[ https://issues.apache.org/jira/browse/DERBY-3193?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12660354#action_12660354 ]
Dag H. Wanvik commented on DERBY-3193:
--------------------------------------
Thanks for your good work on this issue, Kim!
I looked again at the changes, and have a much shorter list this time, mostly
stuff I missed the first time around:
* rrefsqljrevoke:
> You can also use the REVOKE statement to revoke a role from a user
> or from another role.
Thanks for adding this sentence. It should also mention "PUBLIC":
"You can also use the REVOKE statement to revoke a role from a user,
PUBLIC or from another role."
* rrefsqljgrant:
> A role A contains another role B if role B is granted to role A, or
> is contained in a role granted to role A. In this case, the
> privileges identified by role B are inherited by role A.
Thanks for the improvement, perhaps we can improve it even further:
"A role A contains another role B if role B is granted to role A, or
is contained in a role C granted to role A. Privileges granted to a
contained role are inherited by the containing roles. So, the
privileges identified by role A are the union of privileges granted
to A and privileges granted to any contained roles of A."
* rtoolsijcomrefshow
> whether available or settable
Sorry, I was unclear here. Let's strike out "available":
".. whether settable for the current session or not."
> That is, it shows the current role and any role granted to or
> contained in the current role.
Again, we have two ways of saying the same thing (almost), so I suggest
we stick to the definition here, and strike out "granted to or":
That is, it shows the current role and any role contained in the
current role.
> SHOW SETTABLE ROLES displays all the roles that the current session
> can set, that is, all roles that have been granted to the current
> user.
Oops, slight omission here (mea culpa), it should read:
"SHOW SETTABLE_ROLES displays all the roles that the current session
can set, that is, all roles that have been granted to the current user
or to PUBLIC."
Finally, I missed the fact that the syntax has been changed here:
The implemented syntax entry for roles is:
ENABLED_ROLES | SETTABLE_ROLES | ROLES |
Please update all relevant references.
We might also add that the roles shown by these commands are sorted in
ascending order. This means the 2 first examples should be adjusted too:
ij> show roles;
ROLEID
------------------------------
ANYUSER
CASUALUSER
POWERUSER
3 rows selected
ij> show enabled_roles;
ROLEID
------------------------------
ANYUSER
CASUALUSER
2 rows selected
* rdev
> If the exception for an identifier over 128 characters long applies
to all statements, does that mean that it always comes up first?
Yes, with the latest patch I have cooking, it does. We haven't
normally been very specific in our documentation when it comes to
error messages, and specifically not when more than one may
apply. Maybe it's best to leave the precedence undefined?
* cdevcsecureroles:
This section is wrong (probably wrong in spec as well):
> If a role loses a privilege to an object, and a session whose
> current user is different from the owner of that object has a
> current role which is that role or a role that contains that role,
> the session also loses that privilege, unless one or more of the
> following is true:
> * The role is granted directly to the current user
> * The role is granted to PUBLIC
> * The role is also granted to another role in the current role's
> contained roles
> * The session's current user is the database owner
If a privilege to an object is revoked from role A, a session will
lose that privilege if it has a current role set to A or a role that
contains A, unless one or more of the following is true:
* The privilege is granted directly to the current user
* The privilege is granted to PUBLIC
* The privilege is also granted to another role B in the current role's
set of contained roles
* The session's current user is the database owner or the object owner.
> SQL roles: Add documentation
> ----------------------------
>
> Key: DERBY-3193
> URL: https://issues.apache.org/jira/browse/DERBY-3193
> Project: Derby
> Issue Type: Task
> Components: Documentation
> Reporter: Dag H. Wanvik
> Assignee: Kim Haase
> Fix For: 10.5.0.0
>
> Attachments: DERBY-3193-2.diff, DERBY-3193-2.stat, DERBY-3193-2.zip,
> DERBY-3193-3.diff, DERBY-3193-3.zip, DERBY-3193.diff, DERBY-3193.stat,
> DERBY-3193.zip, derby3193-tmp.diff, derby3193-tmp.stat
>
>
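The containment and revocation rules proposed in the comment above, modeled as an added Python example (not Derby code and not part of the original message). The role hierarchy, the user names, the APP.T table and all function names are constructed for illustration.

```python
# Added example: models the rules as worded in the comment; not Derby code.
PUBLIC = "PUBLIC"

def contained_roles(role, role_grants):
    """Roles contained in `role`: granted to it directly or through a chain.
    role_grants maps a role to the set of roles granted to it."""
    seen, stack = set(), [role]
    while stack:
        for granted in role_grants.get(stack.pop(), ()):
            if granted not in seen:
                seen.add(granted)
                stack.append(granted)
    return seen

def role_privileges(role, role_grants, privs):
    """Union of privileges granted to `role` and to each role it contains."""
    roles = {role} | contained_roles(role, role_grants)
    return set().union(*(privs.get(r, set()) for r in roles))

def session_has(user, current_role, priv, owners, role_grants, privs):
    """priv is (action, object); owners holds 'db' and per-object owners."""
    if user in (owners["db"], owners.get(priv[1])):
        return True  # database owner or object owner
    if priv in privs.get(user, set()) or priv in privs.get(PUBLIC, set()):
        return True  # granted directly to the user or to PUBLIC
    return current_role is not None and priv in role_privileges(
        current_role, role_grants, privs)

def revoke(privs, grantee, priv):
    """Return a copy of privs with priv removed from grantee."""
    return {g: (p - {priv} if g == grantee else set(p)) for g, p in privs.items()}

# Constructed sample: POWERUSER contains CASUALUSER, which contains ANYUSER.
ROLE_GRANTS = {"POWERUSER": {"CASUALUSER"}, "CASUALUSER": {"ANYUSER"}}
SELECT_T = ("SELECT", "APP.T")
OWNERS = {"db": "DBO", "APP.T": "ALICE"}
PRIVS = {"ANYUSER": {SELECT_T}, "CASUALUSER": {SELECT_T}}

if __name__ == "__main__":
    after_one = revoke(PRIVS, "ANYUSER", SELECT_T)
    after_two = revoke(after_one, "CASUALUSER", SELECT_T)
    for label, p in (("before", PRIVS), ("revoked from ANYUSER", after_one),
                     ("revoked from both", after_two)):
        print(label, session_has("BOB", "POWERUSER", SELECT_T,
                                 OWNERS, ROLE_GRANTS, p))
```

The session for BOB keeps SELECT after the first revoke because CASUALUSER, another role in POWERUSER's set of contained roles, still holds it; it is lost only after the second revoke.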