[ http://issues.apache.org/jira/browse/DERBY-866?page=comments#action_12364090 ]
Francois Orsini commented on DERBY-866:
---------------------------------------

> Daniel John Debrunner commented on DERBY-866:
> ---------------------------------------------
>
> I see the argument for DDL, maybe the create user could be like
>
> CREATE USER <username> IDENTIFIED BY PASSWORD <password>
>
> basically the addition of the PASSWORD keyword would make future enhancements
> more in line, e.g.
>
> CREATE USER <username> IDENTIFIED BY LDAP <ldap stuff>
>
> Maybe the SYSUSERS table could have a column indicating the authentication
> style, BUILTIN/LDAP/java class name etc.
>

Yes it could - I somewhat tried to avoid this as we have a pluggable authentication scheme so additional custom-created auth providers would not have the proper grammar defined (unless they are part of Derby where the grammar can always be extended to support a new one) - But a new auth provider can just be implemented outside of Derby, hence we would also need to map to the custom auth providers out there - but if we have a column with the authentication provider name, then we can expect to have the proper user login info as part of the 'IDENTIFIED BY' clause without any extra specific auth type keyword... In this case, the password column can just be renamed to something else (i.e. AUTH_INFO), in order to support *not* just a password value but other types of info (it would be a VARCHAR after all) for the other providers.

_or_ based on what you're suggesting we could still have:

// Built-In
CREATE USER <username> IDENTIFIED BY PASSWORD <password>

// LDAP (mapping)
CREATE USER <username> IDENTIFIED BY LDAP <ldap stuff>

// PAM (mapping)
CREATE USER <username> IDENTIFIED BY PAM <pam stuff>

// CUSTOM Auth Provider (mapping) - External keyword used for that purpose here
CREATE USER <username> IDENTIFIED BY EXTERNAL <custom stuff>

> BUILT-IN Derby User Management (DDL) Enhancements
> -------------------------------------------------
>
>          Key: DERBY-866
>          URL: http://issues.apache.org/jira/browse/DERBY-866
>      Project: Derby
>         Type: Improvement
>   Components: Security
>     Versions: 10.2.0.0
>     Reporter: Francois Orsini
>      Fix For: 10.2.0.0
>  Attachments: Derby_User_Enhancement.html
>
> Proposal to enhance Derby's Built-In DDL User Management. (See proposal spec
> attached to the JIRA).
> Abstract:
> This feature aims at improving the way BUILT-IN users are managed in Derby by
> providing a more intuitive and familiar DDL interface. Currently (in
> 10.1.2.1), Built-In users can be defined at the system and/or database level.
> Users created at the system level can be defined via JVM or/and Derby system
> properties in the derby.properties file. Built-in users created at the
> database level are defined via a call to a Derby system procedure
> (SYSCS_UTIL.SYSCS_SET_DATABASE_PROPERTY) which sets a database property.
> Defining a user at the system level is very convenient and practical during
> the development phase (EOD) of an application - However, the user's password
> is not encrypted and consequently appears in clear in the derby.properties
> file. Hence, for an application going into production, whether it is embedded
> or not, it is preferable to create users at the database level where the
> password is encrypted.
> There is no real ANSI SQL standard for managing users in SQL but by providing
> a more intuitive and known interface, it will ease Built-In User management
> at the database level as well as Derby's adoption.
