Satheesh Bandaram wrote: > I am not sure if previous discussion about migrating a legacy mode > database to Grant Revoke model was finalized. It seems there were two > thoughts: > > 1. Keep authorization models separate. Legacy mode database can be > migrated to sqlStandard model by connecting with a URL property. > (sqlAuthorization=true) > 2. Dan proposed combining both models with Grant and Revoke > capability being seen as adding fine-grain access control on top > of current model. While this proposal doesn't impact Grant and > Revoke work being done currently by much, it may have implications > on some future work. (like system privileges) This does make it > easier for existing databases to adapt new capabilities.
I guess I don't understand how 1) is useful. In this mode by adding grant/revoke in its current form you are removing key authorization options. For example if I'm using an LDAP authentication scheme I won't be able to limt the set of authenticated LDAP users who can connect to my database. I can do that now, and with 2) I can do that and have more fine grained authorization. Dan.
