[
https://issues.apache.org/jira/browse/DERBY-3193?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12658704#action_12658704
]
Kim Haase commented on DERBY-3193:
----------------------------------
Thanks, Dag, for these really helpful comments. I think I've implemented them
and will file another patch tomorrow. I do have a few comments and questions.

Definition of role containment:

"A role contains another role if that role is granted to it, or is contained in
a role granted to it."

I think this needs to be placed in the Developer's Guide topic
cdevcsecureroles.dita (Using SQL roles) and then in a logical place in the Ref
Manual. I think it's also useful to use "A" and "B" to clarify things, as in
the first definition of containment (in the Dev Guide topic):

"If a role A is granted to another role B, the privileges identified by role A
are inherited by role B. We say that B contains A."

Adapting this to your definition, I think we get the following (A and B get
reversed):

"A role A contains another role B if role B is granted to role A, or is
contained in a role granted to role A. In this case, the privileges identified
by role B are inherited by role A."

Please let me know if further changes would be useful.
--------
The Reference Manual doesn't seem to have any references to the Developer's
Guide for material on roles or on GRANT/REVOKE. I've put some in.
--------
src/ref/rrefsqljrevoke.dita:
I think the first paragraph should have something about revoking a role. I've
added a sentence -- hope it's okay. (Parallel to the sentence for the GRANT
statement.)
I modified the sentence about sqlAuthorization -- you can let me know if that's
okay or if I should just remove it.
The link to grantgrantees instead of revokegrantees was accidental (I probably
copied from the GRANT statement text and forgot to make the change).
-----
src/ref/rrefsqljgrant.dita:
Added link to "database owner" as with revoke.
Added definition of role containment.
-----------
src/ref/rrefsetrole.dita:
Added link to definition of role containment.
-------
You ask, "Shouldn't crefsqlj18919.html have an entry for roleName?" It does,
because all the topics under "SQL identifiers" are listed automatically in the
HTML frames version.
----------
The comments on src/devguide/cdevcsecure866060.dita actually refer to text that
is in cdevcsecuregrantrevokeaccess.dita, so I made the changes there.
---------
src/devguide/rdevcsecuresqlauthexceptions.dita:
If the exception for an identifier over 128 characters long applies to all
statements, does that mean that it always comes up first? Since you can't
create a role using an identifier over 128 characters long, then using DROP
ROLE with a too-long argument should result in both 0P000 (for a nonexistent
role) and 42622. Would the user see 42622 and not 0P000?
> SQL roles: Add documentation
> ----------------------------
>
> Key: DERBY-3193
> URL: https://issues.apache.org/jira/browse/DERBY-3193
> Project: Derby
> Issue Type: Task
> Components: Documentation
> Reporter: Dag H. Wanvik
> Assignee: Kim Haase
> Fix For: 10.5.0.0
>
> Attachments: DERBY-3193-2.diff, DERBY-3193-2.stat, DERBY-3193-2.zip,
> DERBY-3193.diff, DERBY-3193.stat, DERBY-3193.zip, derby3193-tmp.diff,
> derby3193-tmp.stat
>
>