db-derby-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Rick Hillegas (JIRA)" <j...@apache.org>
Subject [jira] Commented: (DERBY-2264) Restrict shutdown, upgrade, and encryption powers to the database owner
Date Tue, 13 Feb 2007 17:19:57 GMT

    [ https://issues.apache.org/jira/browse/DERBY-2264?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#action_12472771

Rick Hillegas commented on DERBY-2264:

Hi Dag,

I just want to punch up the upgrade implications of what we're proposing:

By now there must be scores of legacy applications which use Derby authentication. For many
of these applications, the DBA owner is APP. When these applications upgrade to 10.3, no-one
will be able to shut them down. That is because APP is probably not a real user with a real
password. The affected applications have this shape:

1) Created with authentication turned off. This is what makes APP the DBA.

2) Authentication turned on later after users and passwords were defined.

The workaround for these applications will be this:

A) Create an account for APP.

B) Change the application so that, when it shuts down, it re-connects to the database as APP,
not as the current user.

What are the imp;lications of not shutting down the database gracefully when the application
exits? A long time ago this used to mean that the log file would just keep growing indefinitely.
Has this behavior changed? If it's ok to shutdown gracelessly, then another workaround may
be this:

C) Re-code the application to swallow the concluding exception which says that shutdown failed.

We seem to have some misgivings that many legacy applications will fit this profile. There
seem to be two proposals for how to limit this exposure:

i) Limit the exposure to a subset of applications created since 10.2, viz., applications which
have enabled SQL authorization.

ii) Limit the exposure to read-only applications.

At this point, I'm not too keen on either of these techniques. To me they muddy the model
laid out in the attached functional spec. I'm not happy about the affect on legacy applications.
However, I think that a good Release Note might be our best approach.

> Restrict shutdown, upgrade, and encryption powers to the database owner
> -----------------------------------------------------------------------
>                 Key: DERBY-2264
>                 URL: https://issues.apache.org/jira/browse/DERBY-2264
>             Project: Derby
>          Issue Type: New Feature
>          Components: Security, SQL
>            Reporter: Rick Hillegas
>         Assigned To: Dag H. Wanvik
>         Attachments: dbaPowers.html, dbaPowers.html
> This JIRA separates out the database-owner powers from the system privileges in the master
security JIRA DERBY-2109. Restrict the following powers to the database owner for the moment:
shutdown, upgrade, and encryption.

This message is automatically generated by JIRA.
You can reply to this email to add a comment to the issue online.

View raw message