[jira] Commented: (DERBY-3137) SQL roles: add catalog support
[ https://issues.apache.org/jira/browse/DERBY-3137?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12594246#action_12594246 ] Dag H. Wanvik commented on DERBY-3137: -- Uploading a one liner fix for the DERBY-3137-uuid patch: DERBY-3137-uuid-2.diff. RolesTest did not expose this bug, but my experimental patch in DERBY-3223 did. > SQL roles: add catalog support > -- > > Key: DERBY-3137 > URL: https://issues.apache.org/jira/browse/DERBY-3137 > Project: Derby > Issue Type: New Feature > Components: Security, SQL >Reporter: Dag H. Wanvik >Assignee: Dag H. Wanvik > Fix For: 10.5.0.0 > > Attachments: DERBY-3137-2.diff, DERBY-3137-2.stat, DERBY-3137-2.txt, > DERBY-3137-uuid-2.diff, DERBY-3137-uuid.diff, DERBY-3137-uuid.stat, > DERBY-3137.diff, DERBY-3137.diff, DERBY-3137.stat, DERBY-3137.txt > > > As a next step after adding support for the roles syntax, I intend to > make a patch which implements catalog support for roles, > cf. SYS.SYSROLES described in the specification (attached to > DERBY-2207). Also the patch should tie this support up to the parser > support, so the role statements can be executed. Any privileges > granted to roles would still have no effect at run-time. -- This message is automatically generated by JIRA. - You can reply to this email to add a comment to the issue online.
[jira] Commented: (DERBY-3137) SQL roles: add catalog support
[ https://issues.apache.org/jira/browse/DERBY-3137?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12594249#action_12594249 ] Dag H. Wanvik commented on DERBY-3137: -- Committed DERBY-3137-uuid-2 as svn 653497. > SQL roles: add catalog support > -- > > Key: DERBY-3137 > URL: https://issues.apache.org/jira/browse/DERBY-3137 > Project: Derby > Issue Type: New Feature > Components: Security, SQL >Reporter: Dag H. Wanvik >Assignee: Dag H. Wanvik > Fix For: 10.5.0.0 > > Attachments: DERBY-3137-2.diff, DERBY-3137-2.stat, DERBY-3137-2.txt, > DERBY-3137-uuid-2.diff, DERBY-3137-uuid.diff, DERBY-3137-uuid.stat, > DERBY-3137.diff, DERBY-3137.diff, DERBY-3137.stat, DERBY-3137.txt > > > As a next step after adding support for the roles syntax, I intend to > make a patch which implements catalog support for roles, > cf. SYS.SYSROLES described in the specification (attached to > DERBY-2207). Also the patch should tie this support up to the parser > support, so the role statements can be executed. Any privileges > granted to roles would still have no effect at run-time. -- This message is automatically generated by JIRA. - You can reply to this email to add a comment to the issue online.
[jira] Commented: (DERBY-3137) SQL roles: add catalog support
[ https://issues.apache.org/jira/browse/DERBY-3137?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12600230#action_12600230 ] Rick Hillegas commented on DERBY-3137: -- Thanks for the renaming patch, Dag. Looks good to me. > SQL roles: add catalog support > -- > > Key: DERBY-3137 > URL: https://issues.apache.org/jira/browse/DERBY-3137 > Project: Derby > Issue Type: Task > Components: Security, SQL >Reporter: Dag H. Wanvik >Assignee: Dag H. Wanvik > Fix For: 10.5.0.0 > > Attachments: DERBY-3137-2.diff, DERBY-3137-2.stat, DERBY-3137-2.txt, > DERBY-3137-rename.diff, DERBY-3137-rename.diff, DERBY-3137-rename.stat, > DERBY-3137-rename.stat, DERBY-3137-uuid-2.diff, DERBY-3137-uuid.diff, > DERBY-3137-uuid.stat, DERBY-3137.diff, DERBY-3137.diff, DERBY-3137.stat, > DERBY-3137.txt > > > As a next step after adding support for the roles syntax, I intend to > make a patch which implements catalog support for roles, > cf. SYS.SYSROLES described in the specification (attached to > DERBY-2207). Also the patch should tie this support up to the parser > support, so the role statements can be executed. Any privileges > granted to roles would still have no effect at run-time. -- This message is automatically generated by JIRA. - You can reply to this email to add a comment to the issue online.
[jira] Commented: (DERBY-3137) SQL roles: add catalog support
[ https://issues.apache.org/jira/browse/DERBY-3137?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12634538#action_12634538 ] Rick Hillegas commented on DERBY-3137: -- Hi Dag, Thanks for the patch. One small comment: LanguageConnectionContext & SetRoleConstantAction: - Some confusion may arise by using the acronym "CNF", which means "Conjunctive Normal Form" elsewhere in our SQL interpreter. > SQL roles: add catalog support > -- > > Key: DERBY-3137 > URL: https://issues.apache.org/jira/browse/DERBY-3137 > Project: Derby > Issue Type: Task > Components: Security, SQL >Reporter: Dag H. Wanvik >Assignee: Dag H. Wanvik > Fix For: 10.5.0.0 > > Attachments: DERBY-3137-2.diff, DERBY-3137-2.stat, DERBY-3137-2.txt, > DERBY-3137-ijfix.diff, DERBY-3137-ijfix.diff, DERBY-3137-ijfix.stat, > DERBY-3137-ijfix.stat, DERBY-3137-rename-b.diff, DERBY-3137-rename-b.stat, > DERBY-3137-rename.diff, DERBY-3137-rename.diff, DERBY-3137-rename.stat, > DERBY-3137-rename.stat, DERBY-3137-setRoleNoCNF-2.diff, > DERBY-3137-setRoleNoCNF-2.stat, DERBY-3137-setRoleNoCNF.diff, > DERBY-3137-setRoleNoCNF.diff, DERBY-3137-setRoleNoCNF.stat, > DERBY-3137-setRoleNoCNF.stat, DERBY-3137-uuid-2.diff, DERBY-3137-uuid.diff, > DERBY-3137-uuid.stat, DERBY-3137.diff, DERBY-3137.diff, DERBY-3137.stat, > DERBY-3137.txt > > > As a next step after adding support for the roles syntax, I intend to > make a patch which implements catalog support for roles, > cf. SYS.SYSROLES described in the specification (attached to > DERBY-2207). Also the patch should tie this support up to the parser > support, so the role statements can be executed. Any privileges > granted to roles would still have no effect at run-time. -- This message is automatically generated by JIRA. - You can reply to this email to add a comment to the issue online.
[jira] Commented: (DERBY-3137) SQL roles: add catalog support
[ https://issues.apache.org/jira/browse/DERBY-3137?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12634561#action_12634561 ] Dag H. Wanvik commented on DERBY-3137: -- Hi Rick, Rick> Rick Hillegas commented on DERBY-3137: Rick> -- Rick> Rick> Hi Dag, Rick> Rick> Thanks for the patch. One small comment: Just FYI if you didn't notice, there are two pending patched attached to this issue. The other one is DERBY-3137-ijfix. Thanks, Dag > SQL roles: add catalog support > -- > > Key: DERBY-3137 > URL: https://issues.apache.org/jira/browse/DERBY-3137 > Project: Derby > Issue Type: Task > Components: Security, SQL >Reporter: Dag H. Wanvik >Assignee: Dag H. Wanvik > Fix For: 10.5.0.0 > > Attachments: DERBY-3137-2.diff, DERBY-3137-2.stat, DERBY-3137-2.txt, > DERBY-3137-ijfix.diff, DERBY-3137-ijfix.diff, DERBY-3137-ijfix.stat, > DERBY-3137-ijfix.stat, DERBY-3137-rename-b.diff, DERBY-3137-rename-b.stat, > DERBY-3137-rename.diff, DERBY-3137-rename.diff, DERBY-3137-rename.stat, > DERBY-3137-rename.stat, DERBY-3137-setRoleNoCNF-2.diff, > DERBY-3137-setRoleNoCNF-2.stat, DERBY-3137-setRoleNoCNF-3.diff, > DERBY-3137-setRoleNoCNF-3.stat, DERBY-3137-setRoleNoCNF.diff, > DERBY-3137-setRoleNoCNF.diff, DERBY-3137-setRoleNoCNF.stat, > DERBY-3137-setRoleNoCNF.stat, DERBY-3137-uuid-2.diff, DERBY-3137-uuid.diff, > DERBY-3137-uuid.stat, DERBY-3137.diff, DERBY-3137.diff, DERBY-3137.stat, > DERBY-3137.txt > > > As a next step after adding support for the roles syntax, I intend to > make a patch which implements catalog support for roles, > cf. SYS.SYSROLES described in the specification (attached to > DERBY-2207). Also the patch should tie this support up to the parser > support, so the role statements can be executed. Any privileges > granted to roles would still have no effect at run-time. -- This message is automatically generated by JIRA. - You can reply to this email to add a comment to the issue online.
