About shardingsphere authrity

[lwclover]

I think shardingsphere authrity should be database-independent.
that means when we use mysql 'create user' and 'grant '，don`t execute on the database.just persist data on registry center enough.

Welcome to leave a comment and discuss.

[gloriawish]

really interesting. this is a good idea.

[RaigorJiang]

Hi @lwclover ,
I took note of your suggestion and did some research on the authrity engine, and I think it is indeed necessary to make the authrity
storage independent of the underlying databases (resources).

Here are some reasons:

1. Different databases, such as MySQL, PostgreSQL, and Oracle, have different authorization and query ways. Compatibility with them is a complicated task;
2. ShardingSphere uses logical schemas, and these schemas do not exist in the resources, the authorization information of the logical schema must be maintained in ShardingSphere;
3. When using the sharding feature, the user uses the logical table name (t_order) to authorize, while the actual tables (t_order_0, t_order_1...) exist in the resources, and the tables owned by each resource are different.
4. In ShardingSphere, resources can be dynamically added or dropped. When a resource changes, do privileges need to be synchronized?
5. When using ShardingSphere-Proxy, there can be no resource, and the authorization information cannot be lost;
6. In fact, the existing Native authority provider is not easy to use.

Therefore, I agree to make ShardingSphere's authrity system independent of the databases and mark the existing Native authority provider as Deprecated.

Ref: AuthorityProvideAlgorithm

[ricemouse]

Yes, if shardingshpere is used as data gateway, then user should not care about the data authority underline, all access control should be made on gateway. This also relieve the burden of manipulating underlying database authority. This will be a very interesting feature.