db-derby-commits mailing list archives

From Apache Wiki <wikidi...@apache.org>
Subject [Db-derby Wiki] Update of "JMXSecurityExpectations" by DanDebrunner
Date Thu, 21 Feb 2008 18:46:03 GMT
Dear Wiki user,

You have subscribed to a wiki page or wiki category on "Db-derby Wiki" for change notification.

The following page has been changed by DanDebrunner:
http://wiki.apache.org/db-derby/JMXSecurityExpectations

The comment on the change is:
Add some potential new permissions to control JMX management.

------------------------------------------------------------------------------
  
  Credentials supplied during any kind of authentication process may not be accessed or be
reused by another JMX user. Every JMX user/client must provide credentials if authentication
is enabled, in order to access sensitive parts of the Derby system and/or a database.
  
- === Proposal - Access Control - Proposal ===
+ === Proposal - MBean Access Control - Proposal ===
  
- Require that every action on an MBean (read attribute, write attribute, operation) undergoes
a single authorization check in addition to any implicit JMX management permission checks
(e.g. invoke permission on a specific MBean operation is an implicit check). The authorization
check is '''one''' of:
+ Require that every action on an MBean (read attribute, write attribute, operation) undergoes
at least one single authorization check in addition to any implicit JMX management permission
checks (e.g. invoke permission on a specific MBean operation is an implicit check). The authorization
check is '''one''' of:
   * Java security manager permission
   * Database authorization (GRANT/REVOKE)
  
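Review bot: the rewritten sentence in this hunk says "at least one single authorization check", which contradicts itself, and the same sentence then says the check "is '''one''' of" two options; it should say which model is meant. If every MBean action needs exactly one of the two checks, keep "a single authorization check" and state how the choice is made per action (system MBeans via a SystemPermission, database MBeans via GRANT/REVOKE on the matching system procedure, as the examples further down already imply). If both may apply to one action, say whether they are alternatives (either suffices) or cumulative (both required), otherwise a policy grant of a monitor action plus database EXECUTE is ambiguous. The expectation should also cover the case where no Java security manager is installed: a SystemPermission check is then not enforced, so for system MBeans only the implicit JMX management checks remain, and that is worth stating explicitly in a page titled "security expectations". Minor: the new heading repeats "Proposal" at both ends; "=== Proposal - MBean Access Control ===" would match the other headings.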
@@ -98, +98 @@

  
  ==== Examples ====
  
-  * Get attribute methods on VersionMBean would require `SystemPermission("monitor")`
+  * Get attribute methods on VersionMBean for the network server would require `SystemPermission("serverMonitor")`
-  * Setting attributes on a system MBean would require `SystemPermission("control")`
+  * Setting attributes on a system MBean would require `SystemPermission("engineControl")`
   * Shutdown method on a network server control MBean would require `SystemPermission("shutdown")`
(from DERBY-2109)
   * Getting attributes representing database properties on a database MBean require `EXECUTE`
on `SYSCS_GET_DATABASE_PROPERTY`.
   * Setting attributes representing database properties on a database MBean requires `EXECUTE`
on `SYSCS_SET_DATABASE_PROPERTY`.
   * Getting non-database properties attributes would require `DatabasePermission("monitor")`
for the specific database.
+ 
+ ==== New System Permissions ====
+ New actions to be added to Derby's permission class `org.apache.derby.security.SystemPermission`.
+ 
+  * !SystemPermission("jmxControl") - ability to start and stop Derby's JMX management
+  * !SystemPermission("serverControl") - ability to control the network server and see sensitive
information like host, port number
+  * !SystemPermission("serverMonitor") - ability to monitor the network server
+  * !SystemPermission("engineControl") - ability to control the engine (not sure of a use
here yet)
+  * !SystemPermission("engineMonitor") - ability to monitor the engine (not sure of a use
here yet)
+ 
+ Could also have these:
+  * !SystemPermission("control") - implies "jmxControl,serverControl,engineControl"
+  * !SystemPermission("monitor") - implies "serverMonitor,engineMonitor"
+ 
+ May not be worth it as it's just as easy to specify multiple permissions in the policy file
and having the
+ single value implies others may cause issues when a new class is added, e.g. replicationControl.
Would an existing
+ policy file with SystemPermission("control") automatically gain replicationControl?
+ 
+ ==== New Database Permissions ====
+ New actions to be added to Derby's permission class `org.apache.derby.security.DatabasePermission`.
+  * !DatabasePermission("control") - ability to see control the database and see sensitive
information (e.g. authentication settings, database name)
+  * !DatabasePermission("monitor") - ability to see monitoring information about the database
(e.g. current connection count).
+ 
+ ==== Notes on new permissions ====
+ Exact use for these various permissions may become clear as attributes and operations are
added to MBeans (and new MBeans added).
+ 
+ Some care may be needed with database permissions, to have a clear consistent story as to
if DatabasePermission("monitor")
+ is required or just database authentication and grant/revoke.
  
  === Suggested MBeans ===
  

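Review bot: the examples and the new permission list in this hunk do not line up: "Setting attributes on a system MBean would require SystemPermission("engineControl")" is stated for all system MBeans, but the VersionMBean example just above maps the network server's attributes to "serverMonitor", so a set on a network-server MBean should presumably need "serverControl" rather than "engineControl"; suggest splitting the set example by MBean the same way the get example was split. On the question under "Could also have these": if "control" is implemented as an action whose implies() covers a list of other actions, then a policy file granting SystemPermission("control") does automatically gain any action later added to that list (replicationControl in the example), i.e. an administrator's grant silently widens on upgrade; that is a concrete reason to drop the umbrella actions and require explicit action lists in the policy file, which is the direction the paragraph already leans. Under "New Database Permissions" the first bullet reads "ability to see control the database", which looks like a stray word. Finally, "Notes on new permissions" should say whose permissions a DatabasePermission check applies to, the Derby code base or the authenticated JMX client's principal through a principal-based grant in the policy file, since that decides whether the Java permission path and the GRANT/REVOKE path are checking the same identity at all.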