Authorization API doesn't differentiate reads from writes, etc...
Affects | Status | Importance | Assigned to | Milestone |
---|---|---|---|---|
Drizzle | New | Undecided | Unassigned | |
Bug Description
Authorization API is defined in drizzled/
To be more compatible with the SQL standard, the Authorization API needs to also support different operation types. This could be done by defining an enum type that lists all the possible privilege types, which is then passed as an additional argument to the currently existing functions. The enum should at least contain something simple like read and write, but might ultimately support a wide range of fine-grained privileges as we are used to from, say, MySQL: http://
For backward compatibility, the currently existing functions may of course stay. It would allow policy plugins to just implement a simple "all or nothing" access policy without having to deal with this new argument at all.
Example of old API method:
virtual bool restrictTable(const drizzled:
Example of new API method:
virtual bool restrictTable(const drizzled:
Then of course all drizzled code has to be changed to actually use this new method and specify the operation being performed. The new method would then first call the old operation-less method so that plugins that only use the simple API are called first. (If access is restricted, then it's restricted, no need to continue after that.)
Bug arises from work on documenting policy plugins. See https://lists.launchpad.net/drizzle-discuss/msg08365.html for the background.
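The layered check proposed above, as an added example that is not Drizzle's code: an old-style plugin and an operation-aware plugin behind one server-side check. Assumptions: users and tables are plain strings rather than Drizzle's identifier types, a `true` return means access is restricted, "called first" is read as running the old hooks on every plugin before any new hook, and `Privilege`, `BlockGuest`, `ReadOnlyUsers`, `isAuthorized` and `demoAllowed` are hypothetical names.

```cpp
#include <set>
#include <string>
#include <vector>

// Hypothetical privilege list; the report asks for at least read and write.
enum class Privilege { Read, Write };

// Simplified stand-in for the plugin base class. Users and tables are plain
// strings here, not Drizzle's identifier types. Assumed: true = restricted.
class Authorization {
public:
  virtual ~Authorization() = default;
  // Old operation-less hook, kept for backward compatibility.
  virtual bool restrictTable(const std::string &, const std::string &) const { return false; }
  // New hook with the operation; defaults to "no restriction".
  virtual bool restrictTable(const std::string &, const std::string &, Privilege) const { return false; }
};

// Simple "all or nothing" plugin: implements only the old hook.
class BlockGuest : public Authorization {
public:
  bool restrictTable(const std::string &user, const std::string &) const override {
    return user == "guest";
  }
};

// Operation-aware plugin: listed users may read but not write.
class ReadOnlyUsers : public Authorization {
  std::set<std::string> read_only_{"reporter"};  // constructed sample user
public:
  bool restrictTable(const std::string &user, const std::string &, Privilege op) const override {
    return op == Privilege::Write && read_only_.count(user) > 0;
  }
};

// Server-side check: old hooks first, then new hooks; any restriction is final.
bool isAuthorized(const std::vector<const Authorization *> &plugins,
                  const std::string &user, const std::string &table, Privilege op) {
  for (const Authorization *p : plugins)
    if (p->restrictTable(user, table)) return false;
  for (const Authorization *p : plugins)
    if (p->restrictTable(user, table, op)) return false;
  return true;
}

// Constructed sample: both plugins loaded, one table named "orders".
bool demoAllowed(const std::string &user, Privilege op) {
  BlockGuest simple; ReadOnlyUsers fine;
  return isAuthorized({&simple, &fine}, user, "orders", op);
}
```

Because `BlockGuest` never overrides the three-argument hook, it needs no change when the enum gains more privilege types.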