db-derby-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Rick Hillegas (JIRA)" <j...@apache.org>
Subject [jira] Commented: (DERBY-2206) Provide complete security model for Java routines
Date Mon, 22 Jan 2007 21:16:30 GMT

    [ https://issues.apache.org/jira/browse/DERBY-2206?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#action_12466566
] 

Rick Hillegas commented on DERBY-2206:
--------------------------------------

At this point, we are talking about an API which diverges from the SQL standard in several
ways:

A) Jar ids, which are mandatory in SQL, are optional for us.

B) We have invented a pseudo-jar SYS.ENV, which does not appear in SQL.

C) We cannot preserve the derby.database.classpath search order without breaking the rules
for the jar-specific classpath set by SQLJ.ALTER_JAVA_PATH.

I have two misgivings:

1) I am worried that we will confuse both ourselves and our customers with an API which is
neither the SQL standard nor the old, familiar Cloudscape API.

2) I am worried that we have not stepped back and discussed the customer experience in terms
of upgrade expectations and default, out-of-the-box behavior.

Right now, I'd like to get some clarity on issue (2). Are we expecting any of the following:

i) That Derby will be secure-by-default? Or is routine-security something you have to explicitly
opt into?

ii) That users upgrading to 10.3 won't have to change their applications?



> Provide complete security model for Java routines
> -------------------------------------------------
>
>                 Key: DERBY-2206
>                 URL: https://issues.apache.org/jira/browse/DERBY-2206
>             Project: Derby
>          Issue Type: New Feature
>          Components: Security, SQL
>            Reporter: Rick Hillegas
>             Fix For: 10.3.0.0
>
>
> Add GRANT/REVOKE mechanisms to control which jar files can be mined for user-created
objects such as Functions and Procedures. In the future this may include Aggregates and Function
Tables also. The issues are summarized on the following wiki page: http://wiki.apache.org/db-derby/JavaRoutineSecurity.
Plugin management can be tracked by this JIRA rather than by DERBY-2109. This is a master
JIRA to which subtasks can be linked.

-- 
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators: https://issues.apache.org/jira/secure/Administrators.jspa
-
For more information on JIRA, see: http://www.atlassian.com/software/jira

        

Mime
View raw message