You are viewing a plain text version of this content. The canonical link for it is here.
Posted to derby-dev@db.apache.org by "Dag H. Wanvik (JIRA)" <ji...@apache.org> on 2008/04/11 18:44:04 UTC
[jira] Updated: (DERBY-3223) SQL roles: make use of privileges
granted to roles in actual privilege checking
[ https://issues.apache.org/jira/browse/DERBY-3223?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Dag H. Wanvik updated DERBY-3223:
---------------------------------
Attachment: derby-3223-1a.stat
derby-3223-1a.diff
Uploading an experimental patch, 3223-1a, which adds privileges
granted to roles to the set of privileges available to a session user,
in addition to privileges granted to that user and to PUBLIC.
Code to handle revocation logic when role grants are revoked,
privileges grants are revoked from roles, modifying the current role,
and dropping roles is included.
- Role descriptors are still not cached in memory. This is/may be a
performance issue, of course. The present implementation naively
fetches role descriptors from disk as needed.
- If an execute privilege is conferred via a role, and that role is
revoked from a user (directly or indirectly via inheritance), the
dependent object (constraint, trigger, view) will be dropped, that
is, the RESTRICT semantics is not used. This is in contrast to when
such a privilege is revoked from a role (or user), in this case, the
RESTRICT semantics apply. Since privilege revocation for the
different privileges are not compatible with regards to
RESTRICT/CASCADE, I need to find a workable solution for this choice
when revoking roles (which can confer all kinds of privileges).
- Resetting the current role role for the current session leads to
invalidation of dependent prepared statements (they need to be
checked again), which is too expensive, cf discussion with Dan on
this. I will look into if I can invalidate just the activations
instead.
- Similar to the present solution fopr GRANT/REVOKE, when privileges
are revoked, for dependent persistent objects (constraint, trigger,
view), there is no attempt to find an alternative privilege which
can apply: For example, if the discretionary privilege to user U is
revoked, there is no attempt to find an applicable privilege granted
to PUBLIC instead; the object is dropped, or RESTRICT kicks in as
the case may be. This holds when privileges are revoked from roles
as well.
This situation is bad for roles, since, in the general case, when
dependencies are inherited through a role grant graph, the present
implementation records dependencies on the current role set (it does
not record not the entire path of grant descriptors leading through
the role grant graph from the current role up to the role which
received the privilege grant). This has the consequence that when a
revoke is performed on a role high up in a role inheritance graph,
all downstream roles in the transitive closure of the grant relation
of that role are invalidated, which may lead to excessive
invalidations (and hence objects drops) in some cases.
For dependent prepared statements, this is only a performance issue,
since DDL operations are rare enough that some extra recompilations
should be ok.
- Roles are applied only after discretionary and public privileges are
exhausted, with one exception: A full table select permission to a
role will be preferred over column selects to user or public. This
order determines the behavior at revoke time for persistent objects,
cf previous bullet.
The usual disclaimers for experimental code; bugs, lacking comments,
lacking tests, code reduncancy which need refactoring, etc, etc apply :)
Please kick the tires and see if the behavior is what you would
expect.
> SQL roles: make use of privileges granted to roles in actual privilege checking
> -------------------------------------------------------------------------------
>
> Key: DERBY-3223
> URL: https://issues.apache.org/jira/browse/DERBY-3223
> Project: Derby
> Issue Type: New Feature
> Components: Security, SQL
> Reporter: Dag H. Wanvik
> Assignee: Dag H. Wanvik
> Fix For: 10.5.0.0
>
> Attachments: derby-3223-1a.diff, derby-3223-1a.stat
>
>
> Pushing out to 10.5
--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.