Posted to derby-dev@db.apache.org by "Dag H. Wanvik (JIRA)" <ji...@apache.org> on 2008/05/13 16:42:55 UTC

[jira] Created: (DERBY-3673) Add checks that a new role isn't already a user authorization id

Add checks that a new role isn't already a user authorization id
----------------------------------------------------------------

                 Key: DERBY-3673
                 URL: https://issues.apache.org/jira/browse/DERBY-3673
             Project: Derby
          Issue Type: Sub-task
            Reporter: Dag H. Wanvik


Derby currently does not have dictionary information about legal users.
Authentication is configurable as being derby internal, LDAP based, or
user supplied.

SQL specifies that user ids and role names go in the same namespace
(authorization ids).  Therefore, at role creation time, a new role
name should be checked against legal users for this database, and be
defined if there is already a user id by that name.

Unfortunately, since there is currently no reliable dictionary
information about legal users, the best we can do presently is perform
heuristic checks that a proposed role id is not already a user id.

Since the check cannot be reliable, we should also add a check to
prohibit connecting with a user id that is a known role id.


-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.


[jira] Updated: (DERBY-3673) Add checks that a new role isn't already a user authorization id

Posted by "Dag H. Wanvik (JIRA)" <ji...@apache.org>.
     [ https://issues.apache.org/jira/browse/DERBY-3673?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Dag H. Wanvik updated DERBY-3673:
---------------------------------

    Attachment: derby-3673-3.diff

A small corner case fix which escapes " inside a quoted identifier in
IdUtil#SQLIdentifier2CanonicalPropertyUsername.
Tested manually since this code path is hard to reach in the regression tests
(to reach it requires a user defined as a JVM property + default security manager).

E.g.:
   java '-Dderby.user."f""OO"=foo' org.apache.derby.drda.NetworkServerControl start

and then trying to do:

   create role "f""OO";

giving:

  ERROR X0Y68: User 'f"OO' already exists.



[jira] Commented: (DERBY-3673) Add checks that a new role isn't already a user authorization id

Posted by "Dag H. Wanvik (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/DERBY-3673?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12596750#action_12596750 ] 

Dag H. Wanvik commented on DERBY-3673:
--------------------------------------

The test for existing user should probably ignore builtin users defined
at the system level when derby.database.propertiesOnly is true. 
Will make that change.



[jira] Commented: (DERBY-3673) Add checks that a new role isn't already a user authorization id

Posted by "Dag H. Wanvik (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/DERBY-3673?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12597092#action_12597092 ] 

Dag H. Wanvik commented on DERBY-3673:
--------------------------------------

Thanks for looking at this, Rick!
I think all your comments are valid, thanks! The schema owner authid
fell off my radar at some point, thanks for catching that.




[jira] Updated: (DERBY-3673) Add checks that a new role isn't already a user authorization id

Posted by "Dag H. Wanvik (JIRA)" <ji...@apache.org>.
     [ https://issues.apache.org/jira/browse/DERBY-3673?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Dag H. Wanvik updated DERBY-3673:
---------------------------------

    Attachment:     (was: derby-3673-3.diff)



[jira] Updated: (DERBY-3673) Add checks that a new role isn't already a user authorization id

Posted by "Kristian Waagan (JIRA)" <ji...@apache.org>.
     [ https://issues.apache.org/jira/browse/DERBY-3673?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Kristian Waagan updated DERBY-3673:
-----------------------------------

    Attachment: derby-3673-3a-javadoc_fixes.diff

'derby-3673-3a-javadoc_fixes.diff' fixes some JavaDoc warnings.
Committed to trunk with revision 658612.



[jira] Updated: (DERBY-3673) Add checks that a new role isn't already a user authorization id

Posted by "Dag H. Wanvik (JIRA)" <ji...@apache.org>.
     [ https://issues.apache.org/jira/browse/DERBY-3673?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Dag H. Wanvik updated DERBY-3673:
---------------------------------

    Derby Info:   (was: [Patch Available])

Committed derby-3673-2 as svn version 658385.



[jira] Updated: (DERBY-3673) Add checks that a new role isn't already a user authorization id

Posted by "Kathey Marsden (JIRA)" <ji...@apache.org>.
     [ https://issues.apache.org/jira/browse/DERBY-3673?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Kathey Marsden updated DERBY-3673:
----------------------------------

    Component/s: SQL



[jira] Updated: (DERBY-3673) Add checks that a new role isn't already a user authorization id

Posted by "Dag H. Wanvik (JIRA)" <ji...@apache.org>.
     [ https://issues.apache.org/jira/browse/DERBY-3673?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Dag H. Wanvik updated DERBY-3673:
---------------------------------

    Attachment: derby-3673-5.diff

Uploading a javadoc patch, committed as svn 692179.


> Add checks that a new role isn't already a user authorization id
> ----------------------------------------------------------------
>
>                 Key: DERBY-3673
>                 URL: https://issues.apache.org/jira/browse/DERBY-3673
>             Project: Derby
>          Issue Type: Sub-task
>          Components: SQL
>            Reporter: Dag H. Wanvik
>            Assignee: Dag H. Wanvik
>             Fix For: 10.5.0.0
>
>         Attachments: derby-3673-1.diff, derby-3673-1.diff, derby-3673-1.stat, derby-3673-2.diff, derby-3673-2.stat, derby-3673-3.diff, derby-3673-3a-javadoc_fixes.diff, derby-3673-4.diff, derby-3673-5.diff
>
>
> Derby currently does not have dictionary information about legal users.
> Authentication is configurable as being derby internal, LDAP based, or
> user supplied.
> SQL specifies that user ids and role names go in the same namespace
> (authorization ids).  Therefore, at role creation time, a new role
> name should be checked against legal users for this database, and be
> defined if there is already a user id by that name.
> Unfortunately, since there is currently no reliable dictionary
> information about legal users, the best we can do presently is perform
> heuristic checks that a proposed role id is not already a user id.
> Since the check cannot be reliable, we should also add a check to
> prohibit connecting with a user id that is a known role id.



[jira] Commented: (DERBY-3673) Add checks that a new role isn't already a user authorization id

Posted by "Dag H. Wanvik (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/DERBY-3673?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12598869#action_12598869 ] 

Dag H. Wanvik commented on DERBY-3673:
--------------------------------------

derby-3673-3 committed as svn 658943.




[jira] Updated: (DERBY-3673) Add checks that a new role isn't already a user authorization id

Posted by "Dag H. Wanvik (JIRA)" <ji...@apache.org>.
     [ https://issues.apache.org/jira/browse/DERBY-3673?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Dag H. Wanvik updated DERBY-3673:
---------------------------------

       Derby Info: [Patch Available]
    Fix Version/s: 10.5.0.0



[jira] Commented: (DERBY-3673) Add checks that a new role isn't already a user authorization id

Posted by "Rick Hillegas (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/DERBY-3673?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12596842#action_12596842 ] 

Rick Hillegas commented on DERBY-3673:
--------------------------------------

Thanks for this patch, Dag. It also looks good. I have a couple comments:

CreateRoleConstantAction

When creating a LANG_OBJECT_ALREADY_EXISTS exception, I recommend
calling rd.getDescriptorType() rather than hard-coding "User". This is
a small point but it may help us better localize this message in the
future.

I'm also curious about the check being performed in knownUser(). Are
we already checking that the new role name is not the same as an
existing authorization id in SYS.SYSSCHEMAS? Off the top of my head it
seems that we want to forbid those collisions and it seems likely to
me that such a check would catch a very broad class of collisions,
including most of the cases caught by the current knownUser() code.


DataDictionaryImpl.inspectRoleGrants()

I am a little troubled that a method with this innocent name may have
the side-effect of dropping a role descriptor. At the very least, I
think that the header comment for this method should document the
side-effect.





[jira] Updated: (DERBY-3673) Add checks that a new role isn't already a user authorization id

Posted by "Dag H. Wanvik (JIRA)" <ji...@apache.org>.
     [ https://issues.apache.org/jira/browse/DERBY-3673?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Dag H. Wanvik updated DERBY-3673:
---------------------------------

    Attachment: derby-3673-2.stat
                derby-3673-2.diff

This patch, derby-3673-2, addresses one of Rick's comments (more
below), and also improves somewhat on the previous implementation, in
that this present patch, if possible, maps from the properties user
("derby.user.<user>") to canonical internal form before checking for a
match against the role, instead of trying to compute the external form
from the internal form and then look up that property.

This will work for users defined by database properties, and system properties if
specified in derby.properties. However, the new approach will not work
for JVM properties if the security manager is enabled and the
permission to execute System.getProperties is not given
(PropertyPermission("*", "read,write"),
cf. http://java.sun.com/j2se/1.5.0/docs/api/java/lang/SecurityManager.html#checkPropertiesAccess()).

In such a case we fall back on mapping in the other direction, as in
the first patch, since this only needs permission to read access
(PropertyPermission("derby.user.*", "read")).

Rick, the first comment where you warn against hard-coding "User" in
the error message: I don't really have a user descriptor, so I can't
call getDescriptorType. I did modify the hard-coded "Role" in the
error message a few lines up to use rd.getDescriptorType(), though.

For the existing user case, "USER" is a SQL keyword so I am not sure
it needs to be localized. But we could create a new error message to
cover this situation, which would be localized. What do you think?

Running regression tests now.


Patch details:

M      java/engine/org/apache/derby/impl/sql/execute/CreateRoleConstantAction.java

Added check against schema owners. Moved more logic over to
PropertyUtil#existsBuiltinUser to simplify code in
CreateRoleConstantAction.

M      java/engine/org/apache/derby/impl/sql/catalog/DataDictionaryImpl.java

Renamed inspect* methods to visit* and added more prominent Javadocs
to indicate the drop behavior better.  Added existsSchemaOwnedBy.

M      java/engine/org/apache/derby/iapi/services/property/PropertyUtil.java

Added existsBuiltinUser and minions.

M      java/engine/org/apache/derby/iapi/util/StringUtil.java

Added normalizeSQLIdentifier and
compressQuotes. normalizeSQLIdentifier is used by a minion of
PropertyUtil#existsBuiltinUser.

M      java/engine/org/apache/derby/iapi/util/IdUtil.java

Same as previous patch.

M      java/testing/org/apache/derbyTesting/functionTests/tests/lang/RolesTest.java

New test for an additional user which we would fail to find in
the first patch due to mapping direction. New test for existing user
found via schema owner.

M      java/engine/org/apache/derby/impl/sql/compile/sqlgrammar.jj

Moved a utility method, compressQuotes, to StringUtil, since I needed
it in StringUtil#normalizeSQLIdentifier.

M      java/storeless/org/apache/derby/impl/storeless/EmptyDictionary.java
M      java/engine/org/apache/derby/iapi/sql/dictionary/DataDictionary.java




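Added example, not part of the thread and not Derby's code: a sketch of the two mapping directions discussed for derby-3673-2 and of the doubled-quote case from derby-3673-3, run against constructed properties. The class and helper names (AuthIdCollisionDemo, canonical, propertyUserName, existsUserForward, existsUserReverse) are hypothetical, and the normalization rules are the standard SQL ones (regular identifiers fold to upper case, delimited identifiers keep case with "" read as ").

```java
import java.util.Locale;
import java.util.Properties;

public class AuthIdCollisionDemo {
    // Property prefix for users, as in the example on this page.
    static final String USER_PREFIX = "derby.user.";

    /** SQL identifier as written -> canonical form (hypothetical helper). */
    static String canonical(String sqlId) {
        boolean delimited = sqlId.length() >= 2
                && sqlId.startsWith("\"") && sqlId.endsWith("\"");
        if (delimited) {
            // Strip the outer quotes, then collapse each doubled quote to one.
            return sqlId.substring(1, sqlId.length() - 1).replace("\"\"", "\"");
        }
        // Regular identifiers are case-insensitive: fold to upper case.
        return sqlId.toUpperCase(Locale.ENGLISH);
    }

    /** Canonical form -> ONE possible property user name (hypothetical helper). */
    static String propertyUserName(String canonicalId) {
        if (canonicalId.matches("[A-Z][A-Z0-9_]*")) {
            // Only a guess: the property may have been written in lower or
            // mixed case, which this direction cannot reconstruct.
            return canonicalId;
        }
        // Anything else must have been delimited: re-quote and escape each ".
        return "\"" + canonicalId.replace("\"", "\"\"") + "\"";
    }

    /**
     * Forward direction: normalize every derby.user.* key and compare.
     * Needs to enumerate all properties, which for JVM system properties is
     * the access a security manager may refuse.
     */
    static boolean existsUserForward(Properties props, String canonicalRole) {
        for (String key : props.stringPropertyNames()) {
            if (key.startsWith(USER_PREFIX)
                    && canonical(key.substring(USER_PREFIX.length()))
                            .equals(canonicalRole)) {
                return true;
            }
        }
        return false;
    }

    /**
     * Reverse direction: compute one external spelling and read that single
     * key. Needs only read access to derby.user.*, but is a heuristic.
     */
    static boolean existsUserReverse(Properties props, String canonicalRole) {
        return props.getProperty(
                USER_PREFIX + propertyUserName(canonicalRole)) != null;
    }

    public static void main(String[] args) {
        // Constructed sample users; the first mirrors the page's example.
        Properties props = new Properties();
        props.setProperty("derby.user.\"f\"\"OO\"", "foo");
        props.setProperty("derby.user.fred", "secret");

        // Role names as they would be written in CREATE ROLE.
        String[] roles = { "\"f\"\"OO\"", "fred", "\"fred\"", "analyst" };
        for (String role : roles) {
            String c = canonical(role);
            System.out.printf(
                    "CREATE ROLE %-10s canonical=%-7s forward=%-5b reverse=%b%n",
                    role, c,
                    existsUserForward(props, c), existsUserReverse(props, c));
        }
    }
}
```

With this constructed input the role fred collides with the user defined as derby.user.fred only in the forward check; the reverse lookup guesses derby.user.FRED and misses it.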


[jira] Closed: (DERBY-3673) Add checks that a new role isn't already a user authorization id

Posted by "Dag H. Wanvik (JIRA)" <ji...@apache.org>.
     [ https://issues.apache.org/jira/browse/DERBY-3673?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Dag H. Wanvik closed DERBY-3673.
--------------------------------




[jira] Commented: (DERBY-3673) Add checks that a new role isn't already a user authorization id

Posted by "Rick Hillegas (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/DERBY-3673?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12598009#action_12598009 ] 

Rick Hillegas commented on DERBY-3673:
--------------------------------------

Thanks, Dag. Looks good. Thanks for the explanation of the localization issues for "User". I don't think this needs to be sanded down further.

> Add checks that a new role isn't already a user authorization id
> ----------------------------------------------------------------
>
>                 Key: DERBY-3673
>                 URL: https://issues.apache.org/jira/browse/DERBY-3673
>             Project: Derby
>          Issue Type: Sub-task
>            Reporter: Dag H. Wanvik
>            Assignee: Dag H. Wanvik
>             Fix For: 10.5.0.0
>
>         Attachments: derby-3673-1.diff, derby-3673-1.diff, derby-3673-1.stat, derby-3673-2.diff, derby-3673-2.stat
>
>
> Derby current does not have dictionary information about legal users.
> Authentication is configurable as being derby internal, LDAP based, or
> user supplied.
> SQL specifies that user ids and role names go in the same namespace
> (authorization ids).  Therefore, at role creation time, a new role
> name should be checked against legal users for this database, and be
> defined if there is already a user id by that name.
> Unfortunately, since there is currently no reliable dictionary
> information about legal users, the best we can do presently is perform
> heuristic checks that a proposed role id is not already a user id.
> Since the check cannot be reliable, we should also add a check to
> prohibit connecting with a user id that is a known role id.



[jira] Updated: (DERBY-3673) Add checks that a new role isn't already a user authorization id

Posted by "Dag H. Wanvik (JIRA)" <ji...@apache.org>.
     [ https://issues.apache.org/jira/browse/DERBY-3673?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Dag H. Wanvik updated DERBY-3673:
---------------------------------

    Attachment: derby-3673-3.diff

> Add checks that a new role isn't already a user authorization id
> ----------------------------------------------------------------
>
>                 Key: DERBY-3673
>                 URL: https://issues.apache.org/jira/browse/DERBY-3673
>             Project: Derby
>          Issue Type: Sub-task
>            Reporter: Dag H. Wanvik
>            Assignee: Dag H. Wanvik
>             Fix For: 10.5.0.0
>
>         Attachments: derby-3673-1.diff, derby-3673-1.diff, derby-3673-1.stat, derby-3673-2.diff, derby-3673-2.stat, derby-3673-3.diff, derby-3673-3a-javadoc_fixes.diff


[jira] Updated: (DERBY-3673) Add checks that a new role isn't already a user authorization id

Posted by "Dag H. Wanvik (JIRA)" <ji...@apache.org>.
     [ https://issues.apache.org/jira/browse/DERBY-3673?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Dag H. Wanvik updated DERBY-3673:
---------------------------------

    Attachment: derby-3673-1.diff

Refreshed the diff after a conflict arose from updating to svn 655948.


> Add checks that a new role isn't already a user authorization id
> ----------------------------------------------------------------
>
>                 Key: DERBY-3673
>                 URL: https://issues.apache.org/jira/browse/DERBY-3673
>             Project: Derby
>          Issue Type: Sub-task
>            Reporter: Dag H. Wanvik
>            Assignee: Dag H. Wanvik
>             Fix For: 10.5.0.0
>
>         Attachments: derby-3673-1.diff, derby-3673-1.diff, derby-3673-1.stat


[jira] Resolved: (DERBY-3673) Add checks that a new role isn't already a user authorization id

Posted by "Dag H. Wanvik (JIRA)" <ji...@apache.org>.
     [ https://issues.apache.org/jira/browse/DERBY-3673?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Dag H. Wanvik resolved DERBY-3673.
----------------------------------

    Resolution: Fixed

> Add checks that a new role isn't already a user authorization id
> ----------------------------------------------------------------
>
>                 Key: DERBY-3673
>                 URL: https://issues.apache.org/jira/browse/DERBY-3673
>             Project: Derby
>          Issue Type: Sub-task
>            Reporter: Dag H. Wanvik
>            Assignee: Dag H. Wanvik
>             Fix For: 10.5.0.0
>
>         Attachments: derby-3673-1.diff, derby-3673-1.diff, derby-3673-1.stat, derby-3673-2.diff, derby-3673-2.stat


[jira] Assigned: (DERBY-3673) Add checks that a new role isn't already a user authorization id

Posted by "Dag H. Wanvik (JIRA)" <ji...@apache.org>.
     [ https://issues.apache.org/jira/browse/DERBY-3673?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Dag H. Wanvik reassigned DERBY-3673:
------------------------------------

    Assignee: Dag H. Wanvik

> Add checks that a new role isn't already a user authorization id
> ----------------------------------------------------------------
>
>                 Key: DERBY-3673
>                 URL: https://issues.apache.org/jira/browse/DERBY-3673
>             Project: Derby
>          Issue Type: Sub-task
>            Reporter: Dag H. Wanvik
>            Assignee: Dag H. Wanvik
>             Fix For: 10.5.0.0
>
>         Attachments: derby-3673-1.diff, derby-3673-1.stat


[jira] Commented: (DERBY-3673) Add checks that a new role isn't already a user authorization id

Posted by "Dag H. Wanvik (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/DERBY-3673?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12598653#action_12598653 ] 

Dag H. Wanvik commented on DERBY-3673:
--------------------------------------

Changes look good, thanks Kristian!

> Add checks that a new role isn't already a user authorization id
> ----------------------------------------------------------------
>
>                 Key: DERBY-3673
>                 URL: https://issues.apache.org/jira/browse/DERBY-3673
>             Project: Derby
>          Issue Type: Sub-task
>            Reporter: Dag H. Wanvik
>            Assignee: Dag H. Wanvik
>             Fix For: 10.5.0.0
>
>         Attachments: derby-3673-1.diff, derby-3673-1.diff, derby-3673-1.stat, derby-3673-2.diff, derby-3673-2.stat, derby-3673-3a-javadoc_fixes.diff


[jira] Updated: (DERBY-3673) Add checks that a new role isn't already a user authorization id

Posted by "Dag H. Wanvik (JIRA)" <ji...@apache.org>.
     [ https://issues.apache.org/jira/browse/DERBY-3673?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Dag H. Wanvik updated DERBY-3673:
---------------------------------

    Attachment: derby-3673-4.diff

This fix (derby-3673-4) removes redundant code in IdUtil#SQLIdentifier2CanonicalPropertyUsername by calling the existing method #normalToDelimited instead. Tested manually. Committed as svn 659195.


> Add checks that a new role isn't already a user authorization id
> ----------------------------------------------------------------
>
>                 Key: DERBY-3673
>                 URL: https://issues.apache.org/jira/browse/DERBY-3673
>             Project: Derby
>          Issue Type: Sub-task
>            Reporter: Dag H. Wanvik
>            Assignee: Dag H. Wanvik
>             Fix For: 10.5.0.0
>
>         Attachments: derby-3673-1.diff, derby-3673-1.diff, derby-3673-1.stat, derby-3673-2.diff, derby-3673-2.stat, derby-3673-3.diff, derby-3673-3a-javadoc_fixes.diff, derby-3673-4.diff


[jira] Updated: (DERBY-3673) Add checks that a new role isn't already a user authorization id

Posted by "Dag H. Wanvik (JIRA)" <ji...@apache.org>.
     [ https://issues.apache.org/jira/browse/DERBY-3673?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Dag H. Wanvik updated DERBY-3673:
---------------------------------

    Attachment: derby-3673-1.stat
                derby-3673-1.diff

This patch is a first attempt to check that a proposed new role name
is not already a user name. 

Checks performed:
       - the proposed name does not already figure as a grantee in a
         permission descriptor.

       - the proposed name is not the user id of the current session

       - if we are using Derby built-in users, check that the proposed
         role name is not a built-in user. If authentication is
         external, we have no way of knowing, alas.       

Still missing is a check that a connection is not made with a user id
that is a role name.

Patch details:

M      java/engine/org/apache/derby/impl/sql/execute/CreateRoleConstantAction.java

Added the above checks. I found no way of systematically going through
all properties which start with the string "derby.user", so the present
method tries to guess the property name on the basis of the internal
role name, and then looks up that property, which, if it exists,
represents a user id. This would fail if the user property is
specified in a non-canonical way, cf. the logic in
IdUtil.SQLIdentifier2CanonicalPropertyUsername. Any ideas here are
welcome.

I am not really happy with this solution, so I will see if I can find
a way to run through all "derby.user" properties instead. 

Also, instead of just checking the authorization id of the current
session, it would be better to check all current sessions of course. I
will see if I can find a way to do that. Again, suggestions are
welcome.

M      java/engine/org/apache/derby/iapi/sql/dictionary/DataDictionary.java
M      java/engine/org/apache/derby/impl/sql/catalog/DataDictionaryImpl.java

Added code to look for permission grants to a specific grantee. Did
some refactoring here too to avoid code duplication.

M      java/engine/org/apache/derby/iapi/util/IdUtil.java

Added SQLIdentifier2CanonicalPropertyUsername. See also comments above.

M      java/testing/org/apache/derbyTesting/functionTests/tests/lang/RolesTest.java

Added some test cases, including a case which currently fails
(commented out for now).

M      java/storeless/org/apache/derby/impl/storeless/EmptyDictionary.java

stub added



> Add checks that a new role isn't already a user authorization id
> ----------------------------------------------------------------
>
>                 Key: DERBY-3673
>                 URL: https://issues.apache.org/jira/browse/DERBY-3673
>             Project: Derby
>          Issue Type: Sub-task
>            Reporter: Dag H. Wanvik
>             Fix For: 10.5.0.0
>
>         Attachments: derby-3673-1.diff, derby-3673-1.stat
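The difference between guessing a single property key and scanning every derby.user.* key, as an added example that is not part of the original message or of Derby's code. The class and method names are hypothetical, the normalization rule is a simplified stand-in for what IdUtil does, the guess is deliberately naive, and the property values are constructed samples.

```java
import java.util.Locale;
import java.util.Properties;

public class RoleNameCollisionCheck {
    static final String USER_PREFIX = "derby.user.";

    // Simplified SQL identifier normalization (assumption, not Derby's IdUtil):
    // delimited ids keep their case with "" unescaped to ", regular ids fold to upper case.
    static String toNormalForm(String id) {
        if (id.length() >= 2 && id.startsWith("\"") && id.endsWith("\"")) {
            return id.substring(1, id.length() - 1).replace("\"\"", "\"");
        }
        return id.toUpperCase(Locale.ENGLISH);
    }

    // Guessing approach: derive one property key from the role name and look it up.
    static boolean guessLookup(Properties props, String roleNormalForm) {
        return props.getProperty(USER_PREFIX + roleNormalForm) != null;
    }

    // Scanning approach: normalize every derby.user.* key and compare authorization ids.
    static boolean scanLookup(Properties props, String roleNormalForm) {
        for (String key : props.stringPropertyNames()) {
            if (key.startsWith(USER_PREFIX)
                    && toNormalForm(key.substring(USER_PREFIX.length())).equals(roleNormalForm)) {
                return true;
            }
        }
        return false;
    }

    public static void main(String[] args) {
        Properties props = new Properties();             // constructed sample settings
        props.setProperty("derby.user.fred", "pw1");     // regular id, normal form FRED
        props.setProperty("derby.user.\"Eve\"", "pw2");  // delimited id, normal form Eve

        // Role names are given in normal form, as stored in the dictionary.
        for (String role : new String[] {"FRED", "Eve", "AUDITOR"}) {
            System.out.printf("%-8s guess=%-5b scan=%b%n",
                    role, guessLookup(props, role), scanLookup(props, role));
        }
    }
}
```

With these sample settings the single-key guess misses both FRED and Eve, while the scan reports them as existing users; AUDITOR collides under neither approach.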