db-derby-commits mailing list archives

From Apache Wiki <wikidi...@apache.org>
Subject [Db-derby Wiki] Update of "JMXSecurityExpectations" by JohnHEmbretsen
Date Fri, 08 Feb 2008 17:07:50 GMT
Dear Wiki user,

You have subscribed to a wiki page or wiki category on "Db-derby Wiki" for change notification.

The following page has been changed by JohnHEmbretsen:

New page:
= JMX Security Expectations =

Security expectations for the JMX Management and Monitoring features added by [https://issues.apache.org/jira/browse/DERBY-1387 DERBY-1387].


== Overview ==

This is an effort to track and summarize conclusions from discussions on the derby-dev mailing
list and in [https://issues.apache.org/jira/browse/DERBY-1387 Jira] regarding JMX security
in Derby.

Relevant background information is available in Jira and the mail archives, including:
 * [https://issues.apache.org/jira/browse/DERBY-1387 DERBY-1387] (includes a functional specification)
 * [https://issues.apache.org/jira/browse/DERBY-2109 DERBY-2109]
 * [http://www.nabble.com/-jira--Created%3A-%28DERBY-1387%29-Add-JMX-extensions-to-Derby-td4770244.html Mail thread #1]
 * [http://db.markmail.org/message/v6npsxpyfrzxchiy?q=list:org%2Eapache%2Edb%2Ederby-dev Mail thread #1.1] (Protecting system properties)
 * [http://db.markmail.org/message/s7eqlhz6ydrufatl?q=list:org%2Eapache%2Edb%2Ederby-dev Mail thread #1.2] (JMX meeting system authorization)

== Terminology ==

 * Let's simplify things by saying that MBeans have essentially two states: ''enabled'' or ''disabled'':
    * An '''enabled''' (registered) MBean is visible/accessible to any valid JMX user.
    * A '''disabled''' (unregistered) MBean is not visible/accessible to any JMX user.

 * '''"Running Derby":'''
   Running the Derby engine with Derby's JMX Management and Monitoring features enabled, using
a JVM supporting all JMX features included in J2SE 5.0. This includes, for example, running
the Derby Network Server or Derby Embedded using a Java SE 6 JVM.

 * '''JMX user:'''
   A user connecting to the JVM running Derby and thereby possibly Derby's Management Service
through JMX, either VM-locally (from the same JVM), locally (from the same host as the host
running Derby), or remotely (from a different host than the host running Derby).
   A "valid" JMX user is a user who is successfully authenticated by the system (this includes
all JMX users when authentication is disabled).

 * '''JMX Authentication (''jmx-authc''):'''
   A user trying to access Derby's JMX services may need to provide some kind of credentials
(prove her identity) in order to connect to the `MBeanServer`. Whether or not to require JMX
authentication is up to the VM-Admin.

 * '''JMX Authorization (''jmx-authz''):'''
   Once authenticated, a user may be granted a certain set of rights to perform certain JMX-related
actions (read/write attributes, invoke operations, register MBeans, etc.). When authorization is
disabled, any valid JMX user may use and access all services offered by the Management Service
by default.

 * '''Derby system level authentication (''derby-authc''):'''
   The system-wide property `derby.connection.requireAuthentication` is `true`.

 * '''Derby database level authentication (''db-authc''):'''
   The database-wide property `derby.connection.requireAuthentication` is `true`.

 * '''Derby database level connection authorization (''db-authr''):'''
   A given user is authorized with either `fullAccess` (default), `readOnlyAccess` or `noAccess`
privileges. This is defined by the following database-wide properties:
    * `derby.database.defaultConnectionMode`
    * `derby.database.fullAccessUsers`
    * `derby.database.readOnlyAccessUsers`

 * `*` is a wildcard (for example, '''*-authc''' includes '''jmx-authc''', '''derby-authc'''
and '''db-authc''').

== Security Expectations ==

For the first revision of the JMX features, Derby's JMX features can either be enabled or
disabled at system startup only. The default is: ''disabled''.

When the Derby system starts, and Derby's JMX features are enabled, and sufficient JMX support
is available in the JVM running Derby, then Derby will establish a Management Service (JMX
Agent) by (among other things) creating/retrieving an `MBeanServer`. MBeans must be registered
with this `MBeanServer` in order to become accessible to valid JMX users.

Credentials supplied during authentication must not be accessible to, or reusable by, another JMX
user. Every JMX user/client must provide its own credentials if authentication is enabled.

After system startup, the following MBeans may be registered with the `MBeanServer` and thus
become accessible to valid JMX users:

=== VersionMBean ===

 * Displays version information from the running Derby instance.
 * Will be enabled "always".
 * All ''Attributes'' are available to all valid JMX users.
 * No ''Operations'' are defined in this MBean.

=== SystemMBean ===

 * Provides access to Derby system settings and other information on the system level in Derby.
This is handled by including ''Attributes'' in the MBean. A single ''Attribute'' may be defined
as '''read-only''' or '''readwrite'''.
 * Provides an MBean operation, `bootDatabase(url)`, which boots a given database.
 * May be enabled only if one of the following holds:
    * system-wide authentication ('''derby-authc''') is ''disabled'' in Derby (the default), or
    * system-wide authentication ('''derby-authc''') is ''enabled'' in Derby, and the JMX user
      has passed '''jmx-authc''' (and '''jmx-authz''') as well as '''derby-authc'''.

 * If System Privileges ([https://issues.apache.org/jira/browse/DERBY-2109 DERBY-2109]) are
enforced by Derby, then a valid JMX user cannot create a new database using the `bootDatabase(url)`
Operation unless this user has sufficient privileges to do so.

=== NetworkServerControlMgmtMBean ===

 * Provides access to the `NetworkServerControl` API and server-related settings.
 * Some settings are read-only, others are readwrite.
 * Includes ''Operations'' such as `ping()`, `traceConnection(...)` and `shutdown()`.
 * Same enabling policy as '''SystemMBean'''.
 * ''Operation'' `shutdown()` may be restricted by a Java security policy, in which case a
valid JMX user without sufficient privileges should not be allowed to shut down the Network
Server using this Operation.
   This requires integration with features developed with [https://issues.apache.org/jira/browse/DERBY-2109 DERBY-2109] (System Privileges).

=== DatabaseMBean ===

 * Provides access to database settings and operations.
 * Settings may be ''read-only'' or ''readwrite''.
 * A new '''DatabaseMBean''' will be created for each booted database. Such MBeans will be
enabled automatically if '''*-authc''' and '''db-authr''' are disabled.
 * If any of '''*-authc''' are enabled, the JMX user must pass all authentication checks ('''jmx-authc''',
'''derby-authc''', '''db-authc''') that are enabled for this type of access (connecting to
this particular database using this particular Derby system).
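The enabling policy and the credential expectation above, shown as an added Java (8+) example. This is illustration code written for this page, not Derby's own JMX implementation: the MBean names (`VersionInfo`, `SystemInfo`), the `example.derby` `ObjectName` domain, the in-memory user table and the `Properties` object standing in for `derby.properties` are all assumptions. The version bean is always registered; the system bean (which carries a `bootDatabase` operation) is registered only while `derby.connection.requireAuthentication` is not `true`; and a `JMXAuthenticator` on the connector server refuses any client that connects without a user/password pair, so an anonymous client never gets as far as seeing an MBean.

```java
// Added illustration, not Derby's own code. MBean names, the "example.derby"
// ObjectName domain, the user table and the Properties object are assumptions.
import java.util.Collections;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Map;
import java.util.Properties;
import java.util.Set;
import javax.management.MBeanServer;
import javax.management.MBeanServerConnection;
import javax.management.MBeanServerFactory;
import javax.management.ObjectName;
import javax.management.remote.JMXAuthenticator;
import javax.management.remote.JMXConnector;
import javax.management.remote.JMXConnectorFactory;
import javax.management.remote.JMXConnectorServer;
import javax.management.remote.JMXConnectorServerFactory;
import javax.management.remote.JMXPrincipal;
import javax.management.remote.JMXServiceURL;
import javax.security.auth.Subject;

public class DerbyJmxPolicyDemo {

    // Stand-in for VersionMBean: read-only attribute, no operations, always enabled.
    public interface VersionInfoMBean { String getVersionString(); }
    public static class VersionInfo implements VersionInfoMBean {
        public String getVersionString() { return "10.4.0.0 (assumed value)"; }
    }

    // Stand-in for SystemMBean: carries a sensitive operation, so it is registered
    // (enabled) only while derby-authc is disabled.
    public interface SystemInfoMBean { boolean isRequireAuthentication(); boolean bootDatabase(String url); }
    public static class SystemInfo implements SystemInfoMBean {
        private final Properties props;
        private final Set<String> booted = new HashSet<>();   // simulates the set of booted databases
        SystemInfo(Properties props) { this.props = props; }
        public boolean isRequireAuthentication() { return derbyAuthcEnabled(props); }
        public synchronized boolean bootDatabase(String url) { return booted.add(url); } // true on first boot
    }

    /** derby-authc is enabled iff derby.connection.requireAuthentication is "true". */
    static boolean derbyAuthcEnabled(Properties p) {
        return Boolean.parseBoolean(p.getProperty("derby.connection.requireAuthentication", "false"));
    }

    /** Registers the version bean always and the system bean only if derby-authc is off. */
    static void registerMBeans(MBeanServer mbs, Properties p) throws Exception {
        mbs.registerMBean(new VersionInfo(), new ObjectName("example.derby:type=Version"));
        if (!derbyAuthcEnabled(p)) {
            mbs.registerMBean(new SystemInfo(p), new ObjectName("example.derby:type=System"));
        }
    }

    /** jmx-authc: a connector server that rejects every client lacking a valid user/password pair. */
    static JMXConnectorServer startServer(MBeanServer mbs, Map<String, String> users) throws Exception {
        JMXAuthenticator auth = creds -> {
            if (!(creds instanceof String[]) || ((String[]) creds).length != 2) {
                throw new SecurityException("credentials required");
            }
            String[] up = (String[]) creds;
            if (!up[1].equals(users.get(up[0]))) {
                throw new SecurityException("bad credentials");
            }
            // One Subject per connection; nothing from it is handed to another client.
            return new Subject(true, Collections.singleton(new JMXPrincipal(up[0])),
                               Collections.emptySet(), Collections.emptySet());
        };
        Map<String, Object> env = new HashMap<>();
        env.put(JMXConnectorServer.AUTHENTICATOR, auth);
        JMXConnectorServer cs = JMXConnectorServerFactory.newJMXConnectorServer(
                new JMXServiceURL("service:jmx:rmi://"), env, mbs);   // no registry: stub rides in the address
        cs.start();
        return cs;
    }

    public static void main(String[] args) throws Exception {
        Properties derbyProps = new Properties();   // constructed stand-in for derby.properties
        derbyProps.setProperty("derby.connection.requireAuthentication", "true");   // derby-authc on
        MBeanServer mbs = MBeanServerFactory.createMBeanServer();
        registerMBeans(mbs, derbyProps);
        JMXConnectorServer cs = startServer(mbs, Collections.singletonMap("admin", "changeit"));
        try {
            try {   // anonymous client: refused at connect time, before it can see any MBean
                JMXConnectorFactory.connect(cs.getAddress()).close();
                System.out.println("UNEXPECTED: anonymous connect succeeded");
            } catch (SecurityException e) {
                System.out.println("anonymous client rejected: " + e.getMessage());
            }
            Map<String, Object> cenv = new HashMap<>();
            cenv.put(JMXConnector.CREDENTIALS, new String[] {"admin", "changeit"});
            try (JMXConnector c = JMXConnectorFactory.connect(cs.getAddress(), cenv)) {
                MBeanServerConnection conn = c.getMBeanServerConnection();
                System.out.println("version: " + conn.getAttribute(new ObjectName("example.derby:type=Version"), "VersionString"));
                System.out.println("SystemMBean enabled: " + conn.isRegistered(new ObjectName("example.derby:type=System")));
            }
        } finally {
            cs.stop();
        }
    }
}
```

With `derby.connection.requireAuthentication` set to `true` the authenticated client sees the version bean but `isRegistered` on the system bean returns `false`; flip the property to `false` before `registerMBeans` and the system bean becomes visible to every valid JMX user, which is exactly the case the page flags as needing the jmx-authc/derby-authc coupling. Note that the `JMXAuthenticator` here only establishes identity (jmx-authc); it grants no per-attribute or per-operation rights, so it does not model jmx-authz.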

== Notes/Issues ==

 * '''jmx-authc''' should be closely tied to derby-authc so that a user does not have to authenticate
twice (or more) in order to use a system-level MBean.
 * how to perform '''derby-authc''' checks without connecting to a database?
 * how to (easily and correctly) enforce [http://db.apache.org/derby/docs/dev/tuning/ctunsetprop23308.html ''Precedence of properties'']
and [http://db.apache.org/derby/docs/dev/tuning/ctunsetprop824533.html ''protection of database properties'']?
Are there existing utility methods or other mechanisms for this?
 * do we need a ''delegating MBean'', controlling when to enable/disable other "sensitive"
MBeans such as '''SystemMBean''' and '''NetworkServerControlMgmtMBean'''?
