SQL Authorization (Chap. 8.7): Privileges, Grant and Revoke, Grant Diagrams


Authorization

A file system identifies certain privileges on the objects (files) it manages. Typically read, write, execute.

A file system identifies certain participants to whom privileges may be granted. Typically the owner, a group, all users.


Privileges --- 1

SQL identifies a more detailed set of privileges on objects (relations) than the typical file system.

9 privileges in all, some of which can be restricted to one column of one relation.


Privileges --- 2

Some important privileges on a relation:

1. SELECT = right to query the relation.
2. INSERT = right to insert tuples. May apply to only one attribute.
3. DELETE = right to delete tuples.
4. UPDATE = right to update tuples. May apply to only one attribute.


Example: Privileges

For the statement below:

    INSERT INTO Beers(name)
        SELECT beer FROM Sells
        WHERE NOT EXISTS
            (SELECT * FROM Beers WHERE name = beer);

The SELECT finds beers that do not appear in Beers. We add them to Beers with a NULL manufacturer.

We require privileges SELECT on Sells and Beers, and INSERT on Beers or Beers.name.


Authorization ID’s

A user is referred to by authorization ID, typically their user name.

There is an authorization ID PUBLIC. Granting a privilege to PUBLIC makes it available to any authorization ID.


The GRANT Statement

To grant privileges, say:

    GRANT <list of privileges>
    ON <relation or other object>
    TO <list of authorization ID’s>;

If you want the recipient(s) to be able to pass the privilege(s) to others, add:

    WITH GRANT OPTION


Granting Privileges

You have all possible privileges on the objects, such as relations, that you create.

You may grant privileges to other users (authorization ID’s), including PUBLIC.

You may also grant privileges WITH GRANT OPTION, which lets the grantee also grant this privilege.


Example: GRANT

Suppose you are the owner of Sells. You may say:

    GRANT SELECT, UPDATE(price)
    ON Sells
    TO sally;

Now Sally has the right to issue any query on Sells and can update the price component only.


Example: Grant Option

Suppose we also grant:

    GRANT UPDATE ON Sells TO sally
    WITH GRANT OPTION;

Now, Sally can not only update any attribute of Sells, but can grant to others the privilege UPDATE ON Sells.

Also, she can grant more specific privileges like UPDATE(price) ON Sells.


Revoking Privileges

    REVOKE <list of privileges>
    ON <relation or other object>
    FROM <list of authorization ID’s>;

Your grant of these privileges can no longer be used by these users to justify their use of the privilege.

But they may still have the privilege because they obtained it independently from elsewhere.


REVOKE Options

We must append to the REVOKE statement either:

1. CASCADE. Now, any grants made by a revokee are also not in force, no matter how far the privilege was passed.
2. RESTRICT. If the privilege has been passed to others, the REVOKE fails as a warning that something else must be done to “chase the privilege down.”


Grant Diagrams

Nodes = user/privilege/option/isOwner?

UPDATE ON R, UPDATE(a) ON R, and UPDATE(b) ON R live in different nodes.

SELECT ON R and SELECT ON R WITH GRANT OPTION live in different nodes.

Edge X -> Y means that node X was used to grant Y.


Notation for Nodes

Use AP for the node representing authorization ID A having privilege P.

P* represents privilege P with grant option.

P** represents the source of the privilege P. That is, AP** means A is the owner of the object on which P is a privilege.

Note ** implies grant option.


Manipulating Edges --- 1

When A grants P to B, we draw an edge from AP* or AP** to BP. Or to BP* if the grant is with grant option.

If A grants a subprivilege Q of P (say UPDATE(a) ON R when P is UPDATE ON R) then the edge goes to BQ or BQ*, instead.


Manipulating Edges --- 2

Fundamental rule: user C has privilege Q as long as there is a path from XQ** (the origin of privilege Q) to CQ, CQ*, or CQ**.

Remember that XQ** could be CQ**.


Manipulating Edges --- 3

If A revokes P from B with the CASCADE option, delete the edge from AP to BP.

If A uses RESTRICT, and there is an edge from BP to anywhere, then reject the revocation and make no change to the graph.


Manipulating Edges --- 4

Having revised the edges, we must check that each node has a path from some ** node, representing ownership.

Any node with no such path represents a revoked privilege and is deleted from the diagram.


Example: Grant Diagram

AP**: A owns the object on which P is a privilege.

AP** -> BP*: A: GRANT P TO B WITH GRANT OPTION

BP* -> CP*: B: GRANT P TO C WITH GRANT OPTION

AP** -> CP: A: GRANT P TO C


Example: Grant Diagram

Nodes: AP**, BP*, CP*, CP.

A executes REVOKE P FROM B CASCADE;

Not only does B lose P*, but C loses P*. Delete BP* and CP*.

Even had C passed P to B, both nodes are still cut off.

However, C still has P without grant option because of the direct grant.
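
The grant-diagram rules above (an edge per GRANT, CASCADE or RESTRICT on REVOKE, then deleting every node with no path from a ** node), as an added Python example that is not part of the original slides. The class and function names are hypothetical, and subprivileges such as UPDATE(a) are left out.

```python
from collections import defaultdict

class GrantDiagram:
    """Nodes are (user, privilege, mark); mark is "", "*" or "**" as in the slides."""
    def __init__(self, owner, priv):
        self.nodes = {(owner, priv, "**")}   # the owner node is the source of priv
        self.edges = defaultdict(set)        # edges[X] = nodes that X was used to grant

    def _grantor_nodes(self, user, priv):
        return [(user, priv, m) for m in ("**", "*") if (user, priv, m) in self.nodes]

    def has(self, user, priv, marks=("", "*", "**")):
        return any((user, priv, m) in self.nodes for m in marks)

    def grant(self, grantor, priv, grantee, with_grant_option=False):
        sources = self._grantor_nodes(grantor, priv)
        if not sources:
            raise PermissionError(f"{grantor} holds no grant option on {priv}")
        target = (grantee, priv, "*" if with_grant_option else "")
        self.nodes.add(target)
        self.edges[sources[0]].add(target)

    def revoke(self, grantor, priv, grantee, cascade):
        sources = self._grantor_nodes(grantor, priv)
        targets = {t for s in sources for t in self.edges[s] if t[:2] == (grantee, priv)}
        if not cascade and any(self.edges[t] for t in targets):
            raise RuntimeError("RESTRICT: privilege was passed on; graph unchanged")
        for s in sources:
            self.edges[s] -= targets
        self._prune()

    def _prune(self):
        """Keep only nodes that still have a path from some ** (owner) node."""
        reachable = {n for n in self.nodes if n[2] == "**"}
        frontier = list(reachable)
        while frontier:
            new = self.edges[frontier.pop()] - reachable
            reachable |= new
            frontier.extend(new)
        self.nodes = reachable
        self.edges = defaultdict(set, {n: self.edges[n] & reachable for n in reachable})

def slide_example():
    d = GrantDiagram("A", "P")                       # AP**
    d.grant("A", "P", "B", with_grant_option=True)   # AP** -> BP*
    d.grant("B", "P", "C", with_grant_option=True)   # BP*  -> CP*
    d.grant("A", "P", "C")                           # AP** -> CP
    return d
```

Because pruning is a reachability check from the owner node, a cycle such as C granting P back to B does not keep BP* and CP* alive once A's edge to BP* is gone.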


Exercise


Transactions (Chap. 8.6)

Serializability, Isolation Levels, Atomicity


The Setting

Database systems are normally being accessed by many users or processes at the same time. Both queries and modifications.

Unlike operating systems, which support interaction of processes, a DBMS needs to keep processes from troublesome interactions.


Example: Bad Interaction

You and your spouse each take $100 from different ATM’s at about the same time. The DBMS had better make sure one account deduction doesn’t get lost.

Compare: An OS allows two people to edit a document at the same time. If both write, one’s changes get lost.


ACID Transactions

A DBMS is expected to support “ACID transactions,” which are:

Atomic: Either the whole process is done or none is.
Consistent: Database constraints are preserved.
Isolated: It appears to the user as if only one process executes at a time.
Durable: Effects of a process do not get lost if the system crashes.


Transactions in SQL

SQL supports transactions, often behind the scenes.

Each statement issued at the generic query interface is a transaction by itself.

In programming interfaces like Embedded SQL or PSM, a transaction begins the first time an SQL statement is executed and ends with the program or an explicit end.

JDBC – auto-commit (default)


COMMIT

The SQL statement COMMIT causes a transaction to complete. Its database modifications are now permanent in the database.


ROLLBACK

The SQL statement ROLLBACK also causes the transaction to end, but by aborting. No effects on the database.

Failures like division by 0 can also cause rollback, even if the programmer does not request it.


An Example: Interacting Processes

Assume the usual Sells(bar,beer,price) relation, and suppose that Joe’s Bar sells only Bud for $2.50 and Miller for $3.00.

Sally is querying Sells for the highest and lowest price Joe’s Bar charges.

Joe decides to stop selling Bud and Miller, but to sell only Heineken at $3.50.


Sally’s Program

Sally executes the following two SQL statements, which we call (min) and (max), to help remember what they do.

    (max) SELECT MAX(price) FROM Sells
          WHERE bar = 'Joe''s Bar';

    (min) SELECT MIN(price) FROM Sells
          WHERE bar = 'Joe''s Bar';


Joe’s Program

At about the same time, Joe executes the following steps, which have the mnemonic names (del) and (ins).

    (del) DELETE FROM Sells
          WHERE bar = 'Joe''s Bar';

    (ins) INSERT INTO Sells
          VALUES('Joe''s Bar', 'Heineken', 3.50);


Interleaving of Statements

Although (max) must come before (min) and (del) must come before (ins), there are no other constraints on the order of these statements, unless we group Sally’s and/or Joe’s statements into transactions.


Example: Strange Interleaving

Suppose the steps execute in the order (max)(del)(ins)(min).

    Joe’s Prices:   Statement:   Result:
    2.50, 3.00      (max)        3.00
    2.50, 3.00      (del)
    3.50            (ins)
    3.50            (min)        3.50

Sally sees MAX < MIN!


Fixing the Problem With Transactions

If we group Sally’s statements (max)(min) into one transaction, then she cannot see this inconsistency.

She sees Joe’s prices at some fixed time. Either before or after he changes prices, or in the middle, but the MAX and MIN are computed from the same prices.


Another Problem: Rollback

Suppose Joe executes (del)(ins), but after executing these statements, thinks better of it and issues a ROLLBACK statement.

If Sally executes her transaction after (ins) but before the rollback, she sees a value, 3.50, that never existed in the database.


Solution

If Joe executes (del)(ins) as a transaction, its effect cannot be seen by others until the transaction executes COMMIT.

If the transaction executes ROLLBACK instead, then its effects can never be seen.
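
The interleaving (max)(del)(ins)(min) and the rollback case above, run against SQLite from Python as an added example that is not code from the original slides. SQLite in WAL mode stands in for the DBMS as an assumption: it gives a reader inside a transaction a fixed snapshot and never exposes uncommitted writes. The helper names are hypothetical.

```python
import os
import sqlite3
import tempfile

JOE = "Joe's Bar"
Q_MAX = "SELECT MAX(price) FROM Sells WHERE bar = ?"   # Sally's (max)
Q_MIN = "SELECT MIN(price) FROM Sells WHERE bar = ?"   # Sally's (min)

def connect_pair():
    """Constructed sample data: a fresh WAL-mode database with Joe's two prices."""
    path = os.path.join(tempfile.mkdtemp(), "bars.db")
    setup = sqlite3.connect(path, isolation_level=None)
    setup.execute("PRAGMA journal_mode=WAL")
    setup.execute("CREATE TABLE Sells(bar TEXT, beer TEXT, price REAL)")
    setup.executemany("INSERT INTO Sells VALUES (?, ?, ?)",
                      [(JOE, "Bud", 2.50), (JOE, "Miller", 3.00)])
    setup.close()
    # isolation_level=None: no implicit BEGIN, so every transaction is explicit.
    return (sqlite3.connect(path, isolation_level=None),
            sqlite3.connect(path, isolation_level=None))

def joe_del_ins(joe):
    """Joe's (del) and (ins) inside an open transaction; the caller ends it."""
    joe.execute("BEGIN")
    joe.execute("DELETE FROM Sells WHERE bar = ?", (JOE,))
    joe.execute("INSERT INTO Sells VALUES (?, 'Heineken', 3.50)", (JOE,))

def interleave(sally_in_transaction):
    """Run (max)(del)(ins)(min) in that order; return Sally's (MAX, MIN)."""
    sally, joe = connect_pair()
    if sally_in_transaction:
        sally.execute("BEGIN")
    hi = sally.execute(Q_MAX, (JOE,)).fetchone()[0]
    joe_del_ins(joe)
    joe.execute("COMMIT")
    lo = sally.execute(Q_MIN, (JOE,)).fetchone()[0]
    sally.close(); joe.close()
    return hi, lo

def read_during_joes_transaction():
    """Sally reads after (ins) but before Joe's ROLLBACK; return her MAX."""
    sally, joe = connect_pair()
    joe_del_ins(joe)
    seen = sally.execute(Q_MAX, (JOE,)).fetchone()[0]
    joe.execute("ROLLBACK")
    sally.close(); joe.close()
    return seen

if __name__ == "__main__":
    print(interleave(False), interleave(True), read_during_joes_transaction())
```

Without a transaction Sally gets MAX 3.00 and MIN 3.50; inside one she gets 3.00 and 2.50 from the same snapshot, and she never sees the uncommitted 3.50.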


Isolation Levels

SQL defines four isolation levels = choices about what interactions are allowed by transactions that execute at about the same time.

How a DBMS implements these isolation levels is highly complex, and a typical DBMS provides its own options.


Choosing the Isolation Level

Within a transaction, we can say:

    SET TRANSACTION ISOLATION LEVEL X

where X =

1. SERIALIZABLE
2. REPEATABLE READ
3. READ COMMITTED
4. READ UNCOMMITTED


Serializable Transactions

If Sally = (max)(min) and Joe = (del)(ins) are each transactions, and Sally runs with isolation level SERIALIZABLE, then she will see the database either before or after Joe runs, but not in the middle.

It’s up to the DBMS vendor to figure out how to do that, e.g.:

True isolation in time.
Keep Joe’s old prices around to answer Sally’s queries.


Isolation Level Is Personal Choice

Your choice, e.g., run serializable, affects only how you see the database, not how others see it.

Example: If Joe runs serializable, but Sally doesn’t, then Sally might see no prices for Joe’s Bar, i.e., it looks to Sally as if she ran in the middle of Joe’s transaction.


Read-Committed Transactions

If Sally runs with isolation level READ COMMITTED, then she can see only committed data, but not necessarily the same data each time.

Example: Under READ COMMITTED, the interleaving (max)(del)(ins)(min) is allowed, as long as Joe commits. Sally sees MAX < MIN.


Repeatable-Read Transactions

Requirement is like read-committed, plus: if data is read again, then everything seen the first time will be seen the second time.

But the second and subsequent reads may see more tuples as well.


Example: Repeatable Read

Suppose Sally runs under REPEATABLE READ, and the order of execution is (max)(del)(ins)(min).

(max) sees prices 2.50 and 3.00.

(min) can see 3.50, but must also see 2.50 and 3.00, because they were seen on the earlier read by (max).


Read Uncommitted

A transaction running under READ UNCOMMITTED can see data in the database, even if it was written by a transaction that has not committed (and may never).

Example: If Sally runs under READ UNCOMMITTED, she could see a price 3.50 even if Joe later aborts.


DBMS Techniques to enforce ACID

Locking – granularity of locks is important. Locks are obtained at the beginning of a transaction. Locks are released at the end of commit or rollback.

Logging – write a log to nonvolatile storage. Assure durability.

Transaction Commitment – for durability and atomicity, transactions are computed “tentatively”, recorded, but no changes are made to the db until the transaction gets committed. Changes are copied to the log, then copied to db.