db-derby-commits mailing list archives

From Apache Wiki <wikidi...@apache.org>
Subject [Db-derby Wiki] Update of "DerbyJMXQuickStart" by JohnHEmbretsen
Date Thu, 17 Apr 2008 12:27:39 GMT
Dear Wiki user,

You have subscribed to a wiki page or wiki category on "Db-derby Wiki" for change notification.

The following page has been changed by JohnHEmbretsen:
http://wiki.apache.org/db-derby/DerbyJMXQuickStart

The comment on the change is:
Added example security policy entries

------------------------------------------------------------------------------
  [[Anchor(SecurityPolicy)]]
  === Fine-grained authorization: Security policy ===
  
- When starting the Derby Network Server from the command line, it installs a basic security
policy by default. This policy includes the required permissions to allow JMX users to access
Derby's MBeans if JMX authentication is disabled. If JMX authentication is enabled, you may
need to grant additional permissions to specific users (JMXPrincipals).
+ When starting the Derby Network Server from the command line, it installs a security manager
and a basic security policy by default. This policy includes the required permissions to allow
JMX users to access Derby's MBeans if JMX user authentication is ''disabled''. If JMX user
authentication is ''enabled'', you may need to grant additional permissions to specific users
(JMXPrincipals).
  
- If you are using a custom security policy, refer to the [http://db.apache.org/derby/javadoc/publishedapi/
public API] of Derby's MBeans and Derby's template security policy file ($DERBY_HOME/demo/templates/server-policy)
for details about the permissions you may need to set to allow or restrict specific JMX access.
See also ["JMXSecurityExpectations"].
+ If you are using a custom security policy, refer to the [http://db.apache.org/derby/javadoc/publishedapi/
public API] of Derby's MBeans and Derby's template security policy file ($DERBY_HOME/demo/templates/server-policy)
for details about the permissions you may need to set to allow or restrict specific JMX access.
See also ["JMXSecurityExpectations"]. This also applies if you are running Derby embedded
with a security manager installed.
  
  Some example permissions are included below. Note that these permissions are not necessarily
suitable for any particular application or environment; some customization is probably needed.
  
- ''TODO - Add example policy here...''
+ Only permissions relating to the Derby 10.4.1 JMX features have been included in the example
below. Additional permissions are needed in order to enjoy regular use of Derby. (You may
want to copy and paste the text into a text editor without line wrapping to increase redability.)
+ 
+ {{{
+ //
+ // permissions for the user/principal "controlRole", for all codebases:
+ //
+ grant principal javax.management.remote.JMXPrincipal "controlRole" {
+ 
+   // Derby system permissions (what is the user allowed to do?)
+   //  See Javadocs for SystemPermission and the specific MBeans for details.
+   permission org.apache.derby.security.SystemPermission "jmx", "control";
+   permission org.apache.derby.security.SystemPermission "engine", "monitor";
+   permission org.apache.derby.security.SystemPermission "server", "monitor,control";
+ 
+   // MBean permissions (which mbeans and associated actions should be allowed for this user?)
+   //  Target name format is: className#member[objectName], where objectName is: domain:keyProperties
+   //  * means "all". See MBeanPermission Javadocs for details.
+   permission javax.management.MBeanPermission "org.apache.derby.mbeans.*#*[org.apache.derby:*]",
"getAttribute";
+   permission javax.management.MBeanPermission "org.apache.derby.mbeans.JDBCMBean#acceptsURL[org.apache.derby:*]",
"invoke";
+   permission javax.management.MBeanPermission "org.apache.derby.mbeans.drda.NetworkServerMBean#ping[org.apache.derby:*]",
"invoke";
+   permission javax.management.MBeanPermission "org.apache.derby.mbeans.ManagementMBean#*[org.apache.derby:*]",
"invoke";
+ 
+   // Extra permissions for application controlled ManagementMBean:
+   //   Not needed if you do not intend to create/register your own Derby Management MBean.
+   //   Wildcards (*) allow all domains, key properties and MBean members. You may want to
be more specific here.
+   permission javax.management.MBeanPermission "org.apache.derby.mbeans.Management#-[*:*]",
"instantiate,registerMBean,unregisterMBean";
+   permission javax.management.MBeanPermission "org.apache.derby.mbeans.Management#*[*:*]",
"invoke";
+ 
+   //
+   // jconsole:
+   //  - most of these permissions are needed to let JConsole query the MBean server and
display information
+   //    about Derby's mbeans as well as some default platform MBeans/MXBeans.
+   //  - if you don't use jconsole, but query the MBean server from your JMX client app,

+   //    some of these permissions may be needed.
+   permission javax.management.MBeanPermission "org.apache.derby.mbeans.*#-[org.apache.derby:*]",
"getMBeanInfo,queryNames,isInstanceOf";
+   permission javax.management.MBeanPermission "sun.management.*#-[java.*:*]", "getMBeanInfo,isInstanceOf,queryNames";
+   permission javax.management.MBeanPermission "sun.management.*#*[java.*:*]", "getAttribute,invoke";
+   permission javax.management.MBeanPermission "sun.management.*#-[com.sun.management*:*]",
"getMBeanInfo,isInstanceOf,queryNames";
+   permission javax.management.MBeanPermission "com.sun.management.*#-[java.*:*]", "getMBeanInfo,isInstanceOf,queryNames";
+   permission javax.management.MBeanPermission "com.sun.management.*#*[java.*:*]", "getAttribute,invoke";
+   permission javax.management.MBeanPermission "java.*#-[java.*:*]", "getMBeanInfo,isInstanceOf,queryNames";
+   permission javax.management.MBeanPermission "javax.management.MBeanServerDelegate#-[JMImplementation:type=MBeanServerDelegate]",
"getMBeanInfo,isInstanceOf,queryNames,addNotificationListener";
+   permission java.net.SocketPermission "*", "resolve";
+   permission java.util.PropertyPermission "java.class.path", "read";
+   permission java.util.PropertyPermission "java.library.path", "read";
+   permission java.lang.management.ManagementPermission "monitor";
+   // end jconsole
+ };
+ 
+ 
+ grant codeBase "${derby.install.url}derby.jar"
+ {
+   // Allows Derby to create an MBeanServer:
+   //
+   permission javax.management.MBeanServerPermission "createMBeanServer";
+ 
+   // Allows access to Derby's built-in MBeans, within the domain org.apache.derby.
+   // Derby must be allowed to register and unregister these MBeans.
+   // It is possible to allow access only to specific MBeans, attributes or 
+   // operations. To fine tune this permission, see the javadoc of 
+   // javax.management.MBeanPermission or the JMX Instrumentation and Agent 
+   // Specification. 
+   //
+   permission javax.management.MBeanPermission "org.apache.derby.*#[org.apache.derby:*]",
"registerMBean,unregisterMBean";
+ 
+   // Trusts Derby code to be a source of MBeans and to register these in the MBean server.
+   //
+   permission javax.management.MBeanTrustPermission "register";
+ 
+   // Gives permission for JMX to be used against Derby.
+   // If JMX user authentication is being used, a whole set of fine-grained
+   // permissions need to be granted to allow specific users access to 
+   // MBeans and actions they perform (see JMXPrincipal permissions above).
+   // Needed to allow access to all actions related to mbeans in the
+   // org.apache.derby.mbeans pagage.
+   //
+   permission org.apache.derby.security.SystemPermission "jmx", "control";
+   permission org.apache.derby.security.SystemPermission "engine", "monitor";
+   permission org.apache.derby.security.SystemPermission "server", "monitor";
+ 
+   // add additonal derby.jar related permissions here...
+ };
+ 
+ 
+ grant codeBase "${derby.install.url}derbynet.jar"
+ {
+   // Accept connections from any host (only localhost access is required for JMX).
+   //
+   permission java.net.SocketPermission "*", "accept"; 
+ 
+   // For outbound MBean operations such as NetworkServerMBean's ping:
+   // The wildcard "*" is to allow pings to both localhost and any other server host.
+   //
+   permission java.net.SocketPermission "*", "connect,resolve"; 
+ 
+   // Gives permission for JMX to be used against Derby.
+   // If JMX user authentication is being used, a whole set of fine-grained
+   // permissions need to be granted to allow specific users access to 
+   // MBeans and actions they perform (see JMXPrincipal permissions above).
+   // Needed to allow access to all actions related to the NetworkServerMBean.
+   //
+   permission org.apache.derby.security.SystemPermission "server", "control,monitor";
+ 
+   // add additonal derbynet.jar related permissions here...
+ 
+ }}}
+ 
+ Note that in the example above the system property `derby.install.url` is used to tell the
security manager/policy implementation where to find the codebases `derby.jar` and `derbynet.jar`.
Using a property provides flexibility - however, you may avoid the use of such a property
by specifying the full codebase URLs directly in the policy file. The value of this property
may be specified on the command line, for example
+ {{{
+ -Dderby.install.url=file:/home/user/derby/10.4.1.3/lib/
+ }}}
+ or
+ {{{
+ -Dderby.install.url=file:/C:/derby/10.4.1.3/lib/
+ }}}
+ 
+ For more information about policy files, granting permissions, and property expansion, see
[http://java.sun.com/javase/6/docs/technotes/guides/security/PolicyFiles.html Default Policy
Implementation and Policy File Syntax] and [http://java.sun.com/javase/6/docs/technotes/guides/security/PolicyGuide.html
Policy File Creation and Management].
+ 
  
  [[Anchor(JConsoleAccess)]]
  == Using JConsole to access Derby's MBeans ==
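
Review bot: the `grant codeBase "${derby.install.url}derbynet.jar"` entry at the end of the example policy is never closed. Its opening `{` is followed by the "add additonal derbynet.jar related permissions here..." comment and then the wiki `}}}` terminator, with no `};` as the two preceding grant entries have, so anyone who copies the example verbatim gets an unterminated grant entry; add `};` before `}}}`. In the same entry, `permission java.net.SocketPermission "*", "accept";` is wider than its own comment says is required ("only localhost access is required for JMX"), so either show a localhost-scoped target or say why the wildcard is kept. Typos to fix in the added text: "redability", "pagage", and "additonal" (twice).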