[jira] Commented: (DERBY-3137) SQL roles: add catalog support
[ https://issues.apache.org/jira/browse/DERBY-3137?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12634574#action_12634574 ] Rick Hillegas commented on DERBY-3137: -- Thanks for bringing my attention to the DERBY-3137-ijfix patch, Dag. It looks good. For extra credit, someone may want to implement a similar command which shows the session's role closure. It's a useful slug of information--that is, other databases have bothered to implement the enabled_roles view defined in chapter 11 of the SQL standard (InformationSchema). Thanks. > SQL roles: add catalog support > -- > > Key: DERBY-3137 > URL: https://issues.apache.org/jira/browse/DERBY-3137 > Project: Derby > Issue Type: Task > Components: Security, SQL >Reporter: Dag H. Wanvik >Assignee: Dag H. Wanvik > Fix For: 10.5.0.0 > > Attachments: DERBY-3137-2.diff, DERBY-3137-2.stat, DERBY-3137-2.txt, > DERBY-3137-ijfix.diff, DERBY-3137-ijfix.diff, DERBY-3137-ijfix.stat, > DERBY-3137-ijfix.stat, DERBY-3137-rename-b.diff, DERBY-3137-rename-b.stat, > DERBY-3137-rename.diff, DERBY-3137-rename.diff, DERBY-3137-rename.stat, > DERBY-3137-rename.stat, DERBY-3137-setRoleNoCNF-2.diff, > DERBY-3137-setRoleNoCNF-2.stat, DERBY-3137-setRoleNoCNF-3.diff, > DERBY-3137-setRoleNoCNF-3.stat, DERBY-3137-setRoleNoCNF.diff, > DERBY-3137-setRoleNoCNF.diff, DERBY-3137-setRoleNoCNF.stat, > DERBY-3137-setRoleNoCNF.stat, DERBY-3137-uuid-2.diff, DERBY-3137-uuid.diff, > DERBY-3137-uuid.stat, DERBY-3137.diff, DERBY-3137.diff, DERBY-3137.stat, > DERBY-3137.txt > > > As a next step after adding support for the roles syntax, I intend to > make a patch which implements catalog support for roles, > cf. SYS.SYSROLES described in the specification (attached to > DERBY-2207). Also the patch should tie this support up to the parser > support, so the role statements can be executed. Any privileges > granted to roles would still have no effect at run-time. -- This message is automatically generated by JIRA. - You can reply to this email to add a comment to the issue online.
[jira] Commented: (DERBY-3137) SQL roles: add catalog support
[ https://issues.apache.org/jira/browse/DERBY-3137?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12634893#action_12634893 ] Dag H. Wanvik commented on DERBY-3137: -- Committed patch DERBY-3137-ijfix as svn 699366. > SQL roles: add catalog support > -- > > Key: DERBY-3137 > URL: https://issues.apache.org/jira/browse/DERBY-3137 > Project: Derby > Issue Type: Task > Components: Security, SQL >Reporter: Dag H. Wanvik >Assignee: Dag H. Wanvik > Fix For: 10.5.0.0 > > Attachments: DERBY-3137-2.diff, DERBY-3137-2.stat, DERBY-3137-2.txt, > DERBY-3137-ijfix.diff, DERBY-3137-ijfix.diff, DERBY-3137-ijfix.stat, > DERBY-3137-ijfix.stat, DERBY-3137-rename-b.diff, DERBY-3137-rename-b.stat, > DERBY-3137-rename.diff, DERBY-3137-rename.diff, DERBY-3137-rename.stat, > DERBY-3137-rename.stat, DERBY-3137-setRoleNoCNF-2.diff, > DERBY-3137-setRoleNoCNF-2.stat, DERBY-3137-setRoleNoCNF-3.diff, > DERBY-3137-setRoleNoCNF-3.stat, DERBY-3137-setRoleNoCNF.diff, > DERBY-3137-setRoleNoCNF.diff, DERBY-3137-setRoleNoCNF.stat, > DERBY-3137-setRoleNoCNF.stat, DERBY-3137-uuid-2.diff, DERBY-3137-uuid.diff, > DERBY-3137-uuid.stat, DERBY-3137.diff, DERBY-3137.diff, DERBY-3137.stat, > DERBY-3137.txt > > > As a next step after adding support for the roles syntax, I intend to > make a patch which implements catalog support for roles, > cf. SYS.SYSROLES described in the specification (attached to > DERBY-2207). Also the patch should tie this support up to the parser > support, so the role statements can be executed. Any privileges > granted to roles would still have no effect at run-time. -- This message is automatically generated by JIRA. - You can reply to this email to add a comment to the issue online.
[jira] Commented: (DERBY-3137) SQL roles: add catalog support
[ https://issues.apache.org/jira/browse/DERBY-3137?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12634906#action_12634906 ] Dag H. Wanvik commented on DERBY-3137: -- Committed DERBY-3137-setRoleNoCN-3 as svn 699374, closing. > SQL roles: add catalog support > -- > > Key: DERBY-3137 > URL: https://issues.apache.org/jira/browse/DERBY-3137 > Project: Derby > Issue Type: Task > Components: Security, SQL >Reporter: Dag H. Wanvik >Assignee: Dag H. Wanvik > Fix For: 10.5.0.0 > > Attachments: DERBY-3137-2.diff, DERBY-3137-2.stat, DERBY-3137-2.txt, > DERBY-3137-ijfix.diff, DERBY-3137-ijfix.diff, DERBY-3137-ijfix.stat, > DERBY-3137-ijfix.stat, DERBY-3137-rename-b.diff, DERBY-3137-rename-b.stat, > DERBY-3137-rename.diff, DERBY-3137-rename.diff, DERBY-3137-rename.stat, > DERBY-3137-rename.stat, DERBY-3137-setRoleNoCNF-2.diff, > DERBY-3137-setRoleNoCNF-2.stat, DERBY-3137-setRoleNoCNF-3.diff, > DERBY-3137-setRoleNoCNF-3.stat, DERBY-3137-setRoleNoCNF.diff, > DERBY-3137-setRoleNoCNF.diff, DERBY-3137-setRoleNoCNF.stat, > DERBY-3137-setRoleNoCNF.stat, DERBY-3137-uuid-2.diff, DERBY-3137-uuid.diff, > DERBY-3137-uuid.stat, DERBY-3137.diff, DERBY-3137.diff, DERBY-3137.stat, > DERBY-3137.txt > > > As a next step after adding support for the roles syntax, I intend to > make a patch which implements catalog support for roles, > cf. SYS.SYSROLES described in the specification (attached to > DERBY-2207). Also the patch should tie this support up to the parser > support, so the role statements can be executed. Any privileges > granted to roles would still have no effect at run-time. -- This message is automatically generated by JIRA. - You can reply to this email to add a comment to the issue online.
