[ http://issues.apache.org/jira/browse/DERBY-464?page=comments#action_12367255 ]
Satheesh Bandaram commented on DERBY-464:
-----------------------------------------
Dan asked:
Another quote from the spec
<quote>
A table may only be created or dropped by the owner of the table's schema.
Table creation permission is not grantable. (This is the SQL2003 spec)
</quote>
Is there a reference, page number or section number, for the comment about the
SQL2003 spec?
This is the best reference I can find in SQL 2003 spec. It is indirectly
implied.... says persistent objects described by the (schema) descriptors are
said to be owned by or to have been created by the authorizationID of the
schema. Also, I couldn't find a privilege that can be granted to create tables.
4.20 SQL-schemas
An SQL-schema is a persistent descriptor that includes:
— The name of the SQL-schema.
— The <authorization identifier> of the owner of the SQL-schema.
...........................................
In this part of ISO/IEC 9075, the term "schema" is used only in the sense of
SQL-schema. The persistent objects described by the descriptors are said to be
owned by or to have been created by the <authorization identifier> of the
schema. Each component descriptor is one of:
— A domain descriptor.
— A base table descriptor.
— A view descriptor.
— A constraint descriptor.
> Enhance Derby by adding grant/revoke support. Grant/Revoke provide finer
> level of privileges than currently provided by Derby that is especially
> useful in network configurations.
> -----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
>
> Key: DERBY-464
> URL: http://issues.apache.org/jira/browse/DERBY-464
> Project: Derby
> Type: New Feature
> Components: SQL
> Versions: 10.0.2.1, 10.1.1.0, 10.2.0.0
> Environment: generic
> Reporter: Satheesh Bandaram
> Assignee: Satheesh Bandaram
> Attachments: GrantRevokePartII.txt, grantRevoke.patch.Dec5,
> grantRevoke.stat.Dec5, grantRevokeSpec.html
>
> Derby currently provides a very simple permissions scheme, which is quite
> suitable for an embedded database system. End users of embedded Derby do not
> see Derby directly; they talk to an application that embeds Derby. So Derby
> left most of the access control work to the application. Under this scheme,
> Derby limits access on a per database or per system basis. A user can be
> granted full, read-only, or no access.
> This is less suitable in a general purpose SQL server. When end users or
> diverse applications can issue SQL commands directly against the database,
> Derby must provide more precise mechanisms to limit who can do what with the
> database.
> I propose to enhance Derby by implementing a subset of grant/revoke
> capabilities as specified by the SQL standard. I envision this work to
> involve the following tasks, at least:
> 1) Develop a specification of what capabilities I would like to add to Derby.
> 2) Provide a high level implementation scheme.
> 3) Pursue a staged development plan, with support for DDL added to Derby
> first.
> 4) Add support for runtime checking of these privileges.
> 5) Address migration and upgrade issues from previous releases and from old
> scheme to newer database.
> Since I think this is a large task, I would like to invite any interested
> people to work with me on this large and important enhancement to Derby.
--
This message is automatically generated by JIRA.