Re: [Firebird-devel] usage privileges

2015-03-29 Thread Dimitry Sibiryakov
29.03.2015 16:31, Alex Peshkoff wrote:
> The main problem I see in current code is that we already have a command:
> grant usage on sequence gen_name to some_user;
> but it does not affect user rights to access gen_name - generators may
> be accessed with this command or without it (i.e. as it was before).

Isn't this the first grant in database?.. Full access to everything till the
first grant is the legacy behaviour.

-- 
   WBR, SD.

--
Dive into the World of Parallel Programming The Go Parallel Website, sponsored
by Intel and developed in partnership with Slashdot Media, is your hub for all
things parallel software development, from weekly thought leadership blogs to
news, videos, case studies, tutorials and more. Take a look and join the 
conversation now. http://goparallel.sourceforge.net/
Firebird-Devel mailing list, web interface at 
https://lists.sourceforge.net/lists/listinfo/firebird-devel


Re: [Firebird-devel] usage privileges

2015-03-29 Thread Alex Peshkoff
On 03/29/15 17:19, Ann Harrison wrote:
> On Mar 29, 2015, at 8:58 AM, Alex Peshkoff peshk...@mail.ru wrote:
>
>> Currently access to sequences/generators and exceptions is not limited,
>> i.e. a user not explicitly granted any rights can access sequences and
>> exceptions. I wonder - who added those privileges in such a way? Is it WIP
>> or a bug that requires fixing?
> I can only speak to generators which were added a long time ago.  At that
> time, InterBase had two security models - a permissive mode that assumed all
> usage and allowed the administrator to restrict access, and the beginning of
> the SQL model which was used only to the extent it was defined in the
> standard, which didn't recognize generators.  So all access was allowed to
> generators by default.  I guess if somebody had asked, we'd have added the
> ability to restrict access.
>
> Adding SQL style permissions will require some thought, since nobody has
> granted all rights to all on generators and suddenly restricting access to
> them will be a serious nuisance.

I remember that the GDML security model enabled all access by default. And
we have lived with all generators available by default for many years.
The main problem I see in current code is that we already have a command:
grant usage on sequence gen_name to some_user;
but it does not affect user rights to access gen_name - generators may
be accessed with this command or without it (i.e. as it was before). I.e.
it looks like somebody started with limiting access to generators but did
not complete that job.





Re: [Firebird-devel] usage privileges

2015-03-29 Thread Alex Peshkoff
On 03/29/15 17:35, Dimitry Sibiryakov wrote:
> 29.03.2015 16:31, Alex Peshkoff wrote:
>> The main problem I see in current code is that we already have a command:
>> grant usage on sequence gen_name to some_user;
>> but it does not affect user rights to access gen_name - generators may
>> be accessed with this command or without it (i.e. as it was before).
> Isn't this the first grant in database?..

No.

> Full access to everything till the first
> grant is the legacy behaviour.





Re: [Firebird-devel] usage privileges

2015-03-29 Thread Ann Harrison

> On Mar 29, 2015, at 8:58 AM, Alex Peshkoff peshk...@mail.ru wrote:
>
> Currently access to sequences/generators and exceptions is not limited,
> i.e. a user not explicitly granted any rights can access sequences and
> exceptions. I wonder - who added those privileges in such a way? Is it WIP
> or a bug that requires fixing?

I can only speak to generators which were added a long time ago.  At that time, 
InterBase had two security models - a permissive mode that assumed all usage 
and allowed the administrator to restrict access, and the beginning of the SQL 
model which was used only to the extent it was defined in the standard, which 
didn't recognize generators.  So all access was allowed to generators by 
default.  I guess if somebody had asked, we'd have added the ability to 
restrict access.

Adding SQL style permissions will require some thought, since nobody has 
granted all rights to all on generators and suddenly restricting access to them 
will be a serious nuisance.

Cheers,

Ann
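
Added example, not part of the original messages and not Firebird project code: an audit query for the migration concern raised above, listing user-defined sequences and exceptions that have no explicit USAGE grant to anyone other than their owner. It assumes Firebird 3 system tables, where USAGE is stored in RDB$USER_PRIVILEGES as privilege 'G' with object type 14 for generators and 7 for exceptions.

```sql
-- Added example (assumes Firebird 3 system tables; not code from the thread).
-- Every object returned here is reachable today only through the permissive
-- default, so it needs a GRANT USAGE decision before enforcement is enabled.
SELECT 'SEQUENCE'                  AS object_kind,
       TRIM(g.RDB$GENERATOR_NAME)  AS object_name,
       TRIM(g.RDB$OWNER_NAME)      AS owner_name
FROM RDB$GENERATORS g
WHERE COALESCE(g.RDB$SYSTEM_FLAG, 0) = 0            -- skip system generators
  AND NOT EXISTS (
        SELECT 1
        FROM RDB$USER_PRIVILEGES p
        WHERE p.RDB$RELATION_NAME = g.RDB$GENERATOR_NAME
          AND p.RDB$OBJECT_TYPE   = 14               -- generator / sequence
          AND p.RDB$PRIVILEGE     = 'G'              -- USAGE
          AND p.RDB$USER <> COALESCE(g.RDB$OWNER_NAME, ''))

UNION ALL

SELECT 'EXCEPTION',
       TRIM(e.RDB$EXCEPTION_NAME),
       TRIM(e.RDB$OWNER_NAME)
FROM RDB$EXCEPTIONS e
WHERE COALESCE(e.RDB$SYSTEM_FLAG, 0) = 0            -- skip system exceptions
  AND NOT EXISTS (
        SELECT 1
        FROM RDB$USER_PRIVILEGES p
        WHERE p.RDB$RELATION_NAME = e.RDB$EXCEPTION_NAME
          AND p.RDB$OBJECT_TYPE   = 7                -- exception
          AND p.RDB$PRIVILEGE     = 'G'              -- USAGE
          AND p.RDB$USER <> COALESCE(e.RDB$OWNER_NAME, ''))

ORDER BY 1, 2;
```

An empty result means every sequence and exception already has at least one non-owner USAGE grant recorded.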