db-derby-commits mailing list archives

From Apache Wiki <wikidi...@apache.org>
Subject [Db-derby Wiki] Update of "sqlAuth4Dblook" by Hiranya Jayathilaka
Date Sat, 09 May 2009 14:57:08 GMT
Dear Wiki user,

You have subscribed to a wiki page or wiki category on "Db-derby Wiki" for change notification.

The following page has been changed by Hiranya Jayathilaka:

New page:
= Implementing SQL Authorization Support for Derby dblook =

== Introduction ==
 * Project: Implementing SQL Authorization Support for Derby dblook
 * Description: This project is carried out as a part of the Google Summer of Code 2009 program.
The detailed project proposal can be found at http://wiki.apache.org/general/HiranyaJayathilaka/gsoc2009/derby-dblook-proposal.
The project is carried out by Hiranya Jayathilaka (hiranya@apache.org) and is mentored by Dag Wanvik
of the Apache Derby team. Please feel free to edit this wiki page and contribute to the project
in any way you wish.

== Design ==
We intend to use a directed graph as the means of tracking and representing the dependencies
among various persistent objects in a database. Let's call it the dblook dependency graph.
When dblook is fired off against a database, it would create the dependency graph in memory
and 'walk' the graph step-by-step while producing DDL statements required to reconstruct those

All persistent objects of a database would be vertices in the dependency graph. If A and B
are two persistent objects in a database and if B is a dependent object of A then there will
be a directed edge from A to B in the dependency graph (A --> B). Information required
to construct the dependency graph will be fetched from the system tables (especially from the
SYSDEPENDS table which effectively captures all such dependencies among persistent objects).
The graph construction algorithm should also associate each vertex with a database user as
the owner. (What is the right way to find the object owner?) In addition it should capture
all the permissions associated with each object and the users involved with those permissions.

Once we have the full dblook dependency graph in memory we can create all the roles required
(should be done as the dbo).  

When dblook finally walks the graph it will need to produce an authentication statement prior
to producing the actual DDL statement required to create each object. For example, if there
is an object O associated with the user U in the graph, dblook will first output an authentication
statement for user U before producing the DDL statement for O. After producing the creation
statement, the necessary grant statements for the object should be produced. Basically, all
the permissions related to the object should be granted to the associated users. Walking the
graph should start from a node which does not have any inbound edges (i.e. it does not depend
on any other object). As the graph walk continues, objects are removed from the graph along
with all edges incident on them. The walk continues until the graph's set of vertices is empty.
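
The walk described above, as an added sketch that is not part of the original wiki page or of dblook itself. It assumes the graph has already been loaded into plain dictionaries; the function name, the sample objects and the bracketed "authenticate as" comment lines are hypothetical placeholders. It also covers the case where no vertex without inbound edges remains, where the walk would otherwise never empty the vertex set.

```python
from collections import deque

def walk(objects, depends, roles, dbo):
    """objects: name -> (owner, ddl, [(privilege, grantee), ...]);
    depends: (provider, dependent) pairs, i.e. the edges A --> B."""
    # Roles first, as the database owner. The bracketed comment lines are
    # placeholders: the page does not say what the authentication statement is.
    out = [f"-- [authenticate as {dbo}]"]
    out += [f"CREATE ROLE {role};" for role in roles]
    indegree = {name: 0 for name in objects}
    dependents = {name: [] for name in objects}
    for provider, dependent in depends:
        dependents[provider].append(dependent)
        indegree[dependent] += 1
    # Start from vertices with no inbound edges; sorted for stable output.
    ready = deque(sorted(n for n, d in indegree.items() if d == 0))
    emitted = 0
    while ready:
        name = ready.popleft()
        owner, ddl, grants = objects[name]
        out.append(f"-- [authenticate as {owner}]")
        out.append(ddl + ";")
        # Grants follow the creation statement, so a dependent object owned
        # by another user finds its privileges already in place.
        out += [f"GRANT {priv} ON {name} TO {grantee};" for priv, grantee in grants]
        emitted += 1
        # "Remove" the vertex: drop its outbound edges from the counts.
        for child in dependents[name]:
            indegree[child] -= 1
            if indegree[child] == 0:
                ready.append(child)
    if emitted != len(objects):
        # No vertex without inbound edges remains: the walk cannot finish.
        stuck = sorted(n for n, d in indegree.items() if d > 0)
        raise ValueError(f"dependency cycle among: {stuck}")
    return out

# Constructed sample: BOB's view reads ALICE's table.
SAMPLE_OBJECTS = {
    "BOB.BIG_ORDERS": ("BOB", "CREATE VIEW BOB.BIG_ORDERS AS "
                       "SELECT ID FROM ALICE.ORDERS WHERE TOTAL > 100", []),
    "ALICE.ORDERS": ("ALICE", "CREATE TABLE ALICE.ORDERS (ID INT, TOTAL INT)",
                     [("SELECT", "BOB"), ("SELECT", "REPORTING")]),
}
SAMPLE_DEPENDS = [("ALICE.ORDERS", "BOB.BIG_ORDERS")]

if __name__ == "__main__":
    print("\n".join(walk(SAMPLE_OBJECTS, SAMPLE_DEPENDS, ["REPORTING"], "DBO_USER")))
```

In the sample output the role is created before any grant names it, and the grant of SELECT to BOB precedes BOB's CREATE VIEW, which is the ordering the replayed script depends on.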

(The data structures used to store the elements of the dependency graph should be lightweight.
