maria-developers team mailing list archive

[Vicentiu Ciorbaru <cvicentiu@xxxxxxxxx>]

On Wed, Apr 17, 2013 at 8:08 PM, Sergei Golubchik <serg@xxxxxxxxxxxx> wrote:
> Hi, Vicențiu!
>
> On Apr 17, Vicențiu Ciorbaru wrote:
>> Hello,
>>
>> My name is Vicențiu Ciorbaru. I am 3'rd year undergraduate student at
>> the Polytechnic University of Bucharest, Romania and I am very
>> interested in contributing to MariaDB as part of Google Summer of
>> Code. I have not used MariaDB previously but I have taken it for a
>> spin just now.
>>
>> I have participated in GSoC once before and would like to do so again.
>> I have contributed to other open source organisations (Mozilla, Samba,
>> ROSEdu) and I submit patches when time permits.
>>
>> The project that interests me the most is MDEV-4397: Roles.
>>
>> I want to ask you what would be a good place to start in the codebase
>> to help me get an idea what I need to do for this project?
>
> sql/sql_acl.cc
>
> Check functions like acl_load(), acl_get(), grant_load(), check_grant().
> There are more functions that deal with privileges, but those four
> should be enough to understand how the system works.

Hello Sergei,

Thank you for the answer and I apologize for the late response. I had
some trouble following the code in those functions that you mentioned
but I think I got the gist on how the system works.

I have come up with a preliminary plan to implement roles and would
like to discuss it here before I begin to write my proposal.

As I see it so far, the privileges of a user are stored in the
mysql.user table with a privilege per column, such as Select_priv,
Insert_priv etc.

My first idea is to create a separate table that describes a role,
with the columns identical to the privilege columns in user and a name
for the role. This way a row in the table can  represent a subset of
privileges.

Since a user can only have one role at any one time, there would be a
one to one mapping between the mysql.user table and mysql.roles?
table. This could be done with a simple foreign key in the user table.

NOTE: I am not quite sure what a session means in the context
presented in this paragraph:
Quote:"Only one role can be set to a user at any specific point in any
given session. In other words, CURRENT_ROLE (see below) can never
return a list."
I took the meaning of a session as the context present at the moment
the user logged in and that the role is set at the moment of login in
the session context based on the aforementioned tables mysql.user and
mysql.roles.

To get the privileges of a user one would have to check the user table
for all Yes ticked privileges and also add the Yes ticked privileges
in the new mysql.roles table row corresponding to the user (if any)
based on the foreign key in the user table.

The queries:
REVOKE privilege FROM { user | role }
GRANT privilege TO { user | role }
will either modify the user table or the roles table.

Regarding the ambiguity between a user and a role, would it not be
easier to have an extra keyword TO ROLE or FROM ROLE?

I am not sure what these tables should contain exactly:
INFORMATION_SCHEMA.APPLICABLE_ROLES
INFORMATION_SCHEMA.ENABLED_ROLES

I am looking forward to your feedback on these ideas.

Thank you,
Vicențiu