[jira] Commented: (DERBY-3137) SQL roles: add catalog support
[ https://issues.apache.org/jira/browse/DERBY-3137?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12634974#action_12634974 ] Dag H. Wanvik commented on DERBY-3137: -- Rick> For extra credit, someone may want to implement a similar Rick> command which shows the session's role closure. It's a useful slug of Rick> information--that is, other databases have bothered to implement the Rick> enabled_roles view defined in chapter 11 of the SQL standard Rick> (InformationSchema). I made a new JIRA for this, DERBY-3886, and have uploaded a patch suggestion. > SQL roles: add catalog support > -- > > Key: DERBY-3137 > URL: https://issues.apache.org/jira/browse/DERBY-3137 > Project: Derby > Issue Type: Task > Components: Security, SQL >Reporter: Dag H. Wanvik >Assignee: Dag H. Wanvik > Fix For: 10.5.0.0 > > Attachments: DERBY-3137-2.diff, DERBY-3137-2.stat, DERBY-3137-2.txt, > DERBY-3137-ijfix.diff, DERBY-3137-ijfix.diff, DERBY-3137-ijfix.stat, > DERBY-3137-ijfix.stat, DERBY-3137-rename-b.diff, DERBY-3137-rename-b.stat, > DERBY-3137-rename.diff, DERBY-3137-rename.diff, DERBY-3137-rename.stat, > DERBY-3137-rename.stat, DERBY-3137-setRoleNoCNF-2.diff, > DERBY-3137-setRoleNoCNF-2.stat, DERBY-3137-setRoleNoCNF-3.diff, > DERBY-3137-setRoleNoCNF-3.stat, DERBY-3137-setRoleNoCNF.diff, > DERBY-3137-setRoleNoCNF.diff, DERBY-3137-setRoleNoCNF.stat, > DERBY-3137-setRoleNoCNF.stat, DERBY-3137-uuid-2.diff, DERBY-3137-uuid.diff, > DERBY-3137-uuid.stat, DERBY-3137.diff, DERBY-3137.diff, DERBY-3137.stat, > DERBY-3137.txt > > > As a next step after adding support for the roles syntax, I intend to > make a patch which implements catalog support for roles, > cf. SYS.SYSROLES described in the specification (attached to > DERBY-2207). Also the patch should tie this support up to the parser > support, so the role statements can be executed. Any privileges > granted to roles would still have no effect at run-time. -- This message is automatically generated by JIRA. - You can reply to this email to add a comment to the issue online.
[jira] Commented: (DERBY-3137) SQL roles: add catalog support
[ https://issues.apache.org/jira/browse/DERBY-3137?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12639411#action_12639411 ] Rick Hillegas commented on DERBY-3137: -- Thanks for the patch, Dag. +1 to being restrictive. > SQL roles: add catalog support > -- > > Key: DERBY-3137 > URL: https://issues.apache.org/jira/browse/DERBY-3137 > Project: Derby > Issue Type: Task > Components: Security, SQL >Reporter: Dag H. Wanvik >Assignee: Dag H. Wanvik > Fix For: 10.5.0.0 > > Attachments: DERBY-3137-2.diff, DERBY-3137-2.stat, DERBY-3137-2.txt, > DERBY-3137-ijfix.diff, DERBY-3137-ijfix.diff, DERBY-3137-ijfix.stat, > DERBY-3137-ijfix.stat, DERBY-3137-rename-b.diff, DERBY-3137-rename-b.stat, > DERBY-3137-rename.diff, DERBY-3137-rename.diff, DERBY-3137-rename.stat, > DERBY-3137-rename.stat, DERBY-3137-setRoleNoCNF-2.diff, > DERBY-3137-setRoleNoCNF-2.stat, DERBY-3137-setRoleNoCNF-3.diff, > DERBY-3137-setRoleNoCNF-3.stat, DERBY-3137-setRoleNoCNF.diff, > DERBY-3137-setRoleNoCNF.diff, DERBY-3137-setRoleNoCNF.stat, > DERBY-3137-setRoleNoCNF.stat, DERBY-3137-setRoleNoDynamicNone.diff, > DERBY-3137-setRoleNoDynamicNone.stat, DERBY-3137-uuid-2.diff, > DERBY-3137-uuid.diff, DERBY-3137-uuid.stat, DERBY-3137.diff, DERBY-3137.diff, > DERBY-3137.stat, DERBY-3137.txt > > > As a next step after adding support for the roles syntax, I intend to > make a patch which implements catalog support for roles, > cf. SYS.SYSROLES described in the specification (attached to > DERBY-2207). Also the patch should tie this support up to the parser > support, so the role statements can be executed. Any privileges > granted to roles would still have no effect at run-time. -- This message is automatically generated by JIRA. - You can reply to this email to add a comment to the issue online.
[jira] Commented: (DERBY-3137) SQL roles: add catalog support
[ https://issues.apache.org/jira/browse/DERBY-3137?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12658106#action_12658106 ] Rick Hillegas commented on DERBY-3137: -- Thanks for the patch, Dag. I notice that the other cases (USER, CURRENT USER, SESSION USER, SYSTEM USER, CURRENT SCHEMA) use DataDictionary.TYPE_SYSTEM_IDENTIFIER as the type of a SQL identifier. Do you think that these other cases should agree with CURRENT ROLE? Do we need to log a bug against the other cases and recommend CURRENT ROLE as a better model? > SQL roles: add catalog support > -- > > Key: DERBY-3137 > URL: https://issues.apache.org/jira/browse/DERBY-3137 > Project: Derby > Issue Type: Task > Components: Security, SQL >Reporter: Dag H. Wanvik >Assignee: Dag H. Wanvik > Fix For: 10.5.0.0 > > Attachments: DERBY-3137-2.diff, DERBY-3137-2.stat, DERBY-3137-2.txt, > DERBY-3137-current_role_type.diff, DERBY-3137-current_role_type.stat, > DERBY-3137-ijfix.diff, DERBY-3137-ijfix.diff, DERBY-3137-ijfix.stat, > DERBY-3137-ijfix.stat, DERBY-3137-moreTests-b.diff, > DERBY-3137-moreTests-b.stat, DERBY-3137-moreTests.diff, > DERBY-3137-moreTests.stat, DERBY-3137-rename-b.diff, > DERBY-3137-rename-b.stat, DERBY-3137-rename.diff, DERBY-3137-rename.diff, > DERBY-3137-rename.stat, DERBY-3137-rename.stat, > DERBY-3137-setRoleNoCNF-2.diff, DERBY-3137-setRoleNoCNF-2.stat, > DERBY-3137-setRoleNoCNF-3.diff, DERBY-3137-setRoleNoCNF-3.stat, > DERBY-3137-setRoleNoCNF.diff, DERBY-3137-setRoleNoCNF.diff, > DERBY-3137-setRoleNoCNF.stat, DERBY-3137-setRoleNoCNF.stat, > DERBY-3137-setRoleNoDynamicNone.diff, DERBY-3137-setRoleNoDynamicNone.stat, > DERBY-3137-uuid-2.diff, DERBY-3137-uuid.diff, DERBY-3137-uuid.stat, > DERBY-3137.diff, DERBY-3137.diff, DERBY-3137.stat, DERBY-3137.txt > > > As a next step after adding support for the roles syntax, I intend to > make a patch which implements catalog support for roles, > cf. SYS.SYSROLES described in the specification (attached to > DERBY-2207). Also the patch should tie this support up to the parser > support, so the role statements can be executed. Any privileges > granted to roles would still have no effect at run-time. -- This message is automatically generated by JIRA. - You can reply to this email to add a comment to the issue online.
