db-derby-commits mailing list archives

From Apache Wiki <wikidi...@apache.org>
Subject [Db-derby Wiki] Update of "JMXSecurityExpectations" by JohnHEmbretsen
Date Fri, 15 Feb 2008 13:39:07 GMT
Dear Wiki user,

You have subscribed to a wiki page or wiki category on "Db-derby Wiki" for change notification.

The following page has been changed by JohnHEmbretsen:
http://wiki.apache.org/db-derby/JMXSecurityExpectations

------------------------------------------------------------------------------
+ ~-Parent: DerbyProposals-~
+ 
  = JMX Security Expectations =
  
  Security expectations for the JMX Management and Monitoring features added by [https://issues.apache.org/jira/browse/DERBY-1387
DERBY-1387].
@@ -51, +53 @@

      * `derby.database.readOnlyAccessUsers`
  
   * * is a wildcard (for example, '''*-authc''' includes '''jmx-authc''', '''derby-authc'''
and '''db-authc''').
+ 
+ It may also be helpful to frame the discussion in terms of the following roles (extracted
from mail thread #1 above):
+   * '''VM-Admin''' - This is the account which starts up the JVM which is running Derby.
This user has full control of the VM.
+   * '''!DerbyNet-Admin''' - This is the person who configures Derby's network behavior.
+   * '''Engine-Admin''' - This is the person who configures Derby's system-wide behavior.
Probably this is the !DerbyNet-Admin. However, the discussion on [https://issues.apache.org/jira/browse/DERBY-2109
DERBY-2109] has presented a case for separating these two roles.
+   * '''DB-Admin''' - This is a person who configures a particular Derby database - the Database
Owner.
+   * '''!OtherApp-Admin''' -  This is a person who configures another application which runs
in the same VM as Derby.
        
  
  == Security Expectations ==
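Review bot: The added '''Engine-Admin''' bullet says "Probably this is the !DerbyNet-Admin" and then cites DERBY-2109 as a case for separating the two roles, so the list leaves open whether these are one role or two. Suggest defining Engine-Admin and !DerbyNet-Admin as distinct roles and noting that one person may hold both. The '''VM-Admin''' bullet describes "the account" while the other four bullets describe "the person"; use one term throughout. The pointer "mail thread #1 above" depends on text outside this hunk, so consider linking the thread directly in this sentence.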
@@ -59, +68 @@

  
  When the Derby system starts, and Derby's JMX features are enabled, and sufficient JMX support
is available in the JVM running Derby, then Derby will establish a Management Service (JMX
Agent) by (among other things) creating/retreiving an `MBeanServer`. MBeans must be registered
with this `MBeanServer` in order to become accessible to valid JMX users.
  
- Credentials supplied during any kind of authentication process may not be accessed or be
reused by another JMX user. Every JMX user/client must provide credentials if authentication
is enabled, in order to access sensitive parts of the system.
+ The following paragraph sums up the community's expectations with regards to tDerby's JMX
features:
  
- After system startup, the following MBeans may be registered with the `MBeanServer` and
thus enabled:
+ '''''A valid JMX user (a user able to connect via JMX to Derby's `MBeanServer`) should in
general not be able to access information or perform operations that would otherwise be restricted
by Derby's existing security mechanisms (authentication, authorization, Security Manager,
etc.).'''''
+ 
+ Summarized, the main issues that need to be sorted out are:
+   * ''A (Derby) system admin (possibly including both VM-Admin, !DerbyNet-Admin and Engine-Admin)
should not necessarily have access to all databases booted in the system''
+   * ''A database admin (DB-Admin) should not necessarily be able to access system-level
Derby settings.''
+ 
+ Credentials supplied during any kind of authentication process may not be accessed or be
reused by another JMX user. Every JMX user/client must provide credentials if authentication
is enabled, in order to access sensitive parts of the Derby system and/or a database.
+ 
  
  === Suggested MBeans ===
  
