  1. Derby
  2. DERBY-3146

Adjust length restriction on user identifiers (authorization ids) to same as other identifiers


Details

    • Improvement
    • Status: Closed
    • Minor
    • Resolution: Fixed
    • 10.0.2.0, 10.0.2.1, 10.1.1.0, 10.1.2.1, 10.1.3.1, 10.2.1.6, 10.2.2.0, 10.3.1.4, 10.3.2.1, 10.3.3.0, 10.4.1.3, 10.4.2.0, 10.5.1.1, 10.5.2.0, 10.5.3.0, 10.6.1.0, 10.6.2.1, 10.7.1.1, 10.8.1.2, 10.8.2.2
    • 10.9.1.0
    • JDBC, SQL
    • None
    • Deviation from standard, Security

    Description

      While working on roles, I noticed that there is a max size of 30 on
      user ids in Derby (authorization identifiers), e.g. the check being
      performed in the parser:

      private void checkAuthorizationLength( String authorization)
      :
      checkIdentifierLengthLimit( authorization, Limits.DB2_MAX_USERID_LENGTH);
      :

      where Limits.DB2_MAX_USERID_LENGTH == 30. I have checked, and I don't
      think there are any fundamental reasons why Derby can't lift this DB2
      restriction; then authorization identifiers would have the same max
      limit as other identifiers: 128 (Limits.MAX_IDENTIFIER_LENGTH).

      Currently, this limit of 30 is enforced for GRANT/REVOKE, i.e. for the
      grantees.

      However, in the CREATE SCHEMA statement, the clause

      AUTHORIZATION <authorization identifier>

      which allows specifying a schema's owner, is not subject to this
      restriction. This is also reflected in the reference documentation for
      system tables:

      SYS.SYSSCHEMAS:

      Column Name      Type     Length  Nullability  Contents
      -------------------------------------------------------------------
      AUTHORIZATIONID  VARCHAR  128     false        the authorization
                                                     identifier of the
                                                     owner of the schema

      SYS.SYSTABLEPERMS:

      Column Name      Type     Length  Nullability  Contents
      -------------------------------------------------------------------
      GRANTEE          VARCHAR  30      False        The authorization ID
                                                     of the user to whom
                                                     the privilege is
                                                     granted.

      Furthermore, the limit is enforced in the authorizer code
      (AuthorizationServiceBase#authenticate). It is also reflected in the
      metadata: EmbedDatabaseMetaData#getMaxUserNameLength.

      I think it would be good to harmonize these two different limits for
      authorization identifiers and change the limit to 128
      (Limits.MAX_IDENTIFIER_LENGTH).

      Attachments

        1. DERBY-3146.stat
          0.3 kB
          Dag H. Wanvik
        2. DERBY-3146.diff
          3 kB
          Dag H. Wanvik
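
A check for the mismatch described above, as an added example that is not part of the issue or of Derby's code base: it reads the three places a client can observe the authorization identifier limit and reports whether they agree. The class name, the in-memory database URL and the `declaredLength` helper are assumptions made for illustration; the embedded Derby driver must be on the classpath.

```java
import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.Statement;

// Hypothetical helper class (not from Derby): compares the user-name limit
// reported by the JDBC metadata with the declared widths of the catalog
// columns that store authorization identifiers.
public class AuthIdLimitCheck {

    // Declared length of a character column, taken from result-set metadata.
    // Table and column names are fixed constants here, never user input.
    static int declaredLength(Connection c, String table, String column)
            throws SQLException {
        String sql = "SELECT " + column + " FROM " + table + " WHERE 1=0";
        try (Statement s = c.createStatement();
             ResultSet rs = s.executeQuery(sql)) {
            return rs.getMetaData().getPrecision(1);
        }
    }

    public static void main(String[] args) throws SQLException {
        // Assumed default: a throwaway in-memory database. Pass the URL of
        // an existing database as the first argument to check it instead.
        String url = args.length > 0
                ? args[0]
                : "jdbc:derby:memory:limitcheck;create=true";
        try (Connection c = DriverManager.getConnection(url)) {
            int maxUser = c.getMetaData().getMaxUserNameLength();
            int owner = declaredLength(c, "SYS.SYSSCHEMAS", "AUTHORIZATIONID");
            int grantee = declaredLength(c, "SYS.SYSTABLEPERMS", "GRANTEE");

            System.out.println("getMaxUserNameLength()         = " + maxUser);
            System.out.println("SYS.SYSSCHEMAS.AUTHORIZATIONID = " + owner);
            System.out.println("SYS.SYSTABLEPERMS.GRANTEE      = " + grantee);

            // A schema owner name longer than the grantee limit can be
            // created but cannot be named in GRANT/REVOKE, so flag any gap.
            boolean harmonized = maxUser == owner && owner == grantee;
            System.out.println(harmonized
                    ? "Limits agree."
                    : "Limits differ: authorization ids accepted in one "
                      + "place may be rejected in another.");
        }
    }
}
```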

            People

              dagw Dag H. Wanvik
              dagw Dag H. Wanvik