ColPermsDescriptor which takes permission types in the form of an int. While prototyping revoke references privilege, I realized that we do need that constructor. So I am going to leave the constructor as it is and it's usage will be clear once I have the patch fo revoke references privilege ready. Can someone review the patch (Derby1330uuidIndexForPermsSystemTablesV5diff.txt) for me and commit it if it looks good? > Provide runtime privilege checking for grant/revoke functionality > ----------------------------------------------------------------- > > Key: DERBY-1330 > URL: http://issues.apache.org/jira/browse/DERBY-1330 > Project: Derby > Type: Sub-task > Components: SQL > Versions: 10.2.0.0 > Reporter: Mamta A. Satoor > Assignee: Mamta A. Satoor > Attachments: AuthorizationModelForDerbySQLStandardAuthorization.html, > AuthorizationModelForDerbySQLStandardAuthorizationV2.html, > Derby1330PrivilegeCollectionV2diff.txt, > Derby1330PrivilegeCollectionV2stat.txt, > Derby1330PrivilegeCollectionV3diff.txt, > Derby1330PrivilegeCollectionV3stat.txt, > Derby1330ViewPrivilegeCollectionV1diff.txt, > Derby1330ViewPrivilegeCollectionV1stat.txt, > Derby1330uuidIndexForPermsSystemTablesV4diff.txt, > Derby1330uuidIndexForPermsSystemTablesV4stat.txt, > Derby1330uuidIndexForPermsSystemTablesV5diff.txt, > Derby1330uuidIndexForPermsSystemTablesV5stat.txt > > Additional work needs to be done for grant/revoke to make sure that only > users with required privileges can access various database objects. In order > to do that, first we need to collect the privilege requirements for various > database objects and store them in SYS.SYSREQUIREDPERM. Once we have this > information then when a user tries to access an object, the required > SYS.SYSREQUIREDPERM privileges for the object will be checked against the > user privileges in SYS.SYSTABLEPERMS, SYS.SYSCOLPERMS and > SYS.SYSROUTINEPERMS. The database object access will succeed only if the user > has the necessary privileges. > SYS.SYSTABLEPERMS, SYS.SYSCOLPERMS and SYS.SYSROUTINEPERMS are already > populated by Satheesh's work on DERBY-464. But SYS.SYSREQUIREDPERM doesn't > have any information in it at this point and hence no runtime privilege > checking is getting done at this point. -- This message is automatically generated by JIRA. - If you think it was sent incorrectly contact one of the administrators: http://issues.apache.org/jira/secure/Administrators.jspa - For more information on JIRA, see: http://www.atlassian.com/software/jira