[ http://issues.apache.org/jira/browse/DERBY-1522?page=comments#action_12425338 ] Satheesh Bandaram commented on DERBY-1522: ------------------------------------------
1) Mamta says: "after the upgrade, all the existing schemas and objects in them should be owned by the dba and any other users will need to have permissions granted to them by the dba." Don't think that is true... Even in Derby authorization mode, schemas created by regular users have their authorizationId recorded in sysschemas. Derby authorization mode only recognises fullAccessUsers (who can modify any object owned by anyone) or readOnlyAccess or no access. But once switching to SQL authorization mode, only schema owners would have access to objects in their schema and others would need explicit GRANT from schema owner to be able to access them. As far as additional testing for switching from Derby authorization mode to SQL mode, tests to cover include new restrictions we currently have on SQL authorization mode and to make sure they are actually enforced correctly. Some of the items to check, after switching to SQL authorization mode, include 1) Only owners can access their objects 2) regular users can only create a schema that matches their authorizationId 3) Database owner can access any object in the system 4) definer model being correctly enforced etc. 5) Access to many system routines are restricted 6) Cann't switch mode back to Derby authorization Thanks Deepa for looking at DERBY-1544. > Switch(if supported) from Derby Authorization to Derby SQL Standard > Authorization needs to be tested > ---------------------------------------------------------------------------------------------------- > > Key: DERBY-1522 > URL: http://issues.apache.org/jira/browse/DERBY-1522 > Project: Derby > Issue Type: Task > Components: JDBC > Affects Versions: 10.2.0.0 > Reporter: Mamta A. Satoor > Fix For: 10.2.0.0 > > > There has been discussions on the Derby-dev list about switch from Derby > Authorization to Derby SQL Standard Authorization for existing databases. If > we do decide to support a switch like that, testing needs to be done/added to > make sure everything works fine after the switch. > ps I have added this JIRA entry to JDBC component but I am not 100% sure if > that is the right component. -- This message is automatically generated by JIRA. - If you think it was sent incorrectly contact one of the administrators: http://issues.apache.org/jira/secure/Administrators.jspa - For more information on JIRA, see: http://www.atlassian.com/software/jira
