Derby
  1. Derby
  2. DERBY-4505

Document that views, triggers, and constraints run with definer's rights rather than invoker's rights

    Details

    • Type: Bug Bug
    • Status: Closed
    • Priority: Major Major
    • Resolution: Fixed
    • Affects Version/s: 10.2.2.1, 10.3.3.1, 10.4.2.1, 10.5.3.1, 10.6.1.0
    • Fix Version/s: 10.6.1.0
    • Component/s: Documentation
    • Labels:
      None

      Description

      Comments like the following can be found in the code, including this particular example from DDLConstantAction.storeConstraintDependenciesOnPrivileges():

      • Views and triggers and constraints run with definer's privileges.

      This is an important behavior of Derby privileges which deserves to be documented. I can find only one glancing reference to this behavior, viz., in the Reference Guide section on the REVOKE command. There we learn that:

      "You must use the RESTRICT clause on REVOKE statements for routines. The RESTRICT clause specifies that the EXECUTE privilege cannot be revoked if the specified routine is used in a view, trigger, or constraint, and the privilege is being revoked from the owner of the view, trigger, or constraint."

      From that lone statement, a clever reader might deduce that Derby views, triggers, and constraints run with definer rather than invoker rights. But that is not the clear meaning of that statement in the Reference Guide. To draw the necessary conclusion from that statement the reader would have to be clever enough to understand the SQL Standard's tricky language around definer and invoker rights--and that would be a very clever reader indeed.

      In short, we need to document this behavior explicitly. I consider this hole in our documentation to be a serious enough defect that I am marking this issue as a Bug.

      1. DERBY-4505-2.zip
        29 kB
        Kim Haase
      2. DERBY-4505-2.diff
        23 kB
        Kim Haase
      3. DERBY-4505.zip
        29 kB
        Kim Haase
      4. DERBY-4505.stat
        0.3 kB
        Kim Haase
      5. DERBY-4505.diff
        16 kB
        Kim Haase

        Activity

        Gavin made changes -
        Workflow jira [ 12486092 ] Default workflow, editable Closed status [ 12800299 ]
        Dag H. Wanvik made changes -
        Affects Version/s 10.2.3.0 [ 12312215 ]
        Dag H. Wanvik made changes -
        Affects Version/s 10.3.4.0 [ 12313653 ]
        Dag H. Wanvik made changes -
        Affects Version/s 10.4.3.0 [ 12313654 ]
        Dag H. Wanvik made changes -
        Affects Version/s 10.5.4.0 [ 12314154 ]
        Rick Hillegas made changes -
        Status Resolved [ 5 ] Closed [ 6 ]
        Kim Haase made changes -
        Status Open [ 1 ] Resolved [ 5 ]
        Issue & fix info [Patch Available]
        Fix Version/s 10.6.0.0 [ 12313727 ]
        Resolution Fixed [ 1 ]
        Kim Haase made changes -
        Attachment DERBY-4505-2.diff [ 12429914 ]
        Attachment DERBY-4505-2.zip [ 12429915 ]
        Kim Haase made changes -
        Issue & fix info [Patch Available]
        Kim Haase made changes -
        Attachment DERBY-4505.diff [ 12429789 ]
        Attachment DERBY-4505.stat [ 12429790 ]
        Attachment DERBY-4505.zip [ 12429791 ]
        Kim Haase made changes -
        Field Original Value New Value
        Assignee Kim Haase [ chaase3 ]
        Rick Hillegas created issue -

          People

          • Assignee:
            Kim Haase
            Reporter:
            Rick Hillegas
          • Votes:
            0 Vote for this issue
            Watchers:
            0 Start watching this issue

            Dates

            • Created:
              Updated:
              Resolved:

              Development