Posted to derby-commits@db.apache.org by ba...@apache.org on 2006/03/18 17:59:19 UTC

svn commit: r386867 - in /db/derby/code/trunk/java: engine/org/apache/derby/iapi/reference/ engine/org/apache/derby/iapi/sql/conn/ engine/org/apache/derby/iapi/sql/dictionary/ engine/org/apache/derby/impl/sql/ engine/org/apache/derby/impl/sql/catalog/ ...

Author: bandaram
Date: Sat Mar 18 08:59:16 2006
New Revision: 386867

URL: http://svn.apache.org/viewcvs?rev=386867&view=rev
Log:
DERBY-464: Continuation of Grant & Revoke feature checkins. This batch of changes addresses:

1) Introduce new property derby.database.sqlAuthorization to turn on SQL standard authorization model. Default authorization is still Derby legacy authorization model, with NO support for GRANT/REVOKE.

2) If this property is set to TRUE as system property, all new databases get created with sqlAuthorization to TRUE. If this property is set at a database level, authorization mode would be switched to SQL standard mode at next database boot time.

3) Remove all changes made to defaultConnectionMode property. This property was the previous way to enable GRANT/REVOKE.

4) Disable any changes to sqlAuthorization property once SQL standard authorization is enabled. This is done to prevent switching back to Derby legacy authorization model.

Submitted by Satheesh Bandaram (satheesh@sourcery.org)

Modified:
    db/derby/code/trunk/java/engine/org/apache/derby/iapi/reference/Property.java
    db/derby/code/trunk/java/engine/org/apache/derby/iapi/sql/conn/LanguageConnectionContext.java
    db/derby/code/trunk/java/engine/org/apache/derby/iapi/sql/dictionary/DataDictionary.java
    db/derby/code/trunk/java/engine/org/apache/derby/impl/sql/LanguageDbPropertySetter.java
    db/derby/code/trunk/java/engine/org/apache/derby/impl/sql/catalog/DataDictionaryImpl.java
    db/derby/code/trunk/java/engine/org/apache/derby/impl/sql/compile/CompilerContextImpl.java
    db/derby/code/trunk/java/engine/org/apache/derby/impl/sql/compile/sqlgrammar.jj
    db/derby/code/trunk/java/engine/org/apache/derby/impl/sql/conn/GenericAuthorizer.java
    db/derby/code/trunk/java/engine/org/apache/derby/impl/sql/conn/GenericLanguageConnectionContext.java
    db/derby/code/trunk/java/engine/org/apache/derby/impl/sql/conn/GenericLanguageConnectionFactory.java
    db/derby/code/trunk/java/testing/org/apache/derbyTesting/functionTests/master/connect.out
    db/derby/code/trunk/java/testing/org/apache/derbyTesting/functionTests/tests/lang/grantRevoke.java
    db/derby/code/trunk/java/testing/org/apache/derbyTesting/functionTests/tests/lang/grantRevokeDDL_app.properties
    db/derby/code/trunk/java/testing/org/apache/derbyTesting/functionTests/tests/lang/grantRevoke_derby.properties

Modified: db/derby/code/trunk/java/engine/org/apache/derby/iapi/reference/Property.java
URL: http://svn.apache.org/viewcvs/db/derby/code/trunk/java/engine/org/apache/derby/iapi/reference/Property.java?rev=386867&r1=386866&r2=386867&view=diff
==============================================================================
--- db/derby/code/trunk/java/engine/org/apache/derby/iapi/reference/Property.java (original)
+++ db/derby/code/trunk/java/engine/org/apache/derby/iapi/reference/Property.java Sat Mar 18 08:59:16 2006
@@ -613,6 +613,15 @@
 	public static final String DEFAULT_USER_NAME = "APP";
 	public static final String DATABASE_MODULE = "org.apache.derby.database.Database";
 
+	/*
+		Property to enable Grant & Revoke SQL authorization. Introduced in Derby 10.2
+		release. New databases and existing databases (in Derby 10.2) still use legacy
+		authorization by default and by setting this property to true could request for
+		SQL standard authorization model.
+	 */
+	public static final String
+	SQL_AUTHORIZATION_PROPERTY = "derby.database.sqlAuthorization";
+
 	public static final String
 	DEFAULT_CONNECTION_MODE_PROPERTY = "derby.database.defaultConnectionMode";
 
@@ -620,16 +629,12 @@
 	public static final String READ_ONLY_ACCESS = "readOnlyAccess";
 	public static final String FULL_ACCESS = "fullAccess";
 	public static final String DEFAULT_ACCESS = FULL_ACCESS;
-	public static final String SQL_STANDARD_ACCESS = "sqlStandard";
 
 	public static final String
 	READ_ONLY_ACCESS_USERS_PROPERTY = "derby.database.readOnlyAccessUsers";
 
 	public static final String
 	FULL_ACCESS_USERS_PROPERTY = "derby.database.fullAccessUsers";
-
-	public static final String
-	SQL_AUTHORIZATION = "derby.database.sqlAuthorization";
 
 	/*
 	** Authentication

Modified: db/derby/code/trunk/java/engine/org/apache/derby/iapi/sql/conn/LanguageConnectionContext.java
URL: http://svn.apache.org/viewcvs/db/derby/code/trunk/java/engine/org/apache/derby/iapi/sql/conn/LanguageConnectionContext.java?rev=386867&r1=386866&r2=386867&view=diff
==============================================================================
--- db/derby/code/trunk/java/engine/org/apache/derby/iapi/sql/conn/LanguageConnectionContext.java (original)
+++ db/derby/code/trunk/java/engine/org/apache/derby/iapi/sql/conn/LanguageConnectionContext.java Sat Mar 18 08:59:16 2006
@@ -1116,5 +1116,5 @@
 	 *
 	 * @return True if SQL standard permissions are being used
 	 */
-	public boolean usesSqlStandardPermissions();
+	public boolean usesSqlAuthorization();
 }

Modified: db/derby/code/trunk/java/engine/org/apache/derby/iapi/sql/dictionary/DataDictionary.java
URL: http://svn.apache.org/viewcvs/db/derby/code/trunk/java/engine/org/apache/derby/iapi/sql/dictionary/DataDictionary.java?rev=386867&r1=386866&r2=386867&view=diff
==============================================================================
--- db/derby/code/trunk/java/engine/org/apache/derby/iapi/sql/dictionary/DataDictionary.java (original)
+++ db/derby/code/trunk/java/engine/org/apache/derby/iapi/sql/dictionary/DataDictionary.java Sat Mar 18 08:59:16 2006
@@ -266,6 +266,13 @@
 	public String getAuthorizationDBA();
 
 	/**
+	 * Get authorization model in force, SqlStandard or legacy mode
+	 *
+	 * @return	Whether sqlAuthorization is being used
+	 */
+	public boolean usesSqlAuthorization();
+
+	/**
  	  *	Get the tabinfo of a system catalog. Paw through the tabinfo arrays looking for the tabinfo
  	  *	corresponding to this table name.
  	  *

Modified: db/derby/code/trunk/java/engine/org/apache/derby/impl/sql/LanguageDbPropertySetter.java
URL: http://svn.apache.org/viewcvs/db/derby/code/trunk/java/engine/org/apache/derby/impl/sql/LanguageDbPropertySetter.java?rev=386867&r1=386866&r2=386867&view=diff
==============================================================================
--- db/derby/code/trunk/java/engine/org/apache/derby/impl/sql/LanguageDbPropertySetter.java (original)
+++ db/derby/code/trunk/java/engine/org/apache/derby/impl/sql/LanguageDbPropertySetter.java Sat Mar 18 08:59:16 2006
@@ -23,8 +23,10 @@
 import org.apache.derby.iapi.services.property.PropertySetCallback;
 import org.apache.derby.iapi.services.property.PropertyUtil;
 import org.apache.derby.iapi.reference.Property;
+import org.apache.derby.iapi.reference.SQLState;
 import org.apache.derby.iapi.services.daemon.Serviceable;
 import org.apache.derby.iapi.services.sanity.SanityManager;
+import org.apache.derby.iapi.services.context.ContextService;
 import org.apache.derby.iapi.error.StandardException;
 import org.apache.derby.iapi.sql.conn.LanguageConnectionContext;
 import org.apache.derby.iapi.store.access.TransactionController;
@@ -47,6 +49,18 @@
 		Dictionary		p
 	) throws StandardException 
 	{
+		// Disallow changing sqlAuthorization from true to false or null after
+		// switching to Standard authorization
+		if (key.trim().equals(Property.SQL_AUTHORIZATION_PROPERTY))
+		{
+			LanguageConnectionContext lcc = (LanguageConnectionContext)
+					ContextService.getContext(LanguageConnectionContext.CONTEXT_ID);
+
+			if (lcc.usesSqlAuthorization() && !Boolean.valueOf((String)value).booleanValue())
+				throw StandardException.newException(SQLState.PROPERTY_UNSUPPORTED_CHANGE,
+					key, value);
+		}
+
 		if (key.equals(Property.LANGUAGE_STALE_PLAN_CHECK_INTERVAL)) {
 			PropertyUtil.intPropertyValue(
 						Property.LANGUAGE_STALE_PLAN_CHECK_INTERVAL,
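Review bot: The cast `(String)value` in the new sqlAuthorization guard assumes the incoming value is a String; the parameter's declared type is outside the hunk, but if it is a wider type, a non-String value would surface as a ClassCastException rather than PROPERTY_UNSUPPORTED_CHANGE. Since this check is what keeps a database from dropping back to legacy authorization, the rejection should be explicit for anything that is not the string true, e.g. `if (lcc.usesSqlAuthorization() && !(value instanceof String && Boolean.valueOf((String) value).booleanValue()))`. The guard also matches on `key.trim()` while the check right below uses `key.equals(...)`; one form should be used throughout so a key with surrounding whitespace is handled the same way by every check in this method. The method starts and continues outside the hunk.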

Modified: db/derby/code/trunk/java/engine/org/apache/derby/impl/sql/catalog/DataDictionaryImpl.java
URL: http://svn.apache.org/viewcvs/db/derby/code/trunk/java/engine/org/apache/derby/impl/sql/catalog/DataDictionaryImpl.java?rev=386867&r1=386866&r2=386867&view=diff
==============================================================================
--- db/derby/code/trunk/java/engine/org/apache/derby/impl/sql/catalog/DataDictionaryImpl.java (original)
+++ db/derby/code/trunk/java/engine/org/apache/derby/impl/sql/catalog/DataDictionaryImpl.java Sat Mar 18 08:59:16 2006
@@ -330,6 +330,7 @@
 	private DD_Version  softwareVersion;
 
 	private String authorizationDBA;
+	private boolean usesSqlAuthorization;
 
 	/*
 	** This property and value are written into the database properties
@@ -664,12 +665,28 @@
                     DataDictionary.CREATE_DATA_DICTIONARY_VERSION,
                     dictionaryVersion, true);
 
+				// If SqlAuthorization is set as system property during database
+				// creation, set it as database property also, so it gets persisted.
+				if (PropertyUtil.getSystemBoolean(Property.SQL_AUTHORIZATION_PROPERTY))
+				{
+					bootingTC.setProperty(Property.SQL_AUTHORIZATION_PROPERTY,"true",true);
+					usesSqlAuthorization=true;
+				}
+
 			} else {
 				// Get the ids for non-core tables
 				loadDictionaryTables(bootingTC, ddg, startParams);
 				SchemaDescriptor sd = locateSchemaRow(SchemaDescriptor.IBM_SYSTEM_SCHEMA_NAME,
 								 bootingTC);
 				authorizationDBA = sd.getAuthorizationId();
+				String sqlAuth = PropertyUtil.getDatabaseProperty(bootingTC,
+										Property.SQL_AUTHORIZATION_PROPERTY);
+				if (Boolean.valueOf(sqlAuth).booleanValue())
+				{
+					// SQL authorization requires 10.2 or higher database
+					checkVersion(DataDictionary.DD_VERSION_DERBY_10_2, "sqlAuthorization");
+					usesSqlAuthorization=true;
+				}
 			}
 					
 			if (SanityManager.DEBUG)
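Review bot: In the existing-database branch, `checkVersion(DataDictionary.DD_VERSION_DERBY_10_2, "sqlAuthorization")` now runs during boot, so a dictionary older than 10.2 that has `derby.database.sqlAuthorization` persisted as true would presumably fail to boot, where the removed check in GenericLanguageConnectionContext ran during connection setup. Nothing in this commit's property validation rejects setting the property on such a database, so the version check probably belongs at set time as well (in the LanguageDbPropertySetter guard), leaving this boot-time check as a backstop. Separately, `usesSqlAuthorization` is only ever assigned true in this hunk; a comment such as `// never reset: SQL authorization cannot be turned off once in force` would document that this is intended. The enclosing boot method starts and ends outside the hunk.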
@@ -1152,6 +1169,14 @@
 	public String getAuthorizationDBA()
 	{
 		return authorizationDBA;
+	}
+
+	/**
+	 * @see DataDictionary#usesSqlAuthorization
+	 */
+	public boolean usesSqlAuthorization()
+	{
+		return usesSqlAuthorization;
 	}
 
 	/**

Modified: db/derby/code/trunk/java/engine/org/apache/derby/impl/sql/compile/CompilerContextImpl.java
URL: http://svn.apache.org/viewcvs/db/derby/code/trunk/java/engine/org/apache/derby/impl/sql/compile/CompilerContextImpl.java?rev=386867&r1=386866&r2=386867&view=diff
==============================================================================
--- db/derby/code/trunk/java/engine/org/apache/derby/impl/sql/compile/CompilerContextImpl.java (original)
+++ db/derby/code/trunk/java/engine/org/apache/derby/impl/sql/compile/CompilerContextImpl.java Sat Mar 18 08:59:16 2006
@@ -694,7 +694,7 @@
 		requiredRoutinePrivileges = null;
 		LanguageConnectionContext lcc = (LanguageConnectionContext)
 		getContextManager().getContext(LanguageConnectionContext.CONTEXT_ID);
-		if( lcc.usesSqlStandardPermissions())
+		if( lcc.usesSqlAuthorization())
 		{
 			requiredColumnPrivileges = new HashMap();
 			requiredTablePrivileges = new HashMap();

Modified: db/derby/code/trunk/java/engine/org/apache/derby/impl/sql/compile/sqlgrammar.jj
URL: http://svn.apache.org/viewcvs/db/derby/code/trunk/java/engine/org/apache/derby/impl/sql/compile/sqlgrammar.jj?rev=386867&r1=386866&r2=386867&view=diff
==============================================================================
--- db/derby/code/trunk/java/engine/org/apache/derby/impl/sql/compile/sqlgrammar.jj (original)
+++ db/derby/code/trunk/java/engine/org/apache/derby/impl/sql/compile/sqlgrammar.jj Sat Mar 18 08:59:16 2006
@@ -326,13 +326,13 @@
     */
 	private void checkSqlStandardAccess( String command) throws StandardException
 	{
-		if( getLanguageConnectionContext().usesSqlStandardPermissions())
+		if( getLanguageConnectionContext().usesSqlAuthorization())
 			return;
 
 		throw StandardException.newException(SQLState.LANG_GRANT_REVOKE_WITH_LEGACY_ACCESS,
 											command,
-											Property.DEFAULT_CONNECTION_MODE_PROPERTY,
-											Property.SQL_STANDARD_ACCESS);
+											Property.SQL_AUTHORIZATION_PROPERTY,
+											"TRUE");
 	}
 
 	/*

Modified: db/derby/code/trunk/java/engine/org/apache/derby/impl/sql/conn/GenericAuthorizer.java
URL: http://svn.apache.org/viewcvs/db/derby/code/trunk/java/engine/org/apache/derby/impl/sql/conn/GenericAuthorizer.java?rev=386867&r1=386866&r2=386867&view=diff
==============================================================================
--- db/derby/code/trunk/java/engine/org/apache/derby/impl/sql/conn/GenericAuthorizer.java (original)
+++ db/derby/code/trunk/java/engine/org/apache/derby/impl/sql/conn/GenericAuthorizer.java Sat Mar 18 08:59:16 2006
@@ -48,7 +48,6 @@
 	private static final int NO_ACCESS = 0;
 	private static final int READ_ACCESS = 1;
 	private static final int FULL_ACCESS = 2;
-	private static final int SQL_STANDARD_ACCESS = 3;
 	
 	//
 	//Configurable userAccessLevel - derived from Database level
@@ -227,8 +226,6 @@
 			return READ_ACCESS;
 		else if(StringUtil.SQLEqualsIgnoreCase(modeS, Property.FULL_ACCESS))
 			return FULL_ACCESS;
-		else if(StringUtil.SQLEqualsIgnoreCase(modeS, Property.SQL_STANDARD_ACCESS))
-            return FULL_ACCESS; 
 		else
 		{
 			if (SanityManager.DEBUG)

Modified: db/derby/code/trunk/java/engine/org/apache/derby/impl/sql/conn/GenericLanguageConnectionContext.java
URL: http://svn.apache.org/viewcvs/db/derby/code/trunk/java/engine/org/apache/derby/impl/sql/conn/GenericLanguageConnectionContext.java?rev=386867&r1=386866&r2=386867&view=diff
==============================================================================
--- db/derby/code/trunk/java/engine/org/apache/derby/impl/sql/conn/GenericLanguageConnectionContext.java (original)
+++ db/derby/code/trunk/java/engine/org/apache/derby/impl/sql/conn/GenericLanguageConnectionContext.java Sat Mar 18 08:59:16 2006
@@ -189,7 +189,6 @@
 	protected String userName = null; //The name the user connects with.
 	                                  //May still be quoted.
 	
-	protected boolean usesSqlPermissions = false;
 	protected SchemaDescriptor	sd;
 
 	// RESOLVE - How do we want to set the default.
@@ -304,17 +303,6 @@
 					"derby.language.logQueryPlan");
 		logQueryPlan = Boolean.valueOf(logQueryPlanProperty).booleanValue();
 
-		// GrantRevoke TODO: May need to make database property value override system value
-		String modeS = PropertyUtil.getServiceProperty(getTransactionCompile(),
-									Property.DEFAULT_CONNECTION_MODE_PROPERTY);
-		if (modeS != null &&
-			 StringUtil.SQLEqualsIgnoreCase(modeS, Property.SQL_STANDARD_ACCESS))
-		{
-			// Raise error if DD version is not less than 10.2
-			getDataDictionary().checkVersion(DataDictionary.DD_VERSION_DERBY_10_2, "sqlAuthorization");
-			usesSqlPermissions = true;
-		}
-
 		setRunTimeStatisticsMode(logQueryPlan);
 
 		lockEscalationThreshold = 
@@ -411,11 +399,11 @@
 	}
 
 	/**
-	 * @see LanguageConnectionContext#usesSqlStandardPermissions
+	 * @see LanguageConnectionContext#usesSqlAuthorization
 	 */
-	public boolean usesSqlStandardPermissions()
+	public boolean usesSqlAuthorization()
 	{
-		return usesSqlPermissions;
+		return getDataDictionary().usesSqlAuthorization();
 	}
 
 	/**

Modified: db/derby/code/trunk/java/engine/org/apache/derby/impl/sql/conn/GenericLanguageConnectionFactory.java
URL: http://svn.apache.org/viewcvs/db/derby/code/trunk/java/engine/org/apache/derby/impl/sql/conn/GenericLanguageConnectionFactory.java?rev=386867&r1=386866&r2=386867&view=diff
==============================================================================
--- db/derby/code/trunk/java/engine/org/apache/derby/impl/sql/conn/GenericLanguageConnectionFactory.java (original)
+++ db/derby/code/trunk/java/engine/org/apache/derby/impl/sql/conn/GenericLanguageConnectionFactory.java Sat Mar 18 08:59:16 2006
@@ -398,8 +398,7 @@
 			if (value_s != null &&
 				!StringUtil.SQLEqualsIgnoreCase(value_s, Property.NO_ACCESS) &&
 				!StringUtil.SQLEqualsIgnoreCase(value_s, Property.READ_ONLY_ACCESS) &&
-				!StringUtil.SQLEqualsIgnoreCase(value_s, Property.FULL_ACCESS) &&
-				!StringUtil.SQLEqualsIgnoreCase(value_s, Property.SQL_STANDARD_ACCESS))
+				!StringUtil.SQLEqualsIgnoreCase(value_s, Property.FULL_ACCESS))
 				throw StandardException.newException(SQLState.AUTH_INVALID_AUTHORIZATION_PROPERTY, key, value_s);
 
 			return true;
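Review bot: With `Property.SQL_STANDARD_ACCESS` dropped from the accepted values here and its mapping removed from GenericAuthorizer in the same commit, a database that already has `derby.database.defaultConnectionMode` persisted as 'sqlStandard' would now reach GenericAuthorizer's final `else` branch, whose non-debug result is not visible in this diff. It is worth confirming that an unrecognised persisted mode resolves to a restrictive access level rather than full access, and saying so in a comment next to this validation, e.g. `// 'sqlStandard' is no longer a valid mode; use derby.database.sqlAuthorization`. The enclosing method starts and ends outside the hunk.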

Modified: db/derby/code/trunk/java/testing/org/apache/derbyTesting/functionTests/master/connect.out
URL: http://svn.apache.org/viewcvs/db/derby/code/trunk/java/testing/org/apache/derbyTesting/functionTests/master/connect.out?rev=386867&r1=386866&r2=386867&view=diff
==============================================================================
--- db/derby/code/trunk/java/testing/org/apache/derbyTesting/functionTests/master/connect.out (original)
+++ db/derby/code/trunk/java/testing/org/apache/derbyTesting/functionTests/master/connect.out Sat Mar 18 08:59:16 2006
@@ -35,8 +35,8 @@
 ij> create table mytab(i int);
 0 rows inserted/updated/deleted
 ij> grant select on mytab to satheesh;
-ERROR 42Z60: GRANT not allowed unless database property derby.database.defaultConnectionMode has value 'sqlStandard'.
+ERROR 42Z60: GRANT not allowed unless database property derby.database.sqlAuthorization has value 'TRUE'.
 ij> revoke select on mytab to satheesh;
-ERROR 42Z60: REVOKE not allowed unless database property derby.database.defaultConnectionMode has value 'sqlStandard'.
+ERROR 42Z60: REVOKE not allowed unless database property derby.database.sqlAuthorization has value 'TRUE'.
 ij> disconnect;
 ij> 

Modified: db/derby/code/trunk/java/testing/org/apache/derbyTesting/functionTests/tests/lang/grantRevoke.java
URL: http://svn.apache.org/viewcvs/db/derby/code/trunk/java/testing/org/apache/derbyTesting/functionTests/tests/lang/grantRevoke.java?rev=386867&r1=386866&r2=386867&view=diff
==============================================================================
--- db/derby/code/trunk/java/testing/org/apache/derbyTesting/functionTests/tests/lang/grantRevoke.java (original)
+++ db/derby/code/trunk/java/testing/org/apache/derbyTesting/functionTests/tests/lang/grantRevoke.java Sat Mar 18 08:59:16 2006
@@ -63,8 +63,8 @@
             dbmd = owner.getConnection().getMetaData();
 // GrantRevoke TODO: Enable standard access tests
 // checkStandardAccess( );
-            owner.stmt.executeUpdate( "call SYSCS_UTIL.SYSCS_SET_DATABASE_PROPERTY('derby.database.defaultConnectionMode',"
-                                      + " 'sqlStandard')");
+//            owner.stmt.executeUpdate( "call SYSCS_UTIL.SYSCS_SET_DATABASE_PROPERTY('derby.database.sqlAuthorization',"
+//                                      + " 'true')");
 
             runGrantTests();
             // We can't test much of REVOKE unless GRANT works
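Review bot: The call that enabled SQL authorization is left behind as commented-out code, and nothing in this test exercises the new rule that the property cannot be switched back once it is in force. The two commented lines should be deleted (the test's derby.properties now sets `derby.database.sqlAuthorization=true`), and a negative case added that calls `SYSCS_UTIL.SYSCS_SET_DATABASE_PROPERTY('derby.database.sqlAuthorization', 'false')` and expects the PROPERTY_UNSUPPORTED_CHANGE error. The enclosing method starts and ends outside the hunk.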

Modified: db/derby/code/trunk/java/testing/org/apache/derbyTesting/functionTests/tests/lang/grantRevokeDDL_app.properties
URL: http://svn.apache.org/viewcvs/db/derby/code/trunk/java/testing/org/apache/derbyTesting/functionTests/tests/lang/grantRevokeDDL_app.properties?rev=386867&r1=386866&r2=386867&view=diff
==============================================================================
--- db/derby/code/trunk/java/testing/org/apache/derbyTesting/functionTests/tests/lang/grantRevokeDDL_app.properties (original)
+++ db/derby/code/trunk/java/testing/org/apache/derbyTesting/functionTests/tests/lang/grantRevokeDDL_app.properties Sat Mar 18 08:59:16 2006
@@ -1,7 +1,7 @@
 ij.protocol=jdbc:derby:
 ij.showNoConnectionsAtStart=true
 
-derby.database.defaultConnectionMode=sqlStandard
+derby.database.sqlAuthorization=true
 useextdirs=true
 
 # DataSource properties, only used if ij.dataSource is set

Modified: db/derby/code/trunk/java/testing/org/apache/derbyTesting/functionTests/tests/lang/grantRevoke_derby.properties
URL: http://svn.apache.org/viewcvs/db/derby/code/trunk/java/testing/org/apache/derbyTesting/functionTests/tests/lang/grantRevoke_derby.properties?rev=386867&r1=386866&r2=386867&view=diff
==============================================================================
--- db/derby/code/trunk/java/testing/org/apache/derbyTesting/functionTests/tests/lang/grantRevoke_derby.properties (original)
+++ db/derby/code/trunk/java/testing/org/apache/derbyTesting/functionTests/tests/lang/grantRevoke_derby.properties Sat Mar 18 08:59:16 2006
@@ -2,7 +2,7 @@
 derby.connection.requireAuthentication=true
 derby.authentication.provider=BUILTIN
 derby.debug.true=AuthenticationTrace
-derby.database.defaultConnectionMode=sqlStandard
+derby.database.sqlAuthorization=true
 
 #
 # Users definition