[jira] Commented: (DERBY-3137) SQL roles: add catalog support
[ https://issues.apache.org/jira/browse/DERBY-3137?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12658115#action_12658115 ] Dag H. Wanvik commented on DERBY-3137: -- This is because the other functions still return internal case normal form, in violation of the standard. We decided to go with the standard for roles. So, yes, I guess we could file an improvement issue for those others. > SQL roles: add catalog support > -- > > Key: DERBY-3137 > URL: https://issues.apache.org/jira/browse/DERBY-3137 > Project: Derby > Issue Type: Task > Components: Security, SQL >Reporter: Dag H. Wanvik >Assignee: Dag H. Wanvik > Fix For: 10.5.0.0 > > Attachments: DERBY-3137-2.diff, DERBY-3137-2.stat, DERBY-3137-2.txt, > DERBY-3137-current_role_type.diff, DERBY-3137-current_role_type.stat, > DERBY-3137-ijfix.diff, DERBY-3137-ijfix.diff, DERBY-3137-ijfix.stat, > DERBY-3137-ijfix.stat, DERBY-3137-moreTests-b.diff, > DERBY-3137-moreTests-b.stat, DERBY-3137-moreTests.diff, > DERBY-3137-moreTests.stat, DERBY-3137-rename-b.diff, > DERBY-3137-rename-b.stat, DERBY-3137-rename.diff, DERBY-3137-rename.diff, > DERBY-3137-rename.stat, DERBY-3137-rename.stat, > DERBY-3137-setRoleNoCNF-2.diff, DERBY-3137-setRoleNoCNF-2.stat, > DERBY-3137-setRoleNoCNF-3.diff, DERBY-3137-setRoleNoCNF-3.stat, > DERBY-3137-setRoleNoCNF.diff, DERBY-3137-setRoleNoCNF.diff, > DERBY-3137-setRoleNoCNF.stat, DERBY-3137-setRoleNoCNF.stat, > DERBY-3137-setRoleNoDynamicNone.diff, DERBY-3137-setRoleNoDynamicNone.stat, > DERBY-3137-uuid-2.diff, DERBY-3137-uuid.diff, DERBY-3137-uuid.stat, > DERBY-3137.diff, DERBY-3137.diff, DERBY-3137.stat, DERBY-3137.txt > > > As a next step after adding support for the roles syntax, I intend to > make a patch which implements catalog support for roles, > cf. SYS.SYSROLES described in the specification (attached to > DERBY-2207). Also the patch should tie this support up to the parser > support, so the role statements can be executed. Any privileges > granted to roles would still have no effect at run-time. -- This message is automatically generated by JIRA. - You can reply to this email to add a comment to the issue online.
[jira] Commented: (DERBY-3137) SQL roles: add catalog support
[ https://issues.apache.org/jira/browse/DERBY-3137?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12658137#action_12658137 ] Rick Hillegas commented on DERBY-3137: -- Thanks for the setRoleAsStringFix patch, Dag. Looks good to me. > SQL roles: add catalog support > -- > > Key: DERBY-3137 > URL: https://issues.apache.org/jira/browse/DERBY-3137 > Project: Derby > Issue Type: Task > Components: Security, SQL >Reporter: Dag H. Wanvik >Assignee: Dag H. Wanvik > Fix For: 10.5.0.0 > > Attachments: DERBY-3137-2.diff, DERBY-3137-2.stat, DERBY-3137-2.txt, > DERBY-3137-current_role_type.diff, DERBY-3137-current_role_type.stat, > DERBY-3137-ijfix.diff, DERBY-3137-ijfix.diff, DERBY-3137-ijfix.stat, > DERBY-3137-ijfix.stat, DERBY-3137-moreTests-b.diff, > DERBY-3137-moreTests-b.stat, DERBY-3137-moreTests.diff, > DERBY-3137-moreTests.stat, DERBY-3137-rename-b.diff, > DERBY-3137-rename-b.stat, DERBY-3137-rename.diff, DERBY-3137-rename.diff, > DERBY-3137-rename.stat, DERBY-3137-rename.stat, > DERBY-3137-setRoleAsStringFix.diff, DERBY-3137-setRoleAsStringFix.stat, > DERBY-3137-setRoleNoCNF-2.diff, DERBY-3137-setRoleNoCNF-2.stat, > DERBY-3137-setRoleNoCNF-3.diff, DERBY-3137-setRoleNoCNF-3.stat, > DERBY-3137-setRoleNoCNF.diff, DERBY-3137-setRoleNoCNF.diff, > DERBY-3137-setRoleNoCNF.stat, DERBY-3137-setRoleNoCNF.stat, > DERBY-3137-setRoleNoDynamicNone.diff, DERBY-3137-setRoleNoDynamicNone.stat, > DERBY-3137-uuid-2.diff, DERBY-3137-uuid.diff, DERBY-3137-uuid.stat, > DERBY-3137.diff, DERBY-3137.diff, DERBY-3137.stat, DERBY-3137.txt > > > As a next step after adding support for the roles syntax, I intend to > make a patch which implements catalog support for roles, > cf. SYS.SYSROLES described in the specification (attached to > DERBY-2207). Also the patch should tie this support up to the parser > support, so the role statements can be executed. Any privileges > granted to roles would still have no effect at run-time. -- This message is automatically generated by JIRA. - You can reply to this email to add a comment to the issue online.
[jira] Commented: (DERBY-3137) SQL roles: add catalog support
[ https://issues.apache.org/jira/browse/DERBY-3137?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12658538#action_12658538 ] Dag H. Wanvik commented on DERBY-3137: -- Committed DERBY-3137-current_role_type as svn 728691. > SQL roles: add catalog support > -- > > Key: DERBY-3137 > URL: https://issues.apache.org/jira/browse/DERBY-3137 > Project: Derby > Issue Type: Task > Components: Security, SQL >Reporter: Dag H. Wanvik >Assignee: Dag H. Wanvik > Fix For: 10.5.0.0 > > Attachments: DERBY-3137-2.diff, DERBY-3137-2.stat, DERBY-3137-2.txt, > DERBY-3137-current_role_type.diff, DERBY-3137-current_role_type.stat, > DERBY-3137-ijfix.diff, DERBY-3137-ijfix.diff, DERBY-3137-ijfix.stat, > DERBY-3137-ijfix.stat, DERBY-3137-moreTests-b.diff, > DERBY-3137-moreTests-b.stat, DERBY-3137-moreTests.diff, > DERBY-3137-moreTests.stat, DERBY-3137-rename-b.diff, > DERBY-3137-rename-b.stat, DERBY-3137-rename.diff, DERBY-3137-rename.diff, > DERBY-3137-rename.stat, DERBY-3137-rename.stat, > DERBY-3137-setRoleAsStringFix.diff, DERBY-3137-setRoleAsStringFix.stat, > DERBY-3137-setRoleNoCNF-2.diff, DERBY-3137-setRoleNoCNF-2.stat, > DERBY-3137-setRoleNoCNF-3.diff, DERBY-3137-setRoleNoCNF-3.stat, > DERBY-3137-setRoleNoCNF.diff, DERBY-3137-setRoleNoCNF.diff, > DERBY-3137-setRoleNoCNF.stat, DERBY-3137-setRoleNoCNF.stat, > DERBY-3137-setRoleNoDynamicNone.diff, DERBY-3137-setRoleNoDynamicNone.stat, > DERBY-3137-uuid-2.diff, DERBY-3137-uuid.diff, DERBY-3137-uuid.stat, > DERBY-3137.diff, DERBY-3137.diff, DERBY-3137.stat, DERBY-3137.txt > > > As a next step after adding support for the roles syntax, I intend to > make a patch which implements catalog support for roles, > cf. SYS.SYSROLES described in the specification (attached to > DERBY-2207). Also the patch should tie this support up to the parser > support, so the role statements can be executed. Any privileges > granted to roles would still have no effect at run-time. -- This message is automatically generated by JIRA. - You can reply to this email to add a comment to the issue online.
