
Authorization in SQL and the GRANT command

In System R there is no central database administration. Any database user may be authorized to create a new table; that user is then authorized, and is the only one with authority, to perform operations on that table. If the table created is a view, the authorization may be limited by the authorization mechanism on the tables.

If a user wants to share his table with other users, he can use the GRANT command of the SQL language to give different users different privileges on the table. Normally the creator of a table limits the privileges with which other users can operate on his table when the database is created. The privileges that can be granted on a table are:

READ: the ability to use this relation in a query; it allows reading a row of the relation and determines the user's limits within the relation
INSERT: allows adding a new row to the table
DELETE: allows deleting a row from the table
UPDATE: allows modifying data in the table; it allows choosing a particular column of the table
DROP: allows deleting the table

The GRANT command in SQL has the following structure:

GRANT ALL [PRIVILEGES] ON (table) TO (user-list) [WITH GRANT OPTION]

ALL [PRIVILEGES]: grants all privileges on the specified database object to the user. The grantor can grant all privileges on a table, or name specific privileges for each user in the list, or can specify PUBLIC so that all users of the database are granted the privileges on that table.

The grantor can grant with the options of the GRANT command. The grant option limits the user's privileges and determines whether or not they may be granted on to further users, as in Lampson and in Graham and Denning.

Example: user A creates the relation EMPLOYEE and grants privileges with the following command:

GRANT READ, INSERT ON EMPLOYEE TO B

After this grant, user B has the privilege to read the EMPLOYEE table and to add data to it. If user B issues a GRANT command so that some other users in the system can operate on the EMPLOYEE table, the database system will not allow B to perform the grant, because B does not have the right to grant privileges on EMPLOYEE to others. If B was given the grant option when A performed the grant to B, then B will have that right.

A: GRANT READ, INSERT ON EMPLOYEE TO B WITH GRANT OPTION
A: GRANT READ ON EMPLOYEE TO X WITH GRANT OPTION
B: GRANT READ, INSERT ON EMPLOYEE TO X

When A creates the EMPLOYEE table and grants READ and INSERT together with WITH GRANT OPTION, B obtains privileges that it can grant on to the next user. What happens to user X when the GRANT commands above are executed? User X receives READ from A and is allowed to grant it to other users, but does not receive INSERT from A. When B grants READ and INSERT to X without the grant option, X does not get the right to grant them to other users. So after the three commands have been executed, user X holds only READ and INSERT, and INSERT may not be granted to other users.

Revocation

Before looking at the revocation of granted privileges, we must understand how the protection mechanism described in the examples above is implemented. The implementation of this subsystem is described below in a restricted, basic form. System R maintains two relations for use by the authorization subsystem, SYSAUTH and SYSCOLAUTH. The SYSAUTH relation has the following columns:

USERID: the user who is authorized to perform actions on this table.
TNAME: which table the row refers to.
TYPE: indicates whether this table is a base relation or, with 'V', a view.
One column for each privilege (READ, INSERT, ...) that can be granted on a table, not including UPDATE; each contains 'Y' or 'N' to indicate whether the user holds that privilege on the table.
UPDATE: the authorization to update columns of the table.
GRANTOPT: indicates whether the privileges in this row may be granted to other users.

For each table on which a user is authorized to perform some action, there will be two rows in SYSAUTH: one for grantable and one for nongrantable privileges. A tuple for a (USERID, table) pair is constructed only when the user holds at least one of the privileges on the table. The value of the UPDATE column of a SYSAUTH tuple can be 'ALL' (all columns can be updated), 'NONE' (no update privilege) or 'SOME'. If UPDATE is 'SOME', the SYSCOLAUTH relation shows exactly which columns the user holds the UPDATE privilege on: for each updatable column of the table, a tuple (user, table, column, grantor, grant option) is placed in SYSCOLAUTH.

When a user issues a GRANT command, the authorization entries of the issuer are examined to determine which privileges can be granted. The set of the grantor's grantable privileges is intersected with the set of privileges named in the GRANT command to determine which privileges are actually granted. The effect of a GRANT command is to insert a new tuple into the SYSAUTH relation, or to modify an existing tuple appropriately. For example, if the grant is made with the grant option and SYSAUTH already contains a tuple for the (grantee, table) pair with GRANTOPT = 'Y', that tuple is modified by setting to 'Y' the columns corresponding to the privileges granted.
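The GRANT bookkeeping described above, replayed on the A/B/X commands from this page, as an added Python example that is not part of the original page or of System R. The class, the function names and the set-based row layout are illustrative assumptions.

```python
# Added example: GRANT bookkeeping in a simplified SYSAUTH-like table.
PRIVS = {"READ", "INSERT", "DELETE", "UPDATE", "DROP"}

class Sysauth:
    def __init__(self):
        # (user, table, grantopt) -> set of privileges; grantopt is 'Y' or 'N'.
        # This mirrors "one grantable row and one nongrantable row" per user and table.
        self.rows = {}

    def create_table(self, owner, table):
        # Assumption: the creator holds every privilege on the table, all grantable.
        self.rows[(owner, table, "Y")] = set(PRIVS)

    def grantable(self, user, table):
        return set(self.rows.get((user, table, "Y"), set()))

    def held(self, user, table):
        return self.grantable(user, table) | self.rows.get((user, table, "N"), set())

    def grant(self, grantor, privs, table, grantee, with_grant_option=False):
        """Grant only what the grantor may pass on; return what was actually granted."""
        granted = self.grantable(grantor, table) & set(privs)
        if granted:  # a tuple exists only if it carries at least one privilege
            opt = "Y" if with_grant_option else "N"
            self.rows.setdefault((grantee, table, opt), set()).update(granted)
        return granted

def replay_page_example(b_has_grant_option):
    """Run the three GRANT commands from the page; report what X ends up with."""
    db = Sysauth()
    db.create_table("A", "EMPLOYEE")
    db.grant("A", {"READ", "INSERT"}, "EMPLOYEE", "B",
             with_grant_option=b_has_grant_option)
    db.grant("A", {"READ"}, "EMPLOYEE", "X", with_grant_option=True)
    b_gave = db.grant("B", {"READ", "INSERT"}, "EMPLOYEE", "X")
    return b_gave, db.held("X", "EMPLOYEE"), db.grantable("X", "EMPLOYEE")

if __name__ == "__main__":
    print(replay_page_example(True))
    print(replay_page_example(False))
```

This layout has no grantor column, so it cannot support revocation; the revocation sections that follow explain why the grantor has to be recorded.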

Revoking privileges

A user who has been granted privileges on a table by another user can also have those privileges revoked. The command that performs the revocation is:

REVOKE {ALL RIGHTS | (privileges)} ON (table) FROM (user-list)

The named privileges on the table are denied to the user they are revoked from, unless that user holds the privilege from a separate source. The need to revoke previously granted privileges complicates matters: two tuples are no longer enough to represent a user's privileges on a table. We must keep track of who granted each privilege, which requires a separate tuple in SYSAUTH for each (grantee, table, grantor) combination, one for grantable and one for nongrantable privileges. Furthermore, after a revocation the system must also revoke the privileges from those to whom the user granted them on the table.

The sequence of grants made on a table by the grantors, followed by a revocation, is represented as follows. Let

G1, G2, ..., Gi-1, Gi, Gi+1, ..., Gn

where each Gi is a grant of a privilege, and if i < j then grant Gi was made before Gj. Now suppose the grant Gi is revoked, so that the sequence becomes

G1, G2, ..., Gi-1, Gi, Gi+1, ..., Gn, Ri

The state after revoking Gi is defined as if Gi had not been made: the state of the authorization relations (SYSAUTH and SYSCOLAUTH) after the sequence above is the state that results from

G1, G2, ..., Gi-1, Gi+1, ..., Gn

In other words, the resulting state is the same as if the grant Gi had never been made.

Example:

A: GRANT READ, INSERT, UPDATE ON EMPLOYEE TO X
B: GRANT READ, UPDATE ON EMPLOYEE TO X
A: REVOKE INSERT, UPDATE ON EMPLOYEE FROM X

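After the revocation, X still holds the READ and UPDATE privileges on the EMPLOYEE table. The general rule is that if a granted privilege is revoked but the same privilege was also granted from another source, the user keeps that privilege. In other words, the sources of a grant are independent of one another.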

Recursive revocation

Consider the following sequence of grants. A creates the relation EMPLOYEE, and then:

A: GRANT ALL RIGHTS ON EMPLOYEE TO X WITH GRANT OPTION
X: GRANT ALL RIGHTS ON EMPLOYEE TO Y
A: REVOKE ALL RIGHTS ON EMPLOYEE FROM X

By the definition of revocation, this sequence is equivalent to X: GRANT ALL RIGHTS ON EMPLOYEE TO Y alone, which fails because X has no privileges on the EMPLOYEE table. So after executing the REVOKE command the system must modify the revoked user's tuples in SYSAUTH and SYSCOLAUTH, and must then also revoke the privileges that X granted to others. If the revoked privileges are not in the table, no further action needs to be taken.

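Revoking granted privileges is not straightforward. If the revoked privilege was also granted to the user by someone else, recursive revocation should leave that privilege in place. The problem is that such an algorithm does not detect cycles in the chains of grants. The revocation algorithm must distinguish between the two cases shown in the figure below: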

In effect, a correct algorithm traces the chains of grants from X back to the user who created the table. If all such paths pass through the point of revocation, X's privilege should be revoked. However, if there is a path back to the creator of the table that does not pass through the point of revocation, X should keep the privilege after the revocation.

In either case, the tuples in SYSAUTH that represent the revoked grants are modified or deleted. The tuples in SYSAUTH that represent X's remaining privileges on the table, if any, are examined to decide exactly which of X's own grants must be recursively revoked. To decide whether to revoke recursively without explicitly searching the grant graph, we modify the SYSAUTH table: instead of just 'Y' or 'N', each privilege column contains a timestamp giving the relative time of the grant. The timestamp may represent real time or may be a system-maintained counter. Its important property is that no two GRANT commands are tagged with the same time. A privilege column containing 0 means the privilege is not held; a value T means the privilege was granted at time T. For example, suppose that A, B and C have granted certain privileges on the EMPLOYEE table to X, who in turn granted privileges to Y, as follows:

After this sequence of events, the relevant part of the SYSAUTH table is as follows:

USERID  TABLE     GRANTOR  READ  INSERT  DELETE
X       EMPLOYEE  A        15    15      0
X       EMPLOYEE  B        20    0       20
Y       EMPLOYEE  X        25    25      25
X       EMPLOYEE  C        30    0       30

Suppose that at time t=35, B issues the command REVOKE ALL RIGHTS ON EMPLOYEE FROM X. The tuple (X, EMPLOYEE, B) must then be deleted from SYSAUTH. To determine which of the grants X has made on EMPLOYEE must be revoked, we form the list of grants still made to X:

TABLE     READ     INSERT  DELETE
EMPLOYEE  {15,30}  {15}    {30}

and the list of grants made by X:

TABLE     READ  INSERT  DELETE
EMPLOYEE  {25}  {25}    {25}

X's grant of DELETE at time t=25 is revoked, because X's DELETE privilege was granted at time t=30. The READ and INSERT grants made by X are allowed to stand, because X was granted these privileges earlier by another source.

The revocation algorithm is given below:

REVOKE procedure (grantee, privilege, table, grantor);
  comment turn off the grantee's authorization for (privilege) obtained from (grantor);
  set (privilege) = 0 in the (grantee, table, grantor) tuple in SYSAUTH;
  comment find the minimum timestamp for the grantee's remaining grantable (privilege) on (table);
  m <-- current timestamp;
  for each grantor u such that (grantee, privilege, table, u, grantable) is in SYSAUTH do
    if privilege # 0 and privilege < m then m <-- privilege;
  comment revoke the grantee's grants of (privilege) on (table) which were made before time m;
  for each user u such that (u, privilege, table, grantee) is in SYSAUTH do
    if privilege < m then REVOKE (u, privilege, table, grantee);
  return
end REVOKE
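The REVOKE procedure above, run against the SYSAUTH excerpt from this page with B revoking from X at t=35, as an added Python example that is not part of the original page. The dictionary layout, the function names and the assumption that every sample tuple carries the grant option are illustrative.

```python
# Added example: timestamp-based REVOKE over a SYSAUTH-like table.
PRIVS = ("READ", "INSERT", "DELETE")

def sample_sysauth():
    # Constructed from the SYSAUTH excerpt above: (grantee, table, grantor) -> timestamps.
    # 0 means "not held". Assumption: every tuple here carries the grant option.
    return {
        ("X", "EMPLOYEE", "A"): {"READ": 15, "INSERT": 15, "DELETE": 0},
        ("X", "EMPLOYEE", "B"): {"READ": 20, "INSERT": 0, "DELETE": 20},
        ("Y", "EMPLOYEE", "X"): {"READ": 25, "INSERT": 25, "DELETE": 25},
        ("X", "EMPLOYEE", "C"): {"READ": 30, "INSERT": 0, "DELETE": 30},
    }

def revoke(sysauth, grantee, priv, table, grantor, now):
    """Revoke one privilege and cascade to grants it no longer supports."""
    row = sysauth.get((grantee, table, grantor))
    if row is None or row[priv] == 0:
        return  # nothing to revoke; this also ends recursion on cyclic grants
    row[priv] = 0
    # m = earliest time at which the grantee still holds priv from any grantor.
    m = now
    for (user, tbl, _), r in sysauth.items():
        if user == grantee and tbl == table and 0 < r[priv] < m:
            m = r[priv]
    # Grants the grantee made before m have lost their support: revoke them too.
    for (user, tbl, src), r in list(sysauth.items()):
        if src == grantee and tbl == table and 0 < r[priv] < m:
            revoke(sysauth, user, priv, table, grantee, now)

def revoke_all(sysauth, grantee, table, grantor, now):
    """REVOKE ALL RIGHTS: revoke each privilege, then drop empty tuples."""
    for priv in PRIVS:
        revoke(sysauth, grantee, priv, table, grantor, now)
    for key in [k for k, r in sysauth.items() if not any(r.values())]:
        del sysauth[key]
    return sysauth

def held(sysauth, user, table):
    """Privileges `user` still holds on `table` from any grantor."""
    return {p for (u, t, _), r in sysauth.items()
            if u == user and t == table for p in PRIVS if r[p]}

if __name__ == "__main__":
    after = revoke_all(sample_sysauth(), "X", "EMPLOYEE", "B", now=35)
    print(sorted(held(after, "Y", "EMPLOYEE")))
```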

Example: consider the graph of grants shown in the following figure:

Assume that all privileges are granted each time, and that the grant from A to X is revoked. Then:

First, only the grant from X to Y is revoked; the grant from X to Z is not revoked, because the privilege was granted at t=15.
Next, the grant from Y to X is revoked.
Finally, the grant from X to Z is revoked.

If the same privilege on a table is granted again by the same user, the earlier timestamp should clearly be kept; the later grant has no effect on the SYSAUTH table. Otherwise a revocation at some later time could cause an earlier, legitimate grant to be revoked.
