David Van Couvering wrote:
Rick Hillegas (JIRA) wrote:
2) Unfamiliar api. Oracle, DB2, Postgres, and MySQL all handle system
privileges in different ways. Picking one of these models would still
result in an api that's unfamiliar to many people. That said, these
databases do tend to use GRANT/REVOKE for system privileges, albeit
each in its own peculiar fashion. I agree that GRANT/REVOKE is an
easier model to learn than Java Security. I think however, that the
complexity of Java Security is borne by the derby-dev developer, not
by the customer. Creating a policy file is very easy and our user
documentation gives simple examples which the naive user can just
crib. With adequate user documentation, I think this approach would
be straightforward for the customer.
I must respectfully disagree that "creating a policy file is very
easy." I think it's a royal PITA - the syntax is complex,
nonintuitive and unforgiving.
Can we provide a GRANT/REVOKE interface on top of an implementation
that uses JAAS?
Hi David,
Can you describe what you have in mind in greater detail? In our earlier
discussions, we wanted to avoid using GRANT/REVOKE to manage system
privileges. This is because this solution seemed to imply creating a
master database in which to store the system-wide privileges. Are you
suggesting:
1) That we use GRANT/REVOKE to edit the policy file and provide some
VTIs for inspecting it?
2) That we provide a master database and GRANT/REVOKE in addition to the
JAAS solution?
3) Something else?
Thanks,
-Rick
