Subject RE: [Firebird-Architect] feature request: embed the security database on each database file
Author Samofatov, Nickolay
Hi, Jim!

> >currently, firebird/interbase stores security information on a
> >separate isc/security database.
> >
> >I'd like to request an option that allows storage of security
> >information on each separate user database instead.
> >
> >
> >
> I'm committed to a plugable security manager for Vulcan that supports
> both the existing scheme and something useable. Any thoughts on
> requirements or ideas on an API would be appreciated.
> My personal feelings are that security information belongs in a
> database, and that storing a SHA hash of passwords makes the most
> sense. There are other secure hashes. Does anyone has strong
> on the subject?

My feelings are somewhat different. I remember that big businesses tend
to create environment with single sign-on. Otherwise access control
system quickly gets unmanageable.

To satisfy both corporate needs and needs of solution providers creating
stand-alone applications security system should do the following:
1) store authorization information (grants) in database where data is
2) users and roles should also be stored in database where data is
located. These objects may be local (as local users on UNIX box) or
bound to one of Pluggable Authentication Modules.
3) we need a number of Pluggable Authentication Modules (currently, I
see a need in redirection to Linux/Unix pluggable security API, LDAP and
Kerberos). With this regard, Firebird security database is just one case
of PAM, just very simple one.

This stuff was thought about and discussed long time ago. I remember
John Bellardo had it working in some form a year or so ago. It was not
finished before 1.5 release (and AFAIU, required too big ODS changes).
This work was taken over by Dmitry and I remember he published a plan to
finish it after 1.5 release.