[jira] Commented: (DERBY-3137) SQL roles: add catalog support
[ https://issues.apache.org/jira/browse/DERBY-3137?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#action_12540294 ] Rick Hillegas commented on DERBY-3137: -- Hi Dag, Thanks for the extensive patch description and regression tests. Also, thanks for adding the SHOW ROLES command. I think it's very useful. 1) ij.jj: Comment on showRoles() refers to SYSTABLES. I think SYSROLES is intended. 2) SetRoleNode: By the time you get to this node, NONE is understood to mean the same thing as NULL Role. I wonder if this is the solution to your question about disambiguating NONE and "NONE". Maybe NONE should be what's meant when someone sets the ? to NULL in a dynamic "SET ROLE ?" statement. 3) SetRoleConstantAction: Ditto that. You could then eliminate the paragraph which translates "NONE" to NULL. > SQL roles: add catalog support > -- > > Key: DERBY-3137 > URL: https://issues.apache.org/jira/browse/DERBY-3137 > Project: Derby > Issue Type: New Feature > Components: SQL >Reporter: Dag H. Wanvik >Assignee: Dag H. Wanvik > Attachments: DERBY-3137.diff, DERBY-3137.diff, DERBY-3137.stat, > DERBY-3137.txt > > > As a next step after adding support for the roles syntax, I intend to > make a patch which implements catalog support for roles, > cf. SYS.SYSROLES described in the specification (attached to > DERBY-2207). Also the patch should tie this support up to the parser > support, so the role statements can be executed. Any privileges > granted to roles would still have no effect at run-time. -- This message is automatically generated by JIRA. - You can reply to this email to add a comment to the issue online.
[jira] Commented: (DERBY-3137) SQL roles: add catalog support
[ https://issues.apache.org/jira/browse/DERBY-3137?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#action_12540465 ] Dag H. Wanvik commented on DERBY-3137: -- Thanks for the comments, Rick! 1) Thanks for catching that! 2, 3) I think this is a reasonable thing to do. I didn't do it at first because I wasn't able to read this possibility as legal from the wording of the standard: Setting a Java null amounts to a SQL NULL on the SQL level (JDBC 4.0, §13.2.2.4, p 102), and SQL §18.3 doesn't seem to allow for NULL, cf. for example GR 3. Still, I think it is a reasonable thing to do, so unless people object, I'll implement that solution: a Java null value to a dynamic set role parameter effectively sets the role to NONE (no current role set). A dynamic parameter string of "NONE" will be interpreted as a role called NONE. BTW: GR2 requires that we trim away blanks at both ends of a string value before applying it. I don't do that presently for SET ROLE, because neither does SET SCHEMA. Do we want to become conformant on this detail? Unless we prohibit delimited identifiers from having leading or trailing spaces, its seems unwise do do it. We don't presently prohibit that, nor could I find support for prohibiting it in the standard, checking syntax rules in §5.2 (Token and separator). > SQL roles: add catalog support > -- > > Key: DERBY-3137 > URL: https://issues.apache.org/jira/browse/DERBY-3137 > Project: Derby > Issue Type: New Feature > Components: SQL >Reporter: Dag H. Wanvik >Assignee: Dag H. Wanvik > Attachments: DERBY-3137.diff, DERBY-3137.diff, DERBY-3137.stat, > DERBY-3137.txt > > > As a next step after adding support for the roles syntax, I intend to > make a patch which implements catalog support for roles, > cf. SYS.SYSROLES described in the specification (attached to > DERBY-2207). Also the patch should tie this support up to the parser > support, so the role statements can be executed. Any privileges > granted to roles would still have no effect at run-time. -- This message is automatically generated by JIRA. - You can reply to this email to add a comment to the issue online.
[jira] Commented: (DERBY-3137) SQL roles: add catalog support
[ https://issues.apache.org/jira/browse/DERBY-3137?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#action_12541072 ] Rick Hillegas commented on DERBY-3137: -- Thanks for the new patch, Dag. Looks good to me. > SQL roles: add catalog support > -- > > Key: DERBY-3137 > URL: https://issues.apache.org/jira/browse/DERBY-3137 > Project: Derby > Issue Type: New Feature > Components: SQL >Reporter: Dag H. Wanvik >Assignee: Dag H. Wanvik > Attachments: DERBY-3137-2.diff, DERBY-3137-2.stat, DERBY-3137.diff, > DERBY-3137.diff, DERBY-3137.stat, DERBY-3137.txt > > > As a next step after adding support for the roles syntax, I intend to > make a patch which implements catalog support for roles, > cf. SYS.SYSROLES described in the specification (attached to > DERBY-2207). Also the patch should tie this support up to the parser > support, so the role statements can be executed. Any privileges > granted to roles would still have no effect at run-time. -- This message is automatically generated by JIRA. - You can reply to this email to add a comment to the issue online.
[jira] Commented: (DERBY-3137) SQL roles: add catalog support
[ https://issues.apache.org/jira/browse/DERBY-3137?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#action_12541792 ] Dag H. Wanvik commented on DERBY-3137: -- Patch DERBY-3137-2 committed as svn 594158. > SQL roles: add catalog support > -- > > Key: DERBY-3137 > URL: https://issues.apache.org/jira/browse/DERBY-3137 > Project: Derby > Issue Type: New Feature > Components: SQL >Reporter: Dag H. Wanvik >Assignee: Dag H. Wanvik > Attachments: DERBY-3137-2.diff, DERBY-3137-2.stat, DERBY-3137-2.txt, > DERBY-3137.diff, DERBY-3137.diff, DERBY-3137.stat, DERBY-3137.txt > > > As a next step after adding support for the roles syntax, I intend to > make a patch which implements catalog support for roles, > cf. SYS.SYSROLES described in the specification (attached to > DERBY-2207). Also the patch should tie this support up to the parser > support, so the role statements can be executed. Any privileges > granted to roles would still have no effect at run-time. -- This message is automatically generated by JIRA. - You can reply to this email to add a comment to the issue online.
[jira] Commented: (DERBY-3137) SQL roles: add catalog support
[ https://issues.apache.org/jira/browse/DERBY-3137?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12560552#action_12560552 ] Rick Hillegas commented on DERBY-3137: -- Thanks for the patch, Dag. It looks good to me. You may need to warn people to drop their previously created 10.4 databases after you check in this fix. > SQL roles: add catalog support > -- > > Key: DERBY-3137 > URL: https://issues.apache.org/jira/browse/DERBY-3137 > Project: Derby > Issue Type: New Feature > Components: Security, SQL >Reporter: Dag H. Wanvik >Assignee: Dag H. Wanvik > Fix For: 10.4.0.0 > > Attachments: DERBY-3137-2.diff, DERBY-3137-2.stat, DERBY-3137-2.txt, > DERBY-3137-uuid.diff, DERBY-3137-uuid.stat, DERBY-3137.diff, DERBY-3137.diff, > DERBY-3137.stat, DERBY-3137.txt > > > As a next step after adding support for the roles syntax, I intend to > make a patch which implements catalog support for roles, > cf. SYS.SYSROLES described in the specification (attached to > DERBY-2207). Also the patch should tie this support up to the parser > support, so the role statements can be executed. Any privileges > granted to roles would still have no effect at run-time. -- This message is automatically generated by JIRA. - You can reply to this email to add a comment to the issue online.
