db-derby-dev mailing list archives

From Rick Hillegas <Richard.Hille...@Sun.COM>
Subject Re: [jira] Commented: (DERBY-2109) System privileges
Date Thu, 14 Dec 2006 22:41:50 GMT
Thanks, David and Lance, for elaborating on the usability issue raised 
by Øystein: policy files can be tricky to work with.

It seems to me a sysadmin needs our system privileges because she wants 
to prevent malicious shutdown (shutdownEngine privilege) and resource 
hogging (createDatabase privilege). I suspect that she also wants to 
control malicious shutdown via unauthorized calls to System.exit() and 
resource hogging via unauthorized use of java.io classes. For instance, 
she needs to prevent the following:

  -- Java routine whose external name maps straight onto java.lang.System.exit(int)
  create procedure exitNow( in statusValue int )
  language java
  parameter style java
  no sql
  external name 'java.lang.System.exit'

  -- invoking it halts the whole JVM, not just the session, unless a SecurityManager refuses the exit
  call exitNow( 1 );

What I'm suggesting is that the sysadmin needs to run the vm under a 
SecurityManager anyway if she's shy about unauthorized shutdown and 
resource hogging. That means she already needs to understand policy 
files in order to grant Derby sufficient privilege to even run--as 
documented in the Developer's Guide. The incremental learning curve for 
our new privileges is slight, I think.

I'm not saying that policy files are trivial. I'm just saying the 
sysadmin already needs to understand them if she's going to control 
shutdown and resource hogging.


Lance J. Andersen wrote:
> I agree with David on this that policy files are painful.
> David Van Couvering wrote:
>> Rick Hillegas (JIRA) wrote:
>>> 2) Unfamiliar api. Oracle, DB2, Postgres, and MySQL all handle 
>>> system privileges in different ways. Picking one of these models 
>>> would still result in an api that's unfamiliar to many people. That 
>>> said, these databases do tend to use GRANT/REVOKE for system 
>>> privileges, albeit each in its own peculiar fashion. I agree that 
>>> GRANT/REVOKE is an easier model to learn than Java Security. I think 
>>> however, that the complexity of Java Security is borne by the 
>>> derby-dev developer, not by the customer. Creating a policy file is 
>>> very easy and our user documentation gives simple examples which the 
>>> naive user can just crib. With adequate user documentation, I think 
>>> this approach would be straightforward for the customer.
>> I must respectfully disagree that "creating a policy file is very 
>> easy." I think it's a royal PITA - the syntax is complex, 
>> nonintuitive and unforgiving.
>> Can we provide a GRANT/REVOKE interface on top of an implementation 
>> that uses JAAS?
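Added example, not code from this thread or from Derby: it invokes System.exit reflectively, the way the exitNow routine above resolves to it, and shows the check a SecurityManager applies (the class name ExitGuardDemo is an assumption; the JVM flags are the standard ones):

```java
import java.lang.reflect.InvocationTargetException;
import java.lang.reflect.Method;

/**
 * Without a SecurityManager the reflective call halts the JVM. With one
 * installed, Runtime.exit asks for RuntimePermission "exitVM.<status>";
 * the JDK's default policy does not grant it to application code, so the
 * call fails with a SecurityException instead of shutting the engine down.
 * A policy file would have to grant it explicitly, e.g.
 *   grant codeBase "file:/path/to/trusted.jar" {
 *     permission java.lang.RuntimePermission "exitVM.*";
 *   };
 *
 * Run:  java -Djava.security.manager ExitGuardDemo
 * (Java 17 warns that SecurityManager is deprecated; Java 18+ also needs
 *  -Djava.security.manager=allow before the property is honoured.)
 */
public class ExitGuardDemo {

    /** Calls System.exit(status) reflectively, as a mapped routine would. */
    static String callExitLikeARoutine(int status) {
        try {
            Method exit = System.class.getMethod("exit", int.class);
            exit.invoke(null, status);      // halts the JVM if permitted
            return "unreachable";
        } catch (InvocationTargetException e) {
            Throwable cause = e.getCause();
            if (cause instanceof SecurityException) {
                // e.g. access denied ("java.lang.RuntimePermission" "exitVM.1")
                return "blocked: " + cause.getMessage();
            }
            throw new IllegalStateException(cause);
        } catch (NoSuchMethodException | IllegalAccessException e) {
            throw new IllegalStateException(e);
        }
    }

    public static void main(String[] args) {
        if (System.getSecurityManager() == null) {
            System.out.println("No SecurityManager: the exit would halt the JVM.");
            System.out.println("Re-run with -Djava.security.manager to see the check.");
            return;
        }
        System.out.println(callExitLikeARoutine(1));
    }
}
```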
