GRANT ADMIN ROLE (in CREATE USER statement) can be specified only before 'USING PLUGIN' if clause TAGS present
--------------------------------------------------------------------------------------------------------------

Key: CORE-5826
URL: http://tracker.firebirdsql.org/browse/CORE-5826
Project: Firebird Core
Issue Type: Bug
Components: Engine, Security
Affects Versions: 3.0.3, 4.0 Alpha 1
Reporter: Pavel Zotov

Consider the following samples:

    SQL> create user foo password '123' grant admin role using plugin Srp;
    SQL> drop user foo using plugin srp;
    SQL> create user foo password '123' using plugin Srp grant admin role;
    SQL> drop user foo using plugin Srp;

-- all of the above will be performed without errors.

Note that we can specify 'GRANT ADMIN ROLE' both *before* and *after* the 'USING PLUGIN' clause.

This also works OK:

    SQL> create user foo password '123' grant admin role using plugin Srp tags( key1 = 'val1' );
    SQL> drop user foo using plugin srp;

But this fails:

    SQL> create user foo password '123' using plugin Srp tags( key1 = 'val1' ) grant admin role;
    Statement failed, SQLSTATE = 42000
    Dynamic SQL Error
    -SQL error code = -104
    -Token unknown - line 1, column 71
    -grant

So, 'GRANT ADMIN ROLE' can be specified only BEFORE 'using plugin Srp' if the TAGS clause is present in the statement.

It seems that this contradicts the syntax from langref30.pdf & langref40.pdf (unfortunately, these docs are still only in Russian):

    CREATE USER username PASSWORD 'password'
    [FIRSTNAME 'firstname']
    [MIDDLENAME 'middlename']
    [LASTNAME 'lastname']
    [ACTIVE | INACTIVE]
    [USING PLUGIN pluginname] --------------------------------- [1]
    [TAGS (<tag>[, <tag>[, <tag>...]] )]
    [GRANT ADMIN ROLE] ------------------------------------------ [2]

Checked on:
* WI-V3.0.4.32972
* WI-T4.0.0.977

PS.
Please look in:
* https://firebirdsql.org/file/documentation/reference_manuals/user_manuals/html/qsg3-config.html#qsg3-config-gsec
* https://firebirdsql.org/file/documentation/reference_manuals/user_manuals/Firebird-3-QuickStart.pdf
* %FB_HOME%\doc\sql.extensions\README.user_management

IMO, the existing documentation of 'CREATE/ALTER USER' should explicitly point out the necessity of the USING PLUGIN clause if we want to use any new features that appeared in 3.0+ (TAGS clause; ALTER USER INACTIVE / ACTIVE etc). All of them will be ignored if the user is created / altered with the legacy plugin.

Currently we have only the phrase: "*some* options are ignored when using legacy user management plugin." (see %FB_HOME%\doc\sql.extensions\README.user_management )

Only langref30.pdf & langref40.pdf (rus) have warnings about the necessity to use a plugin that differs from the legacy one.
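
An added check for the PS above (not part of the original report): an isql script that creates the same account under both user managers and then reads back what each one stored, so an administrator can see whether INACTIVE and TAGS took effect. It assumes a SYSDBA session and that both Srp and Legacy_UserManager are listed in the UserManager setting of firebird.conf; the user names chk_srp and chk_legacy and the tag key1 are constructed for the example.

```sql
-- Added example, not from the report. User names and tag values are constructed.
-- Options are placed before USING PLUGIN and TAGS last, the order the report shows parsing.

create user chk_srp password '123' inactive
    using plugin Srp tags (key1 = 'val1');

create user chk_legacy password '123' inactive
    using plugin Legacy_UserManager tags (key1 = 'val1');

commit;

-- One row per (user, plugin). SEC$ACTIVE shows whether INACTIVE was honoured;
-- an account believed to be disabled but still active is the risk to look for.
select u.sec$user_name, u.sec$plugin, u.sec$active, u.sec$admin
  from sec$users u
 where u.sec$user_name in ('CHK_SRP', 'CHK_LEGACY')
 order by u.sec$user_name, u.sec$plugin;

-- Tags that were actually stored. A user with no row here kept none of its TAGS.
select a.sec$user_name, a.sec$plugin, a.sec$key, a.sec$value
  from sec$user_attributes a
 where a.sec$user_name in ('CHK_SRP', 'CHK_LEGACY')
 order by a.sec$user_name, a.sec$plugin, a.sec$key;

-- Clean up the test accounts in the plugin that owns each one.
drop user chk_srp using plugin Srp;
drop user chk_legacy using plugin Legacy_UserManager;
commit;
```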