[jira] Commented: (DERBY-3137) SQL roles: add catalog support
[ https://issues.apache.org/jira/browse/DERBY-3137?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12560599#action_12560599 ] Dag H. Wanvik commented on DERBY-3137: -- Thanks for reviewing this, Rick! Yes, you are right. I plan to post a heads-up to derby-dev and hold off the commit to after the week-end: Old trunk databases will be incompatible after this patch is committed. > SQL roles: add catalog support > -- > > Key: DERBY-3137 > URL: https://issues.apache.org/jira/browse/DERBY-3137 > Project: Derby > Issue Type: New Feature > Components: Security, SQL >Reporter: Dag H. Wanvik >Assignee: Dag H. Wanvik > Fix For: 10.4.0.0 > > Attachments: DERBY-3137-2.diff, DERBY-3137-2.stat, DERBY-3137-2.txt, > DERBY-3137-uuid.diff, DERBY-3137-uuid.stat, DERBY-3137.diff, DERBY-3137.diff, > DERBY-3137.stat, DERBY-3137.txt > > > As a next step after adding support for the roles syntax, I intend to > make a patch which implements catalog support for roles, > cf. SYS.SYSROLES described in the specification (attached to > DERBY-2207). Also the patch should tie this support up to the parser > support, so the role statements can be executed. Any privileges > granted to roles would still have no effect at run-time. -- This message is automatically generated by JIRA. - You can reply to this email to add a comment to the issue online.
[jira] Commented: (DERBY-3137) SQL roles: add catalog support
[ https://issues.apache.org/jira/browse/DERBY-3137?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12561395#action_12561395 ] Dag H. Wanvik commented on DERBY-3137: -- Committed DERBY-3137-uuid as svn 614273. This change will make existing trunk databases invalid, so please recreate any trunk database you might have before trying to run with 614273 or higher. > SQL roles: add catalog support > -- > > Key: DERBY-3137 > URL: https://issues.apache.org/jira/browse/DERBY-3137 > Project: Derby > Issue Type: New Feature > Components: Security, SQL >Reporter: Dag H. Wanvik >Assignee: Dag H. Wanvik > Fix For: 10.4.0.0 > > Attachments: DERBY-3137-2.diff, DERBY-3137-2.stat, DERBY-3137-2.txt, > DERBY-3137-uuid.diff, DERBY-3137-uuid.stat, DERBY-3137.diff, DERBY-3137.diff, > DERBY-3137.stat, DERBY-3137.txt > > > As a next step after adding support for the roles syntax, I intend to > make a patch which implements catalog support for roles, > cf. SYS.SYSROLES described in the specification (attached to > DERBY-2207). Also the patch should tie this support up to the parser > support, so the role statements can be executed. Any privileges > granted to roles would still have no effect at run-time. -- This message is automatically generated by JIRA. - You can reply to this email to add a comment to the issue online.
[jira] Commented: (DERBY-3137) SQL roles: add catalog support
[ https://issues.apache.org/jira/browse/DERBY-3137?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12563731#action_12563731 ] Daniel John Debrunner commented on DERBY-3137: -- I think it would be unwise to vary from the standard here: If NULL is disallowed as a role name in SET ROLE then Derby should follow that rule, not use NULL to mean NONE, especially when the SQL standard was corrected to not allow the value expression to resolve to the special meaning of NONE. Also for the TRIM case, I can't see any benefit to deviating from the standard. Making the code stricter (and follow the standard) is an easier path forwards, than less strict and then having backwards compatibility issues if it's needed later to strictly enforce the standard. > SQL roles: add catalog support > -- > > Key: DERBY-3137 > URL: https://issues.apache.org/jira/browse/DERBY-3137 > Project: Derby > Issue Type: New Feature > Components: Security, SQL >Reporter: Dag H. Wanvik >Assignee: Dag H. Wanvik > Fix For: 10.4.0.0 > > Attachments: DERBY-3137-2.diff, DERBY-3137-2.stat, DERBY-3137-2.txt, > DERBY-3137-uuid.diff, DERBY-3137-uuid.stat, DERBY-3137.diff, DERBY-3137.diff, > DERBY-3137.stat, DERBY-3137.txt > > > As a next step after adding support for the roles syntax, I intend to > make a patch which implements catalog support for roles, > cf. SYS.SYSROLES described in the specification (attached to > DERBY-2207). Also the patch should tie this support up to the parser > support, so the role statements can be executed. Any privileges > granted to roles would still have no effect at run-time. -- This message is automatically generated by JIRA. - You can reply to this email to add a comment to the issue online.
[jira] Commented: (DERBY-3137) SQL roles: add catalog support
[ https://issues.apache.org/jira/browse/DERBY-3137?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12563760#action_12563760 ] Daniel John Debrunner commented on DERBY-3137: -- In SpecialFunctionNode.java the data type for CURRENT_ROLE indicates it is not nullable, but I thought CURRENT_ROLE returned NULL if no role had been set? > SQL roles: add catalog support > -- > > Key: DERBY-3137 > URL: https://issues.apache.org/jira/browse/DERBY-3137 > Project: Derby > Issue Type: New Feature > Components: Security, SQL >Reporter: Dag H. Wanvik >Assignee: Dag H. Wanvik > Fix For: 10.4.0.0 > > Attachments: DERBY-3137-2.diff, DERBY-3137-2.stat, DERBY-3137-2.txt, > DERBY-3137-uuid.diff, DERBY-3137-uuid.stat, DERBY-3137.diff, DERBY-3137.diff, > DERBY-3137.stat, DERBY-3137.txt > > > As a next step after adding support for the roles syntax, I intend to > make a patch which implements catalog support for roles, > cf. SYS.SYSROLES described in the specification (attached to > DERBY-2207). Also the patch should tie this support up to the parser > support, so the role statements can be executed. Any privileges > granted to roles would still have no effect at run-time. -- This message is automatically generated by JIRA. - You can reply to this email to add a comment to the issue online.
[jira] Commented: (DERBY-3137) SQL roles: add catalog support
[ https://issues.apache.org/jira/browse/DERBY-3137?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12563793#action_12563793 ] Dag H. Wanvik commented on DERBY-3137: -- > In SpecialFunctionNode.java the data type for CURRENT_ROLE indicates it is > not nullable... Thanks for catching this! It's a bug. > SQL roles: add catalog support > -- > > Key: DERBY-3137 > URL: https://issues.apache.org/jira/browse/DERBY-3137 > Project: Derby > Issue Type: New Feature > Components: Security, SQL >Reporter: Dag H. Wanvik >Assignee: Dag H. Wanvik > Fix For: 10.4.0.0 > > Attachments: DERBY-3137-2.diff, DERBY-3137-2.stat, DERBY-3137-2.txt, > DERBY-3137-uuid.diff, DERBY-3137-uuid.stat, DERBY-3137.diff, DERBY-3137.diff, > DERBY-3137.stat, DERBY-3137.txt > > > As a next step after adding support for the roles syntax, I intend to > make a patch which implements catalog support for roles, > cf. SYS.SYSROLES described in the specification (attached to > DERBY-2207). Also the patch should tie this support up to the parser > support, so the role statements can be executed. Any privileges > granted to roles would still have no effect at run-time. -- This message is automatically generated by JIRA. - You can reply to this email to add a comment to the issue online.
[jira] Commented: (DERBY-3137) SQL roles: add catalog support
[ https://issues.apache.org/jira/browse/DERBY-3137?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12563798#action_12563798 ] Dag H. Wanvik commented on DERBY-3137: -- > If NULL is disallowed as a role name in SET ROLE then Derby should > follow that rule, not use NULL to mean NONE, especially when the SQL > standard was corrected to not allow the value expression to resolve to > the special meaning of NONE. So this would mean one could not set a role to NONE using a prepared statement with a ? marker, one would need a separate prepared statement for the NONE case. I don't see why the standard needs to be so strict here.. But I can tighten this up, sure. I agree with your general point thats its better to be tight now and then loosen up rather than vice versa. > Also for the TRIM case, I can't see any benefit to deviating from the > standard. Right, I did consider this, but was I stumped by the case of delimited identifiers: If such identifiers could legally contain leading or trailing blanks, one could not use them in a in set role statement? I chose to follow the example of the SET SCHEMA case, which is similary not compliant in this matter, AFAICT. Should that be tightened up as well? > SQL roles: add catalog support > -- > > Key: DERBY-3137 > URL: https://issues.apache.org/jira/browse/DERBY-3137 > Project: Derby > Issue Type: New Feature > Components: Security, SQL >Reporter: Dag H. Wanvik >Assignee: Dag H. Wanvik > Fix For: 10.4.0.0 > > Attachments: DERBY-3137-2.diff, DERBY-3137-2.stat, DERBY-3137-2.txt, > DERBY-3137-uuid.diff, DERBY-3137-uuid.stat, DERBY-3137.diff, DERBY-3137.diff, > DERBY-3137.stat, DERBY-3137.txt > > > As a next step after adding support for the roles syntax, I intend to > make a patch which implements catalog support for roles, > cf. SYS.SYSROLES described in the specification (attached to > DERBY-2207). Also the patch should tie this support up to the parser > support, so the role statements can be executed. Any privileges > granted to roles would still have no effect at run-time. -- This message is automatically generated by JIRA. - You can reply to this email to add a comment to the issue online.
