On 1/16/06, Satheesh Bandaram <[EMAIL PROTECTED]> wrote:
Yes it does.
Yes it would indeed.
Francois Orsini wrote:
Great... Would love to see more details.
Yes and I will be posting more details very soon.
This is a good point. Applications would see differences so probably not OK. I was trying to combine both authorization models without having to worry about when to switch the model and to remove ambiguities.If we are proposing combining both authorization models, why not go the whole way and say Grant/Revoke is always enabled in a 10.2 database? If applications want to keep their current authorization model, they don't need to use new fine-grained access control allowed by grant/revoke. This preserves legacy model for them.
If Grant/Revoke is always enabled but there is no metadata (including legacy one), then I believe a user would not have access by default to anything except his/her own schema (objects). By default, when no legacy permissions are set, the default access for a database is full (read-write) access, which would be different for Grant/Revoke whereas explicit privileges have to be granted for a user to access a table that is not his/her - Again we're dealing with different semantics across modes which IMHO should not be mixed.
This matches what Dan proposed as "option A", right?
10.2 databases could use grant/revoke to get more control over access to their objects. Hopefully Derby will also have system privileges and roles to complete this model at some point. This proposal removes the need to have another property, like 'derby.database.sqlAuthorization'. One advantage I see with this is that we don't need to handle the case of someone issuing Grant/Revoke with sqlAuthorization set to false and trying to find appropriate time to switch the authorization scheme.
This case/scenario would indeed be very good for users to prepare and switch to sqlAuthorization when all the metadata is there - meaning they would have issued all the required Grant/Revoke statements to satisfy what they had with the legacy mode (*assuming* there is support for Roles and System privileges which is something I'm working on) - it is a nice way for people to migrate from legacy to grant/revoke IMO.
Yes it does.
Sounds nice... Would love to see more details. Would this satisfy Dan's concerns?Once issue I see is how to handle EXTERNAL SECURITY clause in this combined authorization model. Current legacy databases have EXTERNAL SECURITY set to INVOKER, where as my proposal calls for changing this to DEFINER. This could be seen as changing the behavior of Derby without sufficient warning. We could address this by one of the following:
- Automatically moving existing routines to INVOKER security mode during database upgrade to 10.2 and making all new routine creation mandating specifying this security clause. (No default) Would help users to consider one or the other model. We could add a default for this clause to DEFINER (as specified by ANSI) later.
- Move existing routines to INVOKER during upgrade and by switching default behavior to DEFINER with sufficient warning messages to release notes and by raising SQL warning if a default mode of DEFINER is picked.
- Any other suggestions?
My suggestion would be not to mix 2 different authorization modes unless we absolutely have to, if it does not impact performance and does not add too much complexity to the runtime permission checking logic.
As a first phase for Roles and System privileges support (which are independent), am working on implementing what is required at a minimum to support what's there in legacy to be available with Grant/Revoke as well as adding critical and minimal System privileges that have to be supported in Derby.
Yes it would indeed.
Satheesh
It would be good to drive to a decision soon. I am making progress on second part of Grant/Revoke, implementing the permission scheme enforcement.
Satheesh
