db-derby-commits mailing list archives

From Apache Wiki <wikidi...@apache.org>
Subject [Db-derby Wiki] Update of "JMXSecurityExpectations" by DanDebrunner
Date Mon, 18 Feb 2008 17:40:34 GMT
Dear Wiki user,

You have subscribed to a wiki page or wiki category on "Db-derby Wiki" for change notification.

The following page has been changed by DanDebrunner:

The comment on the change is:
Add some more information about JMX authentication, authorization and access.

   * '''JMX Authentication (''jmx-authc''):'''
     A user trying to access Derby's JMX services may need to provide some kind of credentials
(prove her identity) in order to connect to the `MBeanServer.` Whether or not to require JMX
authentication is up to the VM-Admin. 
+    * If '''JMX Authentication''' is enabled then '''JMX Access''' is required. This is a
simple authorization scheme (c.f. Derby's connection level authorization) that defines JMX
authentication users as either '''readwrite''' or '''readonly'''. Note that finer grained
authorization is provided by the policy file for the security manager.
+      * '''readwrite''' can read and write attributes and invoke operations on MBeans.
+      * '''readonly''' can only read attributes on MBeans.
   * '''JMX Authorization (''jmx-authz''):''' 
     Once authenticated, a user may be granted a certain set of rights to perform certain
JMX-related actions (read/write attributes, invoke
-    operations, register MBeans, etc.). When authorization is disabled, any valid JMX user
may use and access all services offered by the Management Service by default.
+    operations, register MBeans, etc.) through standard Java security manager permissions.
When authorization is disabled by there not being a security manager on the jvm being monitored,
any valid JMX user may use and access all services offered by the Management Service subject
to their JMX access level.
   * '''Derby system level authentication (''derby-authc''):'''
     The system-wide property `derby.connection.requireAuthentication` is `true`.
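Review bot: the rewritten jmx-authz sentence ends with "subject to their JMX access level", but the bullet added under jmx-authc ties JMX Access to JMX Authentication being enabled, so the case with no authentication and no security manager is left undefined. Say explicitly what a JMX client may do in that configuration, since it is the least restricted one. The wording "When authorization is disabled by there not being a security manager on the jvm being monitored" is also hard to parse; something like "When the monitored JVM runs without a security manager, authorization is disabled and any valid JMX user may ..." states the same condition more clearly, and "c.f." should be "cf.".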
@@ -131, +134 @@

   * If any of '''*-authc''' are enabled, the JMX user must pass all authentication checks
('''jmx-authc''', '''derby-authc''', '''db-authc''') that are enabled for this type of access
(connecting to this particular database using this particular Derby system). 
      * /!\ Why is '''derby-authc''' included here, to connect to a database '''derby-authc'''
is not required, so why to administer it?
        * Isn't passing '''derby-authc''' required if it has been enabled programmatically,
unless `derby.database.propertiesOnly=true`?
+       * No, to connect to a database only database authentication is needed. ('''db-authc'''').
  == Notes/Issues ==
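Review bot: the added answer "No, to connect to a database only database authentication is needed" conflicts with the unchanged parent bullet, which still requires the JMX user to pass every enabled check, derby-authc included. If the answer is the intended expectation, fold it into the parent bullet (or state when derby-authc does apply) instead of leaving the resolution in a nested reply, and address the `derby.database.propertiesOnly=true` case raised in the question it follows. The closing markup in ('''db-authc'''') has four apostrophes where three are needed, and the period belongs after the parenthesis.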