[jira] Commented: (DERBY-3137) SQL roles: add catalog support
[ https://issues.apache.org/jira/browse/DERBY-3137?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12563830#action_12563830 ] Daniel John Debrunner commented on DERBY-3137: -- For the TRIM issue the standard says: 3a) Let S be and let V be the character string that is the value of TRIM ( BOTH ' ' FROM S ) 3b) If V does not conform to the Format and Syntax Rules of a , then an exception condition is raised: invalid role specification. Note V needs to conform to the *format and syntax rules* of a which is an . The discussion over system authorization and user names (DERBY-2109) made the case that this means the format of V is either a regular identifier or a delimited identifier. Ie. the value V needs to contain a regular or delimited identifier with delimited identifiers using double quotes, This would mean examples of valid parameters to a SET ROLE ? in a prepared statement are: ps.setString(1, "payadmin"); // Role CNF of PAYADMIN ps.setString(1, "PAYADMIN"); // Role CNF of PAYADMIN ps.setString(1, "\"salesadmin\""); // Role CNF of salesadmin ps.setString(1, "\" SPACEADMIN \""); // Role CNF of SPACEADMIN (surrounded by spaces on each side) Thus any valid identifier can be used in a value specification for SET ROLE. Now that doesn't match what SET SCHEMA does (which should follow the same rules as the SET ROLE) and thus SET SCHEMA is non-standard. If this is correct then it's a choice of following the standard or existing behaviour for a similar command. If we follow then standard then we would eventually reach a state where 9/10 follow the standard, if we follow the existing behaviour then we reach a state where 1/10 follow the standard. (Assuming they have similar syntax requirements, I haven't checked them all). > SQL roles: add catalog support > -- > > Key: DERBY-3137 > URL: https://issues.apache.org/jira/browse/DERBY-3137 > Project: Derby > Issue Type: New Feature > Components: Security, SQL >Reporter: Dag H. Wanvik >Assignee: Dag H. Wanvik > Fix For: 10.4.0.0 > > Attachments: DERBY-3137-2.diff, DERBY-3137-2.stat, DERBY-3137-2.txt, > DERBY-3137-uuid.diff, DERBY-3137-uuid.stat, DERBY-3137.diff, DERBY-3137.diff, > DERBY-3137.stat, DERBY-3137.txt > > > As a next step after adding support for the roles syntax, I intend to > make a patch which implements catalog support for roles, > cf. SYS.SYSROLES described in the specification (attached to > DERBY-2207). Also the patch should tie this support up to the parser > support, so the role statements can be executed. Any privileges > granted to roles would still have no effect at run-time. -- This message is automatically generated by JIRA. - You can reply to this email to add a comment to the issue online.
[jira] Commented: (DERBY-3137) SQL roles: add catalog support
[
https://issues.apache.org/jira/browse/DERBY-3137?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12563842#action_12563842
]
Daniel John Debrunner commented on DERBY-3137:
--
As a comparison SET ROLE behaves as follows for:
Postgres : Supports NONE. Role name is an identifier or a literal
quote: "PostgreSQL allows identifier syntax ("rolename"), while the SQL
standard requires the role name to be written as a string literal."
Oracle: Supports NONE. Role name seems to be only an identifier.
DB2: Does not support NONE. Role name seems to be only an identifier.
Also DB2's SET ROLE is used to verify membership of a role, it doesn't set
the current role (DB2 performs authorization based upon the user id).
The only commonality seems to be use of an identifier, which is not SQL
standard, though it's ok for Derby as a "de-facto" standard.
DB2 also reserves some roles for use as system roles, ie. any role beginning
with SYS. If we imagine a day when Derby might need builtin roles for system
administration it would be good to protect a namespace now, rather than
introducing one later.
> SQL roles: add catalog support
> --
>
> Key: DERBY-3137
> URL: https://issues.apache.org/jira/browse/DERBY-3137
> Project: Derby
> Issue Type: New Feature
> Components: Security, SQL
>Reporter: Dag H. Wanvik
>Assignee: Dag H. Wanvik
> Fix For: 10.4.0.0
>
> Attachments: DERBY-3137-2.diff, DERBY-3137-2.stat, DERBY-3137-2.txt,
> DERBY-3137-uuid.diff, DERBY-3137-uuid.stat, DERBY-3137.diff, DERBY-3137.diff,
> DERBY-3137.stat, DERBY-3137.txt
>
>
> As a next step after adding support for the roles syntax, I intend to
> make a patch which implements catalog support for roles,
> cf. SYS.SYSROLES described in the specification (attached to
> DERBY-2207). Also the patch should tie this support up to the parser
> support, so the role statements can be executed. Any privileges
> granted to roles would still have no effect at run-time.
--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
[jira] Commented: (DERBY-3137) SQL roles: add catalog support
[ https://issues.apache.org/jira/browse/DERBY-3137?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12564039#action_12564039 ] Dag H. Wanvik commented on DERBY-3137: -- So, to clarify further, the following would be equivalent: ps.setString(1, "\" SPACEADMIN \""); // Role CNF of SPACEADMIN (surrounded by spaces on each side) ps.setString(1, " \" SPACEADMIN \" "); // Role CNF of SPACEADMIN (surrounded by spaces on each side). TRIMable space in value string I am OK with moving towards stricter adherence here; I'll make an update patch. Thanks for the suggestion on reserving namespace. Since Derby uses SYS as a reserved schema name, I guess the "SYS-" prefix is as good as any. I'll add this to the specification and make an update patch. > SQL roles: add catalog support > -- > > Key: DERBY-3137 > URL: https://issues.apache.org/jira/browse/DERBY-3137 > Project: Derby > Issue Type: New Feature > Components: Security, SQL >Reporter: Dag H. Wanvik >Assignee: Dag H. Wanvik > Fix For: 10.4.0.0 > > Attachments: DERBY-3137-2.diff, DERBY-3137-2.stat, DERBY-3137-2.txt, > DERBY-3137-uuid.diff, DERBY-3137-uuid.stat, DERBY-3137.diff, DERBY-3137.diff, > DERBY-3137.stat, DERBY-3137.txt > > > As a next step after adding support for the roles syntax, I intend to > make a patch which implements catalog support for roles, > cf. SYS.SYSROLES described in the specification (attached to > DERBY-2207). Also the patch should tie this support up to the parser > support, so the role statements can be executed. Any privileges > granted to roles would still have no effect at run-time. -- This message is automatically generated by JIRA. - You can reply to this email to add a comment to the issue online.
