From: Karen&nbsp;Abgarian
Date: May 20 2008 4:23pm
Subject: Re: [Report 2] RBAC system - starting point
List-Archive: http://lists.mysql.com/internals/35594
Message-Id: <EB365D5F-06D5-44B0-8C72-9B40BD584752@apple.com>
MIME-Version: 1.0 (Apple Message framework v919.2)
Content-Type: text/plain; charset=US-ASCII; format=flowed; delsp=yes
Content-Transfer-Encoding: 7bit


On May 20, 2008, at 2:18 AM, Sergei Golubchik wrote:

> Hi!
>
> On May 20, Sergey Kudriavtsev wrote:
>> Hello, everyone.
>>
>> So, I'm going to implement some basic role functionality in another  
>> two weeks.
>>
>> Exactly, I'm planning to do the following:
>>
>> 1. Add new necessary fields to mysql.user table:
>>
>>  Default_role char(16) binary;
>>  Comment varchar(50);
>>  Create_role_priv enum('N','Y') character set utf8 NOT NULL default  
>> 'N';
>>  Drop_role_priv enum('N','Y') character set utf8 NOT NULL default  
>> 'N'.
>>
>> To distinguish roles from users I propose to use "Host" field of
>> mysql.user table - If this field is empty then we should consider the
>> specified record to be a role.
>> Now empty field is equivalent to '%'. I will change the behaviour of
>> parser to always fail host identity check when the checked field has
>> empty value. I will also change mysql_fix_privilege_tables script to
>> replace all existing empty "Host" field values with '%'.
>
> This is fine, but what are you going to do with mysql.host table ? In
> there empty host is not equivalent to '%' :(

i apologize for breaking in, but if you are already extending the  
mysql.user,
why don't you just add another flag field for this instead of reusing  
a column?
IMHO, this creates confusion.  A related question is, the similarity  
of users and
roles is an internal implementation feature, the users think of users  
and roles
as separate entities.  Perhaps it makes sense to follow a typical  
Oracle approach
and create a common (possibly hidden) table with the user/role  
information +
mysql.user and mysql.role as views on that.

The necessity of the create/drop_role_priv is unclear to me, I would  
say it belongs
to the grants table.

Sorry if this is out of bounds.


Tx/Rgs
Karen