[ http://issues.apache.org/jira/browse/DERBY-1057?page=comments#action_12427097 ]
Mamta A. Satoor commented on DERBY-1057:
----------------------------------------
Laura, I have some feedback on the doc changes. Also, Deepa recently added a
warning as part of DERBY-1582. We probably should document it wherever we
document other warnings.

Comments on Reference Guide

SYSCOLPERMS
1) The 2nd line should say "All of the permissions for one (GRANTEE, TABLEID,
TYPE, GRANTOR)"
2) TABLEID description says "The name of the table...". It's not the name, it is
the "unique identifier for the table..."

SYSTABLEPERMS
1) The 2nd line should say "All of the permissions for one (GRANTEE, TABLEID,
GRANTOR)"
2) TABLEID description says "The name of the table...". It's not the name, it is
the "unique identifier for the table..."

GRANT statement page
1) Under "Syntax for tables", the "TABLE" keyword should be optional. The syntax
should be
    GRANT privilege-type ON [TABLE] { table-Name | view-Name } TO grantees
2) Also, the syntax for grantees is shown as
    grantees
    {
    authorization ID | PUBLIC
    }
With this syntax, one can only specify one id at a time. That is not correct.
The syntax should look like the following
    grantees
    {authorization ID | PUBLIC} [,{authorization ID | PUBLIC}]*
3) For the syntax for privilege-type, ALL PRIVILEGES is missing. This has been
correctly included in the REVOKE statement page.

REVOKE statement page
1) Under "Syntax for tables", the "TABLE" keyword should be optional. The syntax
should be
    REVOKE privilege-type ON [TABLE] { table-Name | view-Name } FROM grantees
2) Also, the syntax for grantees is shown as
    grantees
    {
    authorization ID | PUBLIC
    }
With this syntax, one can only specify one id at a time. That is not correct.
The syntax should look like the following
    grantees
    {authorization ID | PUBLIC} [,{authorization ID | PUBLIC}]*
3) The following paragraph sounds confusing and incorrect to me
"You must use the RESTRICT clause on REVOKE statements for routines. The
RESTRICT clause specifies that the EXECUTE privilege cannot be revoked if the
specified routine is used in a view, trigger, or constraint, or if the loss of
the EXECUTE privilege would cause the definer of the view, trigger, or
constraint to no longer be able to execute the specified routine."
The correct information is in the functional spec attached to DERBY-464 and it
is as follows
"RESTRICT is mandatory with routine revoke statements. That means that
execute permission on a function may not be revoked if that function is used in
a view, trigger, or constraint, and permission is being revoked from the owner
of the view, trigger, or constraint."
4) In the paragraph for explanation of REFERENCES, we currently have the following
"If a column list is specified with the REFERENCES privilege, the permission
is valid on only the foreign key reference to the specified columns."
It should be something like the following (feel free to reword it)
"If a column list is specified with the REFERENCES privilege, the permission
is revoked on only the foreign key reference to the specified columns."
Same thing applies to the explanation of SELECT and UPDATE.
5) On both grant and revoke pages, when we talk about a specific authorization
ID, we should use the same case for all the references to that user. We talk
about authorization ID harry as "harry" and "Harry". I see this on the "Grant and
revoke user authorizations" page in the Developers Guide also.

Comments on Developers Guide

User authorizations
1) In the 2nd paragraph, we start with connection authorization and grant
authorization. But on the 2nd line, I think we are referencing grant
authorization as SQL authorization. Might be confusing to the users.
2) Typo on line "Tip: It is possible to configure a database so that the
database cannot be accesses "
accesses should be accessed
Also, that sentence sounds a little confusing to me. I think it needs a little
rephrasing. My suggestion (feel free to change it)
"Tip: It is possible to configure a database so that the database cannot be
accessed or changed. This can be done using the
derby.database.defaultConnectionMode property. If you set this property to
noAccess or readOnlyAccess, be sure to allow at least one user read-write
access."
3) 2nd bullet item under "How user authorization properties work together" says
that "No one but the owner of an object can drop the object. " Actually, it is
the owner and the dba that can drop an object. I think Dan had suggested some
other name for dba, I can't remember right now what his suggestion was.
4) 3rd bullet item "The access mode specified for the
derby.database.sqlAuthorization property " should read as "The access mode
specified for the derby.database.defaultConnectionMode property "

Setting the SQL standard authorization mode
1) Minor suggestion. This page has the following sentence
"When you set the derby.database.sqlAuthorization property to TRUE, you
cannot set the property back to FALSE."
The sentence might be a little clearer if we said
"Once you set the derby.database.sqlAuthorization property to TRUE, you
cannot set the property back to FALSE."

Grant and revoke user authorizations
1) This page has the following paragraph
"Only the object owner has full privileges on the object. No other user has
any privileges on the object until the object owner grants privileges to them. "
Actually, the object owner and the dba have full privileges on the object.
2) The following paragraph does not portray the entire picture of privilege
dependency at object creation time
"Exception: If you create a view, trigger, or constraint when only the PUBLIC
privilege is active, the object that you create is dependent on the PUBLIC
privilege. If you are subsequently granted the same user privileges as you have
with PUBLIC, the objects that you created remain dependent on the PUBLIC
privilege. If the PUBLIC privilege is later revoked, the objects that you
created when only the PUBLIC privilege was active are dropped. Ensure that you
have user level privileges before you create database objects to avoid this
privilege dependency."
Laura, can you please go through my last comment in DERBY-1330 and if it is
still unclear, please let me know.

Comments on Tuning Guide

1) derby.database.sqlAuthorization
Minor suggestion. This page has the following sentence
"When this property is set to TRUE, the property cannot be set back to FALSE."
The sentence might be a little clearer if we said
"Once this property is set to TRUE, the property cannot be set back to FALSE."

Thanks for working on this.

> documentation to address Grant/Revoke (Derby-464)
> -------------------------------------------------
>
> Key: DERBY-1057
> URL: http://issues.apache.org/jira/browse/DERBY-1057
> Project: Derby
> Issue Type: Sub-task
> Components: Documentation
> Affects Versions: 10.0.2.0
> Reporter: Eric Radzinski
> Assigned To: Laura Stewart
> Fix For: 10.2.0.0
>
> Attachments: derby1057_devguide.diff, derby1057_devguide3.diff,
> derby1057_devguide_html.zip, derby1057_devguide_html3.zip,
> derby1057_ref.diff, derby1057_ref3.diff, derby1057_ref_html.zip,
> derby1057_tuning3.diff, derby1057_tuning_html.zip, derby1058_ref_html3.zip,
> devguide_html2.zip, ref_html2.zip
>
>
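
The GRANT and REVOKE forms the comment above asks the documentation to show, written out as Derby SQL statements. This is an added example, not part of the JIRA comment or of the Derby documentation; the schema `app`, the tables, view, function and the users `harry` and `sally` are made-up names.

```sql
-- Added example; every object and user name below is hypothetical.
-- Assumes derby.database.sqlAuthorization is TRUE and that the statements
-- are run by the owner of the objects.

-- The TABLE keyword is optional: both forms grant the same privilege.
GRANT SELECT ON TABLE app.orders TO harry;
GRANT SELECT ON app.orders TO harry;

-- grantees is a comma-separated list, and PUBLIC may appear in it.
GRANT INSERT, UPDATE ON app.orders TO harry, sally;
GRANT SELECT ON app.v_orders TO sally, PUBLIC;

-- ALL PRIVILEGES as a privilege-type.
GRANT ALL PRIVILEGES ON app.orders TO sally;

-- Column list: the privilege is limited to the named columns.
GRANT UPDATE (status) ON app.orders TO harry;
GRANT REFERENCES (order_id) ON app.orders TO harry;

-- REVOKE takes the same optional TABLE keyword and the same grantee list.
REVOKE UPDATE (status) ON app.orders FROM harry;
REVOKE SELECT ON TABLE app.v_orders FROM sally, PUBLIC;
REVOKE ALL PRIVILEGES ON app.orders FROM sally;

-- Routines: RESTRICT is mandatory on REVOKE.
GRANT EXECUTE ON FUNCTION app.tax_rate TO harry;
REVOKE EXECUTE ON FUNCTION app.tax_rate FROM harry RESTRICT;

-- Audit what is recorded. TABLEID is the table's unique identifier,
-- not its name, so join to SYS.SYSTABLES to get a readable table name.
SELECT t.TABLENAME, p.GRANTEE, p.GRANTOR, p.SELECTPRIV, p.UPDATEPRIV
FROM SYS.SYSTABLEPERMS p
JOIN SYS.SYSTABLES t ON t.TABLEID = p.TABLEID;

-- Column-level grants are stored separately, one row per
-- (GRANTEE, TABLEID, TYPE, GRANTOR).
SELECT t.TABLENAME, c.GRANTEE, c.GRANTOR, c.TYPE
FROM SYS.SYSCOLPERMS c
JOIN SYS.SYSTABLES t ON t.TABLEID = c.TABLEID;
```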