Path: utzoo!utgpu!jarvis.csri.toronto.edu!rutgers!apple!agate!ucbvax!mtxinu!rtech!squid!robf
From: robf@squid.rtech.com (Robert Fair)
Newsgroups: comp.databases
Subject: Re: question about ingres/star
Keywords: answers
Message-ID: <3058@rtech.rtech.com>
Date: 7 Jul 89 11:55:10 GMT
References: <25504@shemp.CS.UCLA.EDU>
Sender: news@rtech.rtech.com
Reply-To: robf@squid.UUCP (Robert Fair)
Distribution: usa
Organization: Relational Technology, Inc.
Lines: 62

jhwang@CS.UCLA.EDU () writes:
>
>I had the following permission problem while runnung ingres/star :
>
>I created a database navyd at one site : ipswich. The following
>permission problem occurs when I tried to remotely retrieve
>relation "ship" from other node :
>
>3500: No permission for RETRIEVE on table ship
>26002: Above error from Node: IPSWICH  Database: IINAVYD
>
>Has anyone has the similar problem before ? 
>Also, ingres star does not recognize "define permit" command.
>
The crucial concept  here is that INGRES/STAR respects the autonomy of
local databases - this means that if you can't access data locally then
you can't access it through Star either (this stops any potential security 
loopholes at the local site.)

As a result:
- Permits are defined at the LOCAL level, not the Star level.
- When Star logs into a local database (usually through INGRES/NET) the
  effective local user has to have appropriate access permissions.

To give an example, user 'fred' on machine 'central' is accessing a
Star database  with links to table 'info' in database 'infodb' on 
node 'infonode'. When Fred issues a query on 'info' Star fires up
a backend on 'infonode' to run the query, using INGRES/NET for
data transfer. To run the backend there has to be an effective
rlogin running on 'infonode', with an assocoiated username. 
This username is set by INGRES/NET and is defined by "ingnetdef" utility, 
which basically says: 
	"Whenever you login to machine "x", use username "y" with
	 password "zzz"
("x","y" and "zzz" are settable by Fred on his 'central' node).

The net result of all this is if username "y" has been setup as an
INGRES user without any permits then the local backend on 'infonode'
will not allow him/her to access the data, and you'll get the above
error.

A couple of suggestions to avoid this kind of problem:
1) Make sure the NET login information (ingnetdef) is accurate.
2) Make sure the remote login has the appropriate local permits.

BTW, in INGRES 6.2 STAR there is a nice new command to allow commands
to be passed directly to the local DBMS:

    DIRECT CONNECT WITH NODE='infonode', DATABASE='infodb', DBMS='ingres';
    /* ... */
    GRANT SELECT ON info TO PUBLIC;
    /* ... */
    DIRECT DISCONNECT    

When in DIRECT mode Star doesn't interpret the commands, so you can use
any features specific to that local DBMS (which may or may not be INGRES)
There is a similar DIRECT EXECUTE IMMEDIATE statement for running
single commands.

Robert Fair
Technical Support 
Relational Technology, Inc