[ http://issues.apache.org/jira/browse/DERBY-1057?page=comments#action_12427580 ]

Satheesh Bandaram commented on DERBY-1057:
------------------------------------------

I am looking at dev Guide. Here are some of the comments:

> Notes on user authorization
>
> Authorization properties are set when a connection is established.
> Changes to any of the authorization properties during a connection, are not
> in affect until a new connection is established.

I don't think that is correct. I thought we decided authorization would be used to define Derby Authorization or SQL Standard Authorization (with GRANT/REVOKE). Authorization is set for new database by either setting the sqlAuthorization as system property or by connecting to existing database and setting it as database property. Deepa provided a link earlier that describes this better.

> User authorization exceptions
>
> SQL exceptions are returned when errors occur with user authorizations.
>
> Derby validates the database properties when you set the properties. An
> exception is returned if you specify an invalid value
> when you set these properties.

I think here we need to talk about some of the exceptions. It is possible to set derby.database.sqlAuthorization to true, which enables GRANT/REVOKE, but once the property is set to true as a database property, it cannot be set to FALSE. So once a database is switched to SQL authorization, it can be set back to Derby authorization.

> Grant and revoke user authorizations
>
> When the SQL standard authorization mode is enabled, object owners can use
> the GRANT and REVOKE SQL statements
> to set the user permissions for specific database objects or for specific SQL
> actions.

It may be best to describe this section as 'SQL Standard Authorization'.

In the same page:

> The GRANT statement is used to grant specific permissions to users. The
> REVOKE statement is used to revoke permissions.
> Only the owner of an object can grant or revoke the following privileges on
> that object:

I am updating functional spec to say 'only the owner of an object or database owner' can grant or revoke ....'

> The SELECT privilege is later revoked from harry, but Harry has access to
> table t through the PUBLIC privilege.

Are we missing an IF in the statement? If Select privilege is later revoked from harry, Harry can still access table t using PUBLIC privilege.

> To enable SQL standard authorization, set the derby.database.sqlAuthorization
> property to TRUE. For example:
>
> CALL SYSCS_UTIL.SYSCS_SET_DATABASE_PROPERTY(
>     'derby.database.sqlAuthorization',
>     'true')

I think we also need to talk about another way to enable SQL Standard authorization... as mentioned above. (Through setting of the property as system property that automatically creates all new databases in SQL Standard authorization)

I am assuming topics that talk about 'defaultConnectionMode' should already be in the manuals and are NOT new. If they are new, we would need to review it more carefully. Same with 'Working with Authentication'. Are these new sections? No changes are made here, so there should be no need to add these sections.

> User authorizations
>
> When you specify user authorizations, Derby verifies that a user has been
> granted permission to access a system,
> database, object, or SQL action.
>
> There are two types of user authorization in Derby, connection authorization
> and grant authorization.
> Connection authorization specifies the access that users have to connect to a
> system or database. SQL authorization
> controls the permissions that users have on database objects or for SQL
> actions. You can set the user authorization properties
> in Derby as system-level properties or database-level properties.

I think we agreed that we will not use 'connection authorization', instead only refer to 'connection access mode'.

> The user authorization properties are:

I would rather say 'Properties that affect authorization are:'

That is all the comments I have on developer guide. Thanks for working on documenting GRANT/REVOKE.

> documentation to address Grant/Revoke (Derby-464)
> -------------------------------------------------
>
>                 Key: DERBY-1057
>                 URL: http://issues.apache.org/jira/browse/DERBY-1057
>             Project: Derby
>          Issue Type: Sub-task
>          Components: Documentation
>    Affects Versions: 10.0.2.0
>            Reporter: Eric Radzinski
>         Assigned To: Laura Stewart
>             Fix For: 10.2.0.0
>
>         Attachments: derby1057_devguide.diff, derby1057_devguide3.diff,
> derby1057_devguide_html.zip, derby1057_devguide_html3.zip,
> derby1057_ref.diff, derby1057_ref3.diff, derby1057_ref_html.zip,
> derby1057_tuning3.diff, derby1057_tuning4.diff, derby1057_tuning_html.zip,
> derby1058_ref_html3.zip, devguide_html2.zip, ref_html2.zip,
> rtunpropersqlauth.html
>
>

--
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators: http://issues.apache.org/jira/secure/Administrators.jspa
-
For more information on JIRA, see: http://www.atlassian.com/software/jira
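
An added example, not part of the original comment or of the Derby manuals, showing the behaviour discussed above: enabling SQL standard authorization as a database property, and auditing why a user keeps SELECT access through PUBLIC after an individual REVOKE. The table `t`, its columns and the user `harry` are constructed for illustration; it assumes a connection as the owner of `t` with authentication already enabled, and that the database has been restarted after step 1 so the property is in effect.

```sql
-- 1. Enable SQL standard authorization as a database property.
--    Per the comment above, once this is 'true' as a database property
--    it cannot be set to FALSE, so treat it as a one-way change.
CALL SYSCS_UTIL.SYSCS_SET_DATABASE_PROPERTY(
    'derby.database.sqlAuthorization', 'true');

--    The other route mentioned in the comment: set
--    derby.database.sqlAuthorization=true as a system property (for example
--    in derby.properties) before the database is created, so that new
--    databases start in SQL standard authorization mode.

-- 2. Confirm what is stored in the database.
VALUES SYSCS_UTIL.SYSCS_GET_DATABASE_PROPERTY(
    'derby.database.sqlAuthorization');

-- 3. Reproduce the PUBLIC scenario from the dev guide text (constructed table).
CREATE TABLE t (id INT PRIMARY KEY, note VARCHAR(64));
GRANT SELECT ON TABLE t TO PUBLIC;
GRANT SELECT ON TABLE t TO harry;
REVOKE SELECT ON TABLE t FROM harry;

-- 4. Audit the remaining table-level grants. A row with GRANTEE = 'PUBLIC'
--    means every user, harry included, can still read t.
SELECT p.GRANTEE, p.GRANTOR, p.SELECTPRIV
FROM SYS.SYSTABLEPERMS p
JOIN SYS.SYSTABLES tb ON tb.TABLEID = p.TABLEID
WHERE tb.TABLENAME = 'T';

-- 5. To actually remove harry's read access, the PUBLIC grant has to go,
--    and SELECT is then re-granted only to the users who need it.
REVOKE SELECT ON TABLE t FROM PUBLIC;
```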
