Posted to derby-commits@db.apache.org by ch...@apache.org on 2009/01/07 16:36:42 UTC
svn commit: r732365 - in /db/derby/docs/trunk/src:
devguide/cdevcsecureroles.dita devguide/rdevcsecuresqlauthexceptions.dita
ref/rrefsqljgrant.dita ref/rrefsqljrevoke.dita tools/rtoolsijcomrefshow.dita
Author: chaase3
Date: Wed Jan 7 07:36:42 2009
New Revision: 732365
URL: http://svn.apache.org/viewvc?rev=732365&view=rev
Log:
DERBY-3193: SQL roles: Add documentation
This patch makes a few additional final corrections to the SQL roles
documentation.
Patch: DERBY-3193-4.diff
Modified:
db/derby/docs/trunk/src/devguide/cdevcsecureroles.dita
db/derby/docs/trunk/src/devguide/rdevcsecuresqlauthexceptions.dita
db/derby/docs/trunk/src/ref/rrefsqljgrant.dita
db/derby/docs/trunk/src/ref/rrefsqljrevoke.dita
db/derby/docs/trunk/src/tools/rtoolsijcomrefshow.dita
Modified: db/derby/docs/trunk/src/devguide/cdevcsecureroles.dita
URL: http://svn.apache.org/viewvc/db/derby/docs/trunk/src/devguide/cdevcsecureroles.dita?rev=732365&r1=732364&r2=732365&view=diff
==============================================================================
--- db/derby/docs/trunk/src/devguide/cdevcsecureroles.dita (original)
+++ db/derby/docs/trunk/src/devguide/cdevcsecureroles.dita Wed Jan 7 07:36:42 2009
@@ -54,8 +54,10 @@
statement to grant a role to one or more users, to PUBLIC, or to another role.
</p>
<p>A role A <i>contains</i> another role B if role B is granted to role A, or is
-contained in a role granted to role A. In this case, the privileges identified
-by role B are inherited by role A.</p>
+contained in a role C granted to role A. Privileges granted to a contained role
+are inherited by the containing roles. So the set of privileges identified by
+role A is the union of the privileges granted to role A and the privileges
+granted to any contained roles of role A.</p>
<p>For example, suppose the database owner issued the following statements:</p>
<codeblock> create role readUser;
create role updateUser;
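Review bot: In the rewritten containment paragraph, "a role C granted to role A" names role C but never refers to it again, and the next sentence opens with a conversational "So". Either drop the label ("contained in a role granted to role A") or use it in the union sentence, and start that sentence with "The set of privileges identified by role A is therefore the union of ...". It would also help to say outright that containment is transitive, since the union sentence depends on it.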
@@ -129,21 +131,20 @@
role.</p>
<p>When a privilege is revoked from a role A, that privilege is no longer held
by role A, unless A otherwise inherits that privilege from a contained role.</p>
-<p>If a role loses a privilege to an object, and a session whose current user is
-different from the owner of that object has a current role which is that role
-or a role that contains that role, the session also loses that privilege,
-unless one or more of the following is true:</p>
+<p>If a privilege to an object is revoked from role A, a session will lose that
+privilege if it has a current role set to A or a role that contains A, unless
+one or more of the following is true:</p>
<ul>
-<li>The role is granted directly to the current user</li>
-<li>The role is granted to PUBLIC</li>
-<li>The role is also granted to another role in the current role's contained
-roles</li>
-<li>The session's current user is the database owner</li>
+<li>The privilege is granted directly to the current user</li>
+<li>The privilege is granted to PUBLIC</li>
+<li>The privilege is also granted to another role B in the current role's set of
+contained roles</li>
+<li>The session's current user is the database owner or the object owner</li>
</ul>
</section>
<section><title>Revoking roles</title>
-<p>The database owner can use the REVOKE statement to revoke a role from a user
-or from another role.</p>
+<p>The database owner can use the REVOKE statement to revoke a role from a user,
+from PUBLIC, or from another role.</p>
<p>When a role is revoked from a user, that session can no longer keep that
role, nor can it take on that role in a SET ROLE statement, unless the role is
also granted to PUBLIC. If that role is the current role of an existing session,
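Review bot: The exception list under "unless one or more of the following is true" misses the case where the session's current role contains A and also holds the privilege through a direct grant. The third bullet only names "another role B in the current role's set of contained roles", and under the containment definition earlier in this file a role is not in its own set of contained roles. Suggest "The privilege is also granted to the current role or to another role B in the current role's set of contained roles". Separately, the "Revoking roles" lead sentence now mentions PUBLIC, but the unchanged paragraph that follows only describes revoking a role from a user, and "that session" there has no antecedent. If the text below the visible context does not cover revoking from PUBLIC, add a sentence on its effect on existing sessions.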
Modified: db/derby/docs/trunk/src/devguide/rdevcsecuresqlauthexceptions.dita
URL: http://svn.apache.org/viewvc/db/derby/docs/trunk/src/devguide/rdevcsecuresqlauthexceptions.dita?rev=732365&r1=732364&r2=732365&view=diff
==============================================================================
--- db/derby/docs/trunk/src/devguide/rdevcsecuresqlauthexceptions.dita (original)
+++ db/derby/docs/trunk/src/devguide/rdevcsecuresqlauthexceptions.dita Wed Jan 7 07:36:42 2009
@@ -85,7 +85,7 @@
<i>SQLException</i> 4251B.</li>
</ul>
<p>For all statements, an attempt to specify an identifier argument more than
-128 characters long raises the <i>SQLException</i> 42622.</p>.
+128 characters long raises the <i>SQLException</i> 42622.</p>
</section>
</refbody>
</reference>
Modified: db/derby/docs/trunk/src/ref/rrefsqljgrant.dita
URL: http://svn.apache.org/viewvc/db/derby/docs/trunk/src/ref/rrefsqljgrant.dita?rev=732365&r1=732364&r2=732365&view=diff
==============================================================================
--- db/derby/docs/trunk/src/ref/rrefsqljgrant.dita (original)
+++ db/derby/docs/trunk/src/ref/rrefsqljgrant.dita Wed Jan 7 07:36:42 2009
@@ -24,7 +24,8 @@
<title>GRANT statement </title>
<shortdesc>Use the GRANT statement to give permissions to a specific user or
role, or to all users, to perform actions on database objects. You can also use
-the GRANT statement to grant a role to a user or to another role.</shortdesc>
+the GRANT statement to grant a role to a user, to PUBLIC, or to another role.
+</shortdesc>
<prolog><metadata>
<keywords><indexterm>GRANT statement</indexterm><indexterm>SQL statements<indexterm>GRANT</indexterm></indexterm>
</keywords>
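Review bot: The rewrap in the shortdesc leaves "</shortdesc>" alone on its own line after "another role.", while the matching change in rrefsqljrevoke.dita keeps the closing tag on the same line as the text ("another role.</shortdesc>"). Wrap one word earlier so that both files close the element the same way.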
@@ -67,8 +68,10 @@
<xref href="rrefattrib26867.dita#rrefattrib26867">database owner</xref> can
grant a role.</p>
<p>A role A <i>contains</i> another role B if role B is granted to role A, or is
-contained in a role granted to role A. In this case, the privileges identified
-by role B are inherited by role A.</p>
+contained in a role C granted to role A. Privileges granted to a contained role
+are inherited by the containing roles. So the set of privileges identified by
+role A is the union of the privileges granted to role A and the privileges
+granted to any contained roles of role A.</p>
</section>
<section id="grantprivtype"><title>privilege-types</title><codeblock><b> ALL PRIVILEGES |
privilege-list
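Review bot: The replacement containment paragraph here is a word-for-word copy of the one added to devguide/cdevcsecureroles.dita in this same patch, so the two definitions can drift the next time one of them is corrected. The docs already pull shared text through conref (for example "../conrefs.dita#prod/productshortname"), so consider keeping the definition in one place and referencing it from the other topic, or at least adding an xref from the GRANT reference to "Using SQL roles".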
Modified: db/derby/docs/trunk/src/ref/rrefsqljrevoke.dita
URL: http://svn.apache.org/viewvc/db/derby/docs/trunk/src/ref/rrefsqljrevoke.dita?rev=732365&r1=732364&r2=732365&view=diff
==============================================================================
--- db/derby/docs/trunk/src/ref/rrefsqljrevoke.dita (original)
+++ db/derby/docs/trunk/src/ref/rrefsqljrevoke.dita Wed Jan 7 07:36:42 2009
@@ -21,8 +21,8 @@
<title>REVOKE statement </title>
<shortdesc>Use the REVOKE statement to remove permissions from a specific
user or role, or from all users, to perform actions on database objects. You can
-also use the REVOKE statement to revoke a role from a user or from another
-role.</shortdesc>
+also use the REVOKE statement to revoke a role from a user, from PUBLIC, or from
+another role.</shortdesc>
<prolog><metadata>
<keywords><indexterm>REVOKE statement<indexterm>syntax</indexterm></indexterm>
<indexterm>SQL statements<indexterm>REVOKE</indexterm></indexterm><indexterm>REVOKE
@@ -185,7 +185,7 @@
revoked, dependent objects will be dropped. Note that dropping may be too
pessimistic. This is because
<ph conref="../conrefs.dita#prod/productshortname"></ph> does not currently make
-an attempt to re-check if the necessary privileges are still available in such
+an attempt to recheck if the necessary privileges are still available in such
cases.</dd></dlentry></dl></section>
<example> <title>Revoke examples</title><p>To revoke the SELECT privilege
on table <codeph>t</codeph> from the authorization IDs <codeph>maria</codeph> and <codeph>harry</codeph>,
Modified: db/derby/docs/trunk/src/tools/rtoolsijcomrefshow.dita
URL: http://svn.apache.org/viewvc/db/derby/docs/trunk/src/tools/rtoolsijcomrefshow.dita?rev=732365&r1=732364&r2=732365&view=diff
==============================================================================
--- db/derby/docs/trunk/src/tools/rtoolsijcomrefshow.dita (original)
+++ db/derby/docs/trunk/src/tools/rtoolsijcomrefshow.dita Wed Jan 7 07:36:42 2009
@@ -28,9 +28,9 @@
Procedures command</indexterm><indexterm>Show Synonyms command</indexterm><indexterm>Show
Indexes in Schema command</indexterm><indexterm>Show Indexes from Table command</indexterm>
<indexterm>Roles<indexterm>displaying</indexterm></indexterm>
-<indexterm>Show Roles command</indexterm>
-<indexterm>Show Enabled Roles command</indexterm>
-<indexterm>Show Settable Roles command</indexterm>
+<indexterm>SHOW ROLES command</indexterm>
+<indexterm>SHOW ENABLED_ROLES command</indexterm>
+<indexterm>SHOW SETTABLE_ROLES command</indexterm>
</keywords>
</metadata></prolog>
<refbody>
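Review bot: The three renamed index entries ("SHOW ROLES command", "SHOW ENABLED_ROLES command", "SHOW SETTABLE_ROLES command") are now upper case while the neighbouring entries in the same keywords block remain mixed case ("Show Synonyms command", "Show Indexes in Schema command"). The generated index will therefore list SHOW commands in two styles. Either keep mixed case for the new entries or convert the existing ones in the same change.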
@@ -39,7 +39,9 @@
CONNECTIONS |
INDEXES [ IN <i>schemaName</i> | FROM <i>table-Name</i> ] |
PROCEDURES [ IN <i>schemaName</i> ] |
- [ENABLED | SETTABLE] ROLES |
+ ROLES |
+ ENABLED_ROLES |
+ SETTABLE_ROLES |
SCHEMAS |
SYNONYMS [ IN <i>schemaName</i> ] |
TABLES [ IN <i>schemaName</i> ] |
@@ -118,34 +120,33 @@
18 rows selected</codeblock>
-<p id="showroles"><b>SHOW ROLES</b></p>
-<p>SHOW ROLES displays the names of all roles created, whether available or
-settable for the current session or not.</p>
-<p>SHOW ENABLED ROLES displays the names of all the roles whose privileges are
+<p id="showroles"><b>SHOW ROLES, SHOW ENABLED_ROLES, SHOW SETTABLE_ROLES</b></p>
+<p>SHOW ROLES displays the names of all roles created, whether settable for the
+current session or not.</p>
+<p>SHOW ENABLED_ROLES displays the names of all the roles whose privileges are
available for the current session. That is, it shows the current role and any
-role granted to or contained in the current role. (For a definition of role
-containment, see "Using SQL roles" in the
-<ph conref="../conrefs.dita#pub/citdevelop"></ph>.)
-</p>
-<p>SHOW SETTABLE ROLES displays all the roles that the current session can set,
-that is, all roles that have been granted to the current user.</p>
+role contained in the current role. (For a definition of role containment, see
+"Using SQL roles" in the <ph conref="../conrefs.dita#pub/citdevelop"></ph>.)</p>
+<p>SHOW SETTABLE_ROLES displays all the roles that the current session can set,
+that is, all roles that have been granted to the current user or to PUBLIC.</p>
+<p>The roles shown by these commands are sorted in ascending order.</p>
<p><b>Example</b></p>
<codeblock>ij> <b>show roles;</b>
ROLEID
------------------------------
-CASUALUSER
ANYUSER
+CASUALUSER
POWERUSER
3 rows selected
-ij> <b>show enabled roles;</b>
+ij> <b>show enabled_roles;</b>
ROLEID
------------------------------
-CASUALUSER
ANYUSER
+CASUALUSER
2 rows selected
-ij> <b>show settable roles;</b>
+ij> <b>show settable_roles;</b>
ROLEID
------------------------------
CASUALUSER
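Review bot: The added sentence "The roles shown by these commands are sorted in ascending order." does not say what the sort key is. The reordered examples (ANYUSER before CASUALUSER) imply the role name, so state it: "sorted by role name in ascending order". Also, the SHOW ROLES description went from "whether available or settable" to "whether settable", so it no longer tells the reader that roles not enabled for the session are listed too. Consider "whether enabled or settable for the current session or not", to match the two new command names.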