There is a difference between role granting/revoking between 2.0.4 and 2.1.0 which is currently undocumented.
EPISODE ONE: grant/revoke
```sql
-- login as sysdba
create role "role01";
grant "role01" to user01 with admin option;
-- login as user01
grant "role01" to user02;
-- login as sysdba
grant "role01" to user02 with admin option;
-- login as user01
revoke "role01" from user02;
```
The last command works OK (removes the record from RDB$USER_PRIVILEGES which grants role01 to user02 by user01) for 2.0 but fails in 2.1, persisting the record in RDB$USER_PRIVILEGES, with the message:
```
This operation is not defined for system tables.
Unsuccessful metadata update.
USER01 is not grantor of <Unknown> on Role01 to USER02.
```
```sql
-- and if in FB 2.1.0 sysdba executes
revoke "role01" from user02;
-- role01 will be unavailable to user02 (access granted by user01 will be removed too)
```
Please explain how it works or how it should really work, because I cannot find a description of such changes in the release notes.
EPISODE TWO: admin option
```sql
-- as sysdba
create role "role01";
grant "role01" to user01 with admin option;
-- as user01
grant "role01" to user03 with admin option;
-- as sysdba
grant "role01" to user02 with admin option;
-- as user01
-- this removes admin option from user02
grant "role01" to user02;
-- as user03
grant "role01" to user02 with admin option;
-- as user02
grant "role01" to public;
```
The last command fails with:
```
This operation is not defined for system tables.
Unsuccessful metadata update.
User USER02 has no grant admin option on SQL role Role01.
```
To solve this problem I had to add a new clause to the GRANT and REVOKE commands - GRANTED BY. Only by using it is it possible to avoid conflicts with role (and other rights) assignment when performed by many users.
This also means backporting is problematic - we do not add new features in old versions.
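An added example, not part of the original thread or the project's code: an isql script that lists every role grant in RDB$USER_PRIVILEGES together with its grantor, flags grantees who hold the same role from more than one grantor (the situation both episodes create), and then uses the GRANTED BY clause from the reply above to act on one specific record. It assumes a server build that includes GRANTED BY and a SYSDBA or database-owner connection; the user and role names are the ones from the issue's script.

```sql
-- Constructed example: names follow the issue's script (role01, user01, user02).
-- Assumption: connected as SYSDBA or the database owner.

-- 1. One row per (role, grantee, grantor) record.
--    RDB$PRIVILEGE = 'M' marks role membership, RDB$OBJECT_TYPE = 13 marks a role.
--    A non-zero RDB$GRANT_OPTION means the record carries WITH ADMIN OPTION.
SELECT p.RDB$RELATION_NAME AS role_name,
       p.RDB$USER          AS grantee,
       p.RDB$GRANTOR       AS grantor,
       CASE WHEN COALESCE(p.RDB$GRANT_OPTION, 0) <> 0
            THEN 'YES' ELSE 'NO' END AS admin_option
FROM RDB$USER_PRIVILEGES p
WHERE p.RDB$PRIVILEGE = 'M'
  AND p.RDB$OBJECT_TYPE = 13
ORDER BY p.RDB$RELATION_NAME, p.RDB$USER, p.RDB$GRANTOR;

-- 2. Grantees who hold the same role from several grantors. These are the
--    records where a REVOKE by one grantor leaves the role still reachable
--    through another grantor's record, so review them before assuming a
--    revoke removed access.
SELECT p.RDB$RELATION_NAME        AS role_name,
       p.RDB$USER                 AS grantee,
       COUNT(DISTINCT p.RDB$GRANTOR) AS grantor_count,
       MAX(COALESCE(p.RDB$GRANT_OPTION, 0)) AS any_admin_option
FROM RDB$USER_PRIVILEGES p
WHERE p.RDB$PRIVILEGE = 'M'
  AND p.RDB$OBJECT_TYPE = 13
GROUP BY p.RDB$RELATION_NAME, p.RDB$USER
HAVING COUNT(DISTINCT p.RDB$GRANTOR) > 1;

-- 3. Name the grantor explicitly so the statement targets exactly one record.
--    Grant the role to user02 as if user01 had issued the grant:
GRANT "role01" TO user02 GRANTED BY user01;

--    Remove only the record whose grantor is user01; a record created by
--    another grantor (for example SYSDBA) is a separate row and is not named here:
REVOKE "role01" FROM user02 GRANTED BY user01;

-- 4. Re-run query 1 for the role to confirm which records remain.
SELECT p.RDB$USER AS grantee, p.RDB$GRANTOR AS grantor, p.RDB$GRANT_OPTION
FROM RDB$USER_PRIVILEGES p
WHERE p.RDB$PRIVILEGE = 'M'
  AND p.RDB$OBJECT_TYPE = 13
  AND p.RDB$RELATION_NAME = 'role01';
```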
Submitted by: Konstantin Dombrugov (abracadabra)
Should it work like that?
Commits: 5f0278b