31 messages in com.mysql.lists.internals

Re: [Report 2] RBAC system - starting...

| From | Sent On | Attachments |
|---|---|---|
| Sergey Kudriavtsev | 19 May 2008 23:32 | |
| Sergei Golubchik | 20 May 2008 02:18 | |
| Mark Callaghan | 20 May 2008 08:30 | |
| Karen Abgarian | 20 May 2008 09:23 | |
| Sergey Kudriavtsev | 20 May 2008 11:51 | |
| Sergey Kudriavtsev | 20 May 2008 11:59 | |
| Sergei Golubchik | 20 May 2008 12:08 | |
| Sergey Kudriavtsev | 20 May 2008 12:09 | |
| Sergey Kudriavtsev | 20 May 2008 12:21 | |
| Jeremy Cole | 20 May 2008 12:27 | |
| Sergei Golubchik | 20 May 2008 13:16 | |
| Vladimir Shebordaev | 20 May 2008 14:03 | |
| Jeremy Cole | 20 May 2008 14:06 | |
| Roy Lyseng | 20 May 2008 14:09 | |
| Vladimir Shebordaev | 20 May 2008 14:17 | |
| Roy Lyseng | 20 May 2008 14:19 | |
| Roy Lyseng | 20 May 2008 14:20 | |
| Jeremy Cole | 20 May 2008 14:32 | |
| Jeremy Cole | 20 May 2008 14:40 | |
| Jeremy Cole | 20 May 2008 14:44 | |
| Jeremy Cole | 20 May 2008 14:48 | |
| Jeremy Cole | 20 May 2008 15:00 | |
| Vladimir Shebordaev | 20 May 2008 15:01 | |
| Sergei Golubchik | 20 May 2008 15:06 | |
| Jeremy Cole | 21 May 2008 00:29 | |
| Jeremy Cole | 21 May 2008 00:55 | |
| Vladimir Shebordaev | 21 May 2008 02:00 | |
| Jeremy Cole | 21 May 2008 13:52 | |
| Vladimir Shebordaev | 21 May 2008 15:09 | |
| Eric Bergen | 21 May 2008 16:28 | |
| Vladimir Shebordaev | 22 May 2008 04:37 | |

| Subject: | Re: [Report 2] RBAC system - starting point |
|---|---|
| From: | Sergey Kudriavtsev (serg...@gmail.com) |
| Date: | 05/20/2008 12:21:55 PM |
| List: | com.mysql.lists.internals |
Hello, Sergei!

2008/5/20 Sergei Golubchik <se...@mysql.com>:
> Hi!
>
> On May 20, Sergey Kudriavtsev wrote:
>> 2008/5/20 Sergei Golubchik <se...@mysql.com>:
>>> On May 20, Sergey Kudriavtsev wrote:
>>>> To distinguish roles from users I propose to use "Host" field of mysql.user table - If this field is empty then we should consider the specified record to be a role. Now empty field is equivalent to '%'. I will change the behaviour of parser to always fail host identity check when the checked field has empty value. I will also change mysql_fix_privilege_tables script to replace all existing empty "Host" field values with '%'.
>>>
>>> This is fine, but what are you going to do with mysql.host table? In there empty host is not equivalent to '%' :(
>>
>> I'm not sure whether I have to do something with mysql.host table at all. Anyway, I'm going to store roles in mysql.user/mysql.xxx_priv only and I don't see how mysql.host table will interfere with roles' privileges. Please, explain this issue in a more detailed way.
>
> Sorry, it was a typo. I meant mysql.db table. In mysql.db table blank host is not the same as '%' host.

And again I don't see the interference :(. I've carefully studied the corresponding manual page (Access Control, Stage 2: Request Verification), but I didn't find any possible errors in this scheme.

Anyway, as the community considers the isRole ENUM('N','Y') column to be better, I consider I shall implement it in that way.

> Regards / Mit vielen Grüssen,
> Sergei
>
> --
> Sergei Golubchik <se...@mysql.com>
> Principal Software Engineer/Server Architect
> Sun Microsystems GmbH, HRB München 161028
> Sonnenallee 1, 85551 Kirchheim-Heimstetten
> Managing Directors: Thomas Schroeder, Wolfgang Engels, Dr. Roland Boemer
> Chairman of the Supervisory Board: Martin Häring

--
Best regards,
Sergey Kudriavtsev