[jira] Commented: (DERBY-3137) SQL roles: add catalog support
[ https://issues.apache.org/jira/browse/DERBY-3137?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12564101#action_12564101 ] Daniel John Debrunner commented on DERBY-3137: -- SYS- (with the hyphen) means the reserved system roles would be delimited identifiers, would it not be simpler to have ones that can be described using regular identifiers? > SQL roles: add catalog support > -- > > Key: DERBY-3137 > URL: https://issues.apache.org/jira/browse/DERBY-3137 > Project: Derby > Issue Type: New Feature > Components: Security, SQL >Reporter: Dag H. Wanvik >Assignee: Dag H. Wanvik > Fix For: 10.4.0.0 > > Attachments: DERBY-3137-2.diff, DERBY-3137-2.stat, DERBY-3137-2.txt, > DERBY-3137-uuid.diff, DERBY-3137-uuid.stat, DERBY-3137.diff, DERBY-3137.diff, > DERBY-3137.stat, DERBY-3137.txt > > > As a next step after adding support for the roles syntax, I intend to > make a patch which implements catalog support for roles, > cf. SYS.SYSROLES described in the specification (attached to > DERBY-2207). Also the patch should tie this support up to the parser > support, so the role statements can be executed. Any privileges > granted to roles would still have no effect at run-time. -- This message is automatically generated by JIRA. - You can reply to this email to add a comment to the issue online.
[jira] Commented: (DERBY-3137) SQL roles: add catalog support
[ https://issues.apache.org/jira/browse/DERBY-3137?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12564133#action_12564133 ] Daniel John Debrunner commented on DERBY-3137: -- I'm still struggling with the SQL Standard here for SET ROLE (and identifiers in general): 3a) Let S be and let V be the character string that is the value of TRIM ( BOTH ' ' FROM S ) 3b) If V does not conform to the Format and Syntax Rules of a , then an exception condition is raised: invalid role specification. DERBY-2109 discussion implied that this means the format of V needs to be that of a SQL identifier (regular or delimited). Now CURRENT_ROLE is a valid , does this mean CURRENT_ROLE needs to return the role name as SQL identifier, instead of the CNF of the role name? The spec says "value of the current role". I'm not convinced that the conclusion in DERBY-2109 is correct, seems more logical to me that V here should be the CNF of the role name. Section 5.2 SR 24) says the CNF of a regular identifier is used in the system catalogs, thus if CURRENT_ROLE is to be used in queries against the catalogs it has to return the CNF of the role name. Which then contradicts SET ROLE and value specification. I can't see any explicit statement about what the "value of the current role" means, or the more general "value of an identifier". > SQL roles: add catalog support > -- > > Key: DERBY-3137 > URL: https://issues.apache.org/jira/browse/DERBY-3137 > Project: Derby > Issue Type: New Feature > Components: Security, SQL >Reporter: Dag H. Wanvik >Assignee: Dag H. Wanvik > Fix For: 10.4.0.0 > > Attachments: DERBY-3137-2.diff, DERBY-3137-2.stat, DERBY-3137-2.txt, > DERBY-3137-uuid.diff, DERBY-3137-uuid.stat, DERBY-3137.diff, DERBY-3137.diff, > DERBY-3137.stat, DERBY-3137.txt > > > As a next step after adding support for the roles syntax, I intend to > make a patch which implements catalog support for roles, > cf. SYS.SYSROLES described in the specification (attached to > DERBY-2207). Also the patch should tie this support up to the parser > support, so the role statements can be executed. Any privileges > granted to roles would still have no effect at run-time. -- This message is automatically generated by JIRA. - You can reply to this email to add a comment to the issue online.
[jira] Commented: (DERBY-3137) SQL roles: add catalog support
[ https://issues.apache.org/jira/browse/DERBY-3137?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12564259#action_12564259 ] Dag H. Wanvik commented on DERBY-3137: -- > SYS- (with the hyphen) means the reserved system roles would be delimited > identifiers, would it not be simpler to have ones that can be described using > regular identifiers? Sorry for the confusion, thats what I meant: "SYS". No hyphen. > SQL roles: add catalog support > -- > > Key: DERBY-3137 > URL: https://issues.apache.org/jira/browse/DERBY-3137 > Project: Derby > Issue Type: New Feature > Components: Security, SQL >Reporter: Dag H. Wanvik >Assignee: Dag H. Wanvik > Fix For: 10.4.0.0 > > Attachments: DERBY-3137-2.diff, DERBY-3137-2.stat, DERBY-3137-2.txt, > DERBY-3137-uuid.diff, DERBY-3137-uuid.stat, DERBY-3137.diff, DERBY-3137.diff, > DERBY-3137.stat, DERBY-3137.txt > > > As a next step after adding support for the roles syntax, I intend to > make a patch which implements catalog support for roles, > cf. SYS.SYSROLES described in the specification (attached to > DERBY-2207). Also the patch should tie this support up to the parser > support, so the role statements can be executed. Any privileges > granted to roles would still have no effect at run-time. -- This message is automatically generated by JIRA. - You can reply to this email to add a comment to the issue online.
[jira] Commented: (DERBY-3137) SQL roles: add catalog support
[ https://issues.apache.org/jira/browse/DERBY-3137?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12564270#action_12564270 ] Dag H. Wanvik commented on DERBY-3137: -- Re: identifiers vs CNF: Indeed confusing. I think I was under the impression the would yield a CNF value, which is why I added the extra syntax for using identifers also, like SET SCHEMA does. This is why I was wary of the TRIM I think; a CNF value would not have any protective text quotes around it. One interpretation of 5.2 SR 24 could be that CNF values is only ever available as a string value in queries against the system tables? It would then behoove the app to take into account when comparing, but perhaps it would simplify things on the whole? Or maybe the standard intends for a comparison of CURRENT_ROLE against information schemas to be an identifer comparison, not a string comparison.. in which case the standard is inconsistent I think. > SQL roles: add catalog support > -- > > Key: DERBY-3137 > URL: https://issues.apache.org/jira/browse/DERBY-3137 > Project: Derby > Issue Type: New Feature > Components: Security, SQL >Reporter: Dag H. Wanvik >Assignee: Dag H. Wanvik > Fix For: 10.4.0.0 > > Attachments: DERBY-3137-2.diff, DERBY-3137-2.stat, DERBY-3137-2.txt, > DERBY-3137-uuid.diff, DERBY-3137-uuid.stat, DERBY-3137.diff, DERBY-3137.diff, > DERBY-3137.stat, DERBY-3137.txt > > > As a next step after adding support for the roles syntax, I intend to > make a patch which implements catalog support for roles, > cf. SYS.SYSROLES described in the specification (attached to > DERBY-2207). Also the patch should tie this support up to the parser > support, so the role statements can be executed. Any privileges > granted to roles would still have no effect at run-time. -- This message is automatically generated by JIRA. - You can reply to this email to add a comment to the issue online.
[jira] Commented: (DERBY-3137) SQL roles: add catalog support
[ https://issues.apache.org/jira/browse/DERBY-3137?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12571353#action_12571353 ] Dag H. Wanvik commented on DERBY-3137: -- Bug fix in CreateRoleConstantAction committed as svn 630150. > SQL roles: add catalog support > -- > > Key: DERBY-3137 > URL: https://issues.apache.org/jira/browse/DERBY-3137 > Project: Derby > Issue Type: New Feature > Components: Security, SQL >Reporter: Dag H. Wanvik >Assignee: Dag H. Wanvik > Fix For: 10.4.0.0 > > Attachments: DERBY-3137-2.diff, DERBY-3137-2.stat, DERBY-3137-2.txt, > DERBY-3137-uuid.diff, DERBY-3137-uuid.stat, DERBY-3137.diff, DERBY-3137.diff, > DERBY-3137.stat, DERBY-3137.txt > > > As a next step after adding support for the roles syntax, I intend to > make a patch which implements catalog support for roles, > cf. SYS.SYSROLES described in the specification (attached to > DERBY-2207). Also the patch should tie this support up to the parser > support, so the role statements can be executed. Any privileges > granted to roles would still have no effect at run-time. -- This message is automatically generated by JIRA. - You can reply to this email to add a comment to the issue online.
