[ https://issues.apache.org/jira/browse/DERBY-2250?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#action_12466088 ]

Rick Hillegas commented on DERBY-2250:
--------------------------------------

Thanks for the quick feedback, Dan. Another set of eyes on the SQL spec would
be very helpful. This was my reading of the spec and my reasoning:

I was looking at the Syntax Rules in section 10.3 (Revoke Statement) of part 13
of the SQL Standard.

o As I read this section, item (3) says that a jar file A is "impacted" by
  REVOKE USAGE ON JAR B if B appears in A's JAVA_CLASS_PATH.
o Item (5) says that REVOKE USAGE ON B ... RESTRICT should fail if any jar
  files are "impacted".
o I thought that Derby only supported RESTRICTed REVOKEs today.
o So, until we support cascaded REVOKEs, a REVOKE USAGE statement should fail
  if it "impacts" other jar files.

If this reasoning seems correct, then your question suggests that the spec for
this JIRA needs to require the RESTRICT clause on REVOKE USAGE statements.

> Implement USAGE privilege for Jar files
> ---------------------------------------
>
> Key: DERBY-2250
> URL: https://issues.apache.org/jira/browse/DERBY-2250
> Project: Derby
> Issue Type: New Feature
> Components: Security, SQL
> Reporter: Rick Hillegas
> Fix For: 10.3.0.0
>
> Attachments: jarUsage.html
>
>
> Implement the USAGE privilege for jar files and require this privilege on
> jars wired into the derby.database.classpath. These are the first two tasks
> in the closing "Improving Java Routine Security in 10.3 onwards" section of
> the wiki page on Java routine security:
> http://wiki.apache.org/db-derby/JavaRoutineSecurity