User Names & Authorization Identifiers in Derby
Overview
A user in Derby is represented by a case-sensitive value, called an authorization identifier. E.g.EVE, eve, eVe, eve@yahoo.com are all different users. A user name can be provided to or read from Derby in a number of forms, e.g. SQL identifiers, a String in a Java program etc. This wiki page summarizes the how a user name converted to an authorization identifier in various situations.
Note that rules for user names in Derby are independent on how that user name is defined to Derby or authenticated. Thus these rules apply if the database is using the BUILTIN authentication or LDAP authentication.
User Name Rules
Context |
Definition |
Use |
SQL identifiers |
User identifier is a SQL identifier, section 5.4 SQL 2003. A regular identifier is upper-cased to represent an authorization identifier, e.g. eve, eVe and EVE all represent the authorization identifier EVE. A delimited identifier (with double quotes) does not have any case conversion to its authorization identifier, e.g. "eVe" represents the authorization identifier eVe. Note that the delimited identifier "EVE" represents the authorization identifier EVE which is the same user as the regular identifiers eve, EVE and EvE etc. The authorization identifier represents how a user name is stored/processed by the SQL engine in a SQL context, e.g. the system tables representing granted permissions. Note that derby.* properties are not in the SQL context. |
grantee in GRANT statement |
grantee in REVOKE statement |
||
|
|
|
CURRENT USER expression |
Returns the authorization identifier for the current user. |
VALUES CURRENT USER |
VALUES SESSION_USER |
||
VALUES {fn user()} |
||
|
|
|
SQL Routine |
A system SQL routine taking a USERNAME parameter requires the caller pass in the authorization identifier, this is to align with the value being passed in from CURRENT USER or a value obtained from a system table representing a user. |
SYSCS_UTIL.SYSCS_SET_USER_ACCESS DERBY-3095 |
SYSCS_UTIL.SYSCS_GET_USER_ACCESS DERBY-3095 |
||
|
|
|
JDBC Connection request |
Follows the rules of SQL identifiers including support for delimited identifiers. |
User named passed into method call, e.g. DataSource.setUser, DriverManager.getConnection |
User set as user property in DriverManager connection request |
||
User name on JDBC URL |
||
|
|
|
JDBC DatabaseMetaData.getUserName() |
Returns the user name used to make the JDBC connection request which is a SQL identifier and not the authorization identifier. |
conn.getMetaData().getUserName() |
|
|
|
Derby BUILTIN authentication |
Follows the rules of SQL identifiers including support for delimited identifiers. DERBY-3150 |
System property derby.user.username=password |
CALL SYSCS_UTIL.SYSCS_SET_DATABASE_PROPERTY( 'derby.user.username', 'password') |
||
|
|
|
Connection authorization |
User names set in Java or database properties. Documented as following the rules of SQL identifiers including support for delimited identifiers. Thus derby.database.fullAccessUsers=eVe and derby.database.fullAccessUsers=EVE have identical meaning. |
derby.database.fullAccessUsers |
derby.database.readOnlyAccessUsers |
Example - Authorization identifier EVE
All of these examples are valid for authorization identifier EVE
GRANT SELECT ON t TO eve |
REVOKE SELECT ON T FROM EvE |
GRANT SELECT ON t TO EVE |
GRANT SELECT ON t TO "EVE" |
VALUES CURRENT_USER will return EVE |
CALL SYSCS_UTIL.SYSCS_SET_USER_ACCESS('EVE', NULL) |
VALUES SYSCS_UTIL.SYSCS_GET_USER_ACCESS('EVE') |
jdbc:derby:db;user=eve |
jdbc:derby:db;user=EVE |
ds.getConnection("eve", password); // Java code DatabaseMetaData.getUserName() will return eve |
ds.getConnection("EVE", password); // Java code DatabaseMetaData.getUserName() will return EVE |
CALL SYSCS_UTIL.SYSCS_SET_DATABASE_PROPERTY('derby.user.EVE', 'password') |
CALL SYSCS_UTIL.SYSCS_SET_DATABASE_PROPERTY('derby.user.eve', 'password') |
derby.database.readOnlyAccessUsers=eve |
Example - Authorization identifier eve
All of these examples are valid for authorization identifier eve
GRANT SELECT ON t TO "eve" |
REVOKE SELECT ON T FROM "eve" |
VALUES CURRENT_USER will return eve |
CALL SYSCS_UTIL.SYSCS_SET_USER_ACCESS('eve', NULL) |
VALUES SYSCS_UTIL.SYSCS_GET_USER_ACCESS('eve') |
jdbc:derby:db;user="eve" |
ds.getConnection("\"eve\"", password); // Java code DatabaseMetaData.getUserName() will return "eve" |
CALL SYSCS_UTIL.SYSCS_SET_DATABASE_PROPERTY('derby.user."eve"', 'password') |
derby.database.readOnlyAccessUsers="eve" |
Note
Earlier versions of this document used normal user name to represent authorization identifier. Thanks to Rick's comments in DERBY-2109 I decided to re-write this in terms of authorization identifier.