[ http://issues.apache.org/jira/browse/DERBY-1330?page=comments#action_12430565 ] Yip Ng commented on DERBY-1330: -------------------------------
Yes, it is unfortunate indeed. The permissions cache won't work properly when we are dealing with 2 types of keys associated with PermissionDescriptors. It looks like when calling getXXXPermissions(UUID), there is no choice but to load it from sys.sysdepends and bypass the cache mechanism since: 1. The UUID of the PermissionDescriptor as a key will always miss the cache because the identity of the object is determined by the grantee and other related fields currently. 2. The UUID of the PermissionDescriptor is not part of the equations of equals and hashCode method. It cannot because Derby do not know the "other" key value upfront during compilation of a statement until we retrieve it from the stored dependencies. > Provide runtime privilege checking for grant/revoke functionality > ----------------------------------------------------------------- > > Key: DERBY-1330 > URL: http://issues.apache.org/jira/browse/DERBY-1330 > Project: Derby > Issue Type: Sub-task > Components: SQL > Affects Versions: 10.2.1.0 > Reporter: Mamta A. Satoor > Assigned To: Mamta A. Satoor > Fix For: 10.2.1.0 > > Attachments: AuthorizationModelForDerbySQLStandardAuthorization.html, > AuthorizationModelForDerbySQLStandardAuthorizationV2.html, > DERBY1330javaDocWarningsDiffV9.txt, DERBY1330javaDocWarningsStatV9.txt, > Derby1330MinorCleanupV7diff.txt, Derby1330MinorCleanupV7stat.txt, > Derby1330PrivilegeCollectionV2diff.txt, > Derby1330PrivilegeCollectionV2stat.txt, > Derby1330PrivilegeCollectionV3diff.txt, > Derby1330PrivilegeCollectionV3stat.txt, > Derby1330setUUIDinDataDictionaryV10diff.txt, > Derby1330setUUIDinDataDictionaryV10stat.txt, > Derby1330setUUIDinDataDictionaryV8diff.txt, > Derby1330setUUIDinDataDictionaryV8stat.txt, > Derby1330uuidIndexForPermsSystemTablesV4diff.txt, > Derby1330uuidIndexForPermsSystemTablesV4stat.txt, > Derby1330uuidIndexForPermsSystemTablesV5diff.txt, > Derby1330uuidIndexForPermsSystemTablesV5stat.txt, > Derby1330uuidIndexForPermsSystemTablesV6diff.txt, > Derby1330uuidIndexForPermsSystemTablesV6stat.txt, > Derby1330ViewPrivilegeCollectionV1diff.txt, > Derby1330ViewPrivilegeCollectionV1stat.txt > > > Additional work needs to be done for grant/revoke to make sure that only > users with required privileges can access various database objects. In order > to do that, first we need to collect the privilege requirements for various > database objects and store them in SYS.SYSREQUIREDPERM. Once we have this > information then when a user tries to access an object, the required > SYS.SYSREQUIREDPERM privileges for the object will be checked against the > user privileges in SYS.SYSTABLEPERMS, SYS.SYSCOLPERMS and > SYS.SYSROUTINEPERMS. The database object access will succeed only if the user > has the necessary privileges. > SYS.SYSTABLEPERMS, SYS.SYSCOLPERMS and SYS.SYSROUTINEPERMS are already > populated by Satheesh's work on DERBY-464. But SYS.SYSREQUIREDPERM doesn't > have any information in it at this point and hence no runtime privilege > checking is getting done at this point. -- This message is automatically generated by JIRA. - If you think it was sent incorrectly contact one of the administrators: http://issues.apache.org/jira/secure/Administrators.jspa - For more information on JIRA, see: http://www.atlassian.com/software/jira
