List: Internals
From: Sergey Kudriavtsev
Date: May 20 2008 6:59pm
Subject: Re: [Report 2] RBAC system - starting point
Hello, Mark!

2008/5/20 Mark Callaghan <mcallaghan@stripped>:
> On Mon, May 19, 2008 at 11:33 PM, Sergey Kudriavtsev
> <sergey.kudriavtsev@stripped> wrote:
>> Hello, everyone.
>>
>> So, I'm going to implement some basic role functionality in another two weeks.
>>
>> Exactly, I'm planning to do the following:
>>
>> 1. Add new necessary fields to mysql.user table:
>>
>>  Default_role char(16) binary;
>>  Comment varchar(50);
>>  Create_role_priv enum('N','Y') character set utf8 NOT NULL default 'N';
>>  Drop_role_priv enum('N','Y') character set utf8 NOT NULL default 'N'.
>>
>> To distinguish roles from users I propose to use "Host" field of
>> mysql.user table - If this field is empty then we should consider the
>> specified record to be a role.
>> Now an empty field is equivalent to '%'. I will change the behaviour of
>> the parser to always fail the host identity check when the checked field has
>> an empty value. I will also change the mysql_fix_privilege_tables script to
>> replace all existing empty "Host" field values with '%'.
>
> I think it is a bad idea to overload the Host field in this manner.
> This will confuse people. Anyone who looks at the DDL for the table
> will have no idea that this had been done. It will also increase
> support costs for MySQL. Why not add the column "Is_role enum('N',
> 'Y')"? You are already making many other changes.
>

OK, as I see from the feedback this is the most preferable way :) But I'll also
have to add the same column to the mysql.tables_priv, procs_priv and
columns_priv tables in order to make this construction consistent.

> When a user connects and has a default role, does the connection use
> the merged privileges of the user and role?

Yes.

> When a user switches to a role, does the connection use the merged
> privileges of the user and role?
>

Yes.

[skipped]

> Does SHOW PROCESSLIST display the role or the user name used for authentication?
>
> If SHOW PROCESSLIST displays the user name, what command can I run to
> display the user name and role per connection?
>

I really didn't think about it, thanks for the tip :). I will
definitely modify the corresponding table in the INFORMATION_SCHEMA
database, but I'll also consider modifying the SHOW PROCESSLIST statement.

-- 
Life is good! And good life is even better...
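As an added illustration (not code from this thread or from the MySQL source), the following model contrasts the two ways of marking a role in mysql.user that the thread compares, and shows the merged user+role privilege set a connection gets once a role is in effect. The row shape, the Is_role and Default_role columns, the helper names and the sample rows are assumptions constructed for the example.

```python
# Added example: roles marked by an empty Host versus an explicit Is_role column,
# plus the merged privilege set for a connection using a role. Row layout,
# column names and sample data are constructed for this illustration.

PRIV_COLS = ("Select_priv", "Insert_priv", "Create_role_priv", "Drop_role_priv")


def host_matches(pattern, client_host):
    """Host check under the overloaded-Host design: an empty pattern marks a
    role and must never match a connecting host; '%' matches any host.
    Only exact matches are handled here (no other wildcards, a simplification)."""
    if pattern == "":
        return False
    return pattern == "%" or pattern == client_host


def fix_privilege_tables_overloaded(rows):
    """The mysql_fix_privilege_tables step from the proposal: legacy rows whose
    Host is empty (old meaning: '%') are rewritten. Nothing in the row says
    whether an empty Host is a legacy user or a role, so every such row changes."""
    for row in rows:
        if row["Host"] == "":
            row["Host"] = "%"
    return rows


def fix_privilege_tables_explicit(rows):
    """The same step with an explicit Is_role column: only real users are touched,
    so roles stay distinguishable from '%'-host users after the upgrade."""
    for row in rows:
        if row["Host"] == "" and row["Is_role"] == "N":
            row["Host"] = "%"
    return rows


def effective_privs(user_row, role_row):
    """Merged privileges for a connection that uses a role (default or switched):
    a privilege applies if either the user or the role holds it."""
    return {c: "Y" if user_row[c] == "Y" or role_row[c] == "Y" else "N"
            for c in PRIV_COLS}


def sample_rows():
    """Constructed sample: a legacy user with an empty Host, and a role."""
    return [
        {"User": "app", "Host": "", "Is_role": "N", "Default_role": "reader",
         "Select_priv": "N", "Insert_priv": "Y",
         "Create_role_priv": "N", "Drop_role_priv": "N"},
        {"User": "reader", "Host": "", "Is_role": "Y", "Default_role": "",
         "Select_priv": "Y", "Insert_priv": "N",
         "Create_role_priv": "N", "Drop_role_priv": "N"},
    ]
```

Running the overloaded-Host rewrite over the sample turns both rows into '%'-host entries, while the Is_role variant leaves the role untouched; the merged set for "app" with role "reader" grants both Select and Insert.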