db-derby-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Dag.Wan...@Sun.COM (Dag H. Wanvik)
Subject Re: 10.3 Concern: Need to make DBO restrictions [Derby-2264] optional at upgrade
Date Tue, 29 May 2007 15:57:03 GMT

Hi,

Stanley Bradbury <Stan.Bradbury@gmail.com> writes:

> I feel strongly that the restrictions implemented by DERBY-2264 must
> be tied to sqlAuthorization (or a new property of it's own) being
> turned on.  The restrictions need to be optional at upgrade otherwise

I understand your concerns. I addressed the upgrade issue several
times in the discussion of this issue, but felt the community
preferred the semantics which are currently implemented, landing on
the side of a sensible secure-by-default behavior. Options:

    - label this a major release (11.0), lowering the expectancy for a
      painless upgrade with users.
    - postpose the 10.3 release and change the semantics to something
      else (tie enforcement to sqlAuthorization, introduce new
      property to turn this checking off (default on) or vice versa)
    - release it as it stands, but make a follow-up release with some
      knob to allow users to disable it; making sure to call this out
      in release notes. Note: since hard upgrade is among the operations
      restricted, users would likely (although not necessarily) get
      some hint of the issue early on ;)
    - pull the feature from 10.3 (I'd love to avoid that ;)
    - others?

We need to decide pretty quick; this is a bit late in the game.. What
say others?

Thanks,

Dag

> the feature will, by default, break compatibility for some
> applications using connection based authentication.  Put simply,
> removing the ability for any user to shutdown or upgrade a database
> will cause failures in systems that depend on that functionality.  I
> am certain that many Derby users like the near-zero-admin nature of
> the old authentication system.  This feature introduces an
> administrative account.  Dag originally suggested the feature be tied
> to sqlAuthorization (thank-you, Dag) when he noted that the patch
> caused some tests in derbyall to fail.  Now that I have had time work
> with the feature and better evaluate the impact I see this as
> necessary for compatibility.  This issue will be logged in JIRA before
> long but I chose to begin the discussion outside of JIRA to increase
> mailbox visibility.  Any opinions - agreements/objections?

Mime
View raw message