Notes on Eigenbase/LucidDB security work by JVS at February 2011 Eigenbase meetup.

1. EigenbaseMeetup Feb 2011SQL:2008 Authorization JVS Slides

2. Authorization Model

3. Supported Privileges SELECT/INSERT/UPDATE/DELETE on tables Column-level not supported; use views EXECUTE on functions REFERENCES on tables Controls whether views can be created on them USAGE on UDT’s Extension projects can define new privileges as well as categorize the objects on which they apply

4. Notes on Roles Users/roles can inherit multiple roles Role inheritance cycles are not allowed A role has to be explicitly “activated” in a session At most one at a time Roles can own objects and can be grantor Avoids CASCADE which would occur when owner/grantor is a user who later gets dropped

5. Some Syntax GRANT ROLE unqualified-role-name, ... TO unqualified-user-or-role-name, ... [ WITH ADMIN OPTION ] [ GRANTED BY { CURRENT_ROLE | CURRENT_USER } ] GRANT { ALL PRIVILEGES | privileged-action, ... } ON [ TABLE | SPECIFIC { FUNCTION | PROCEDURE | ROUTINE } ] qualified-object-name TO unqualified-user-or-role-name, ... [ WITH GRANT OPTION ] [ GRANTED BY { CURRENT_ROLE | CURRENT_USER } ] privileged-action ::= { INSERT | UPDATE | SELECT | DELETE | EXECUTE | USAGE | REFERENCES }

6. “setuid” Currently only works for UDR implemented in Java Does not apply to UDX cursor inputs (those are treated the as the rest of the invoking query) CREATE { FUNCTION | PROCEDURE } … EXTERNAL NAME 'external-name' [ EXTERNAL SECURITY { DEFINER | INVOKER | IMPLEMENTATION DEFINED } ]

7. Authorization Stack Relevant when UDR’s call back in via jdbc:default:connection Implicit impersonation (via setuid) Explicit impersonation (via SET SESSION AUTHORIZATION) Role changes via SET ROLE CURRENT_ROLE is cleared in new stack frame SESSION_USER vs CURRENT_USER

8. Metadata Visibility Currently applies only to JDBC views, which themselves are queryable by PUBLIC Object is visible if user has any privilege granted on it Either directly or via role (recursively) Implemented via UDX FILTER_USER_VISIBLE_OBJECTS Need an equivalent for LucidDB-specific views (USER_ views to go with DBA_ views)

9. Open Issue: Advanced Privileges Jar/function creation ANALYZE/REBUILD/TRUNCATE TABLE SQL/MED server/wrapper creation/reference SQL/MED metadata import Named catalog creation User/role creation Repository replacement Catalog extension models Purge/checkpoint, label creation ALTER SYSTEM, ALTER SESSION Impersonation Backup/restore

10. New LucidDB SYS_ROOT Views DBA_USERS DBA_ROLES DBA_AUTH_IDS (union of users and roles) DBA_INHERITED_ROLES DBA_ELEMENT_GRANTS Thanks to Kevin Secretan!

11. Remaining Work REVOKE (all of it) Non-table privileges Schema AUTHORIZATION clause Needed for allowing schema and its objects to be owned by role instead of user View grant dependencies REFERENCES, USAGE SET SESSION AUTHORIZATION (impersonation)