Return-Path: Delivered-To: apmail-db-derby-dev-archive@www.apache.org Received: (qmail 20322 invoked from network); 5 Jun 2007 17:55:15 -0000 Received: from hermes.apache.org (HELO mail.apache.org) (140.211.11.2) by minotaur.apache.org with SMTP; 5 Jun 2007 17:55:15 -0000 Received: (qmail 80249 invoked by uid 500); 5 Jun 2007 17:55:18 -0000 Delivered-To: apmail-db-derby-dev-archive@db.apache.org Received: (qmail 80228 invoked by uid 500); 5 Jun 2007 17:55:18 -0000 Mailing-List: contact derby-dev-help@db.apache.org; run by ezmlm Precedence: bulk List-Help: List-Unsubscribe: List-Post: List-Id: Reply-To: Delivered-To: mailing list derby-dev@db.apache.org Received: (qmail 80219 invoked by uid 99); 5 Jun 2007 17:55:18 -0000 Received: from herse.apache.org (HELO herse.apache.org) (140.211.11.133) by apache.org (qpsmtpd/0.29) with ESMTP; Tue, 05 Jun 2007 10:55:18 -0700 X-ASF-Spam-Status: No, hits=0.0 required=10.0 tests=UNPARSEABLE_RELAY X-Spam-Check-By: apache.org Received-SPF: pass (herse.apache.org: local policy) Received: from [192.18.1.36] (HELO gmp-ea-fw-1.sun.com) (192.18.1.36) by apache.org (qpsmtpd/0.29) with ESMTP; Tue, 05 Jun 2007 10:55:12 -0700 Received: from d1-emea-09.sun.com ([192.18.2.119]) by gmp-ea-fw-1.sun.com (8.13.6+Sun/8.12.9) with ESMTP id l55Hspwc014234 for ; Tue, 5 Jun 2007 17:54:51 GMT Received: from conversion-daemon.d1-emea-09.sun.com by d1-emea-09.sun.com (Sun Java System Messaging Server 6.2-6.01 (built Apr 3 2006)) id <0JJ600901CCS6200@d1-emea-09.sun.com> (original mail from Dag.Wanvik@Sun.COM) for derby-dev@db.apache.org; Tue, 05 Jun 2007 18:54:50 +0100 (BST) Received: from khepri05.norway.sun.com ([129.159.112.194]) by d1-emea-09.sun.com (Sun Java System Messaging Server 6.2-6.01 (built Apr 3 2006)) with ESMTPSA id <0JJ6007D0CFD4C10@d1-emea-09.sun.com> for derby-dev@db.apache.org; Tue, 05 Jun 2007 18:54:50 +0100 (BST) Date: Tue, 05 Jun 2007 19:54:47 +0200 From: Dag.Wanvik@Sun.COM (Dag H. Wanvik) Subject: Re: Can't upgrade from 10.1 to 10.3 Sender: Dag.Wanvik@Sun.COM To: derby-dev@db.apache.org Message-id: <18021.41831.713952.549770@gargle.gargle.HOWL> MIME-version: 1.0 Content-type: text/plain; charset=us-ascii Content-transfer-encoding: 7BIT X-Draft-From: ("nnml:Derby-dev" 18260) References: <4660BEFC.9090606@gmail.com> <466450A4.8020307@apache.org> X-Virus-Checked: Checked by ClamAV on apache.org Daniel John Debrunner writes: > Shouldn't an upgrade from 10.1 change the database owner to the one > performing the upgrade? That's what DERBY-1544 states. > > http://issues.apache.org/jira/browse/DERBY-1544 Yes, and I have not touched that functionality. My comment about "APP" is only relevant for 10.2 and 10.3; previously the owner of the system schema was the pseduo user "DBA", sorry, not sure I ever knew that.. There is a bit of a bootstrap issue hidden here: the enforcement of dbo powers for upgrade relies on the dbo concept being in place, which really only happened with 10.2. Since we now with patch 8 of DERBY-2264 don't enforce unless sqlAuthorization is active, the upgrade from 10.1 is little impacted since upgrade is not restricted to the database owner because there is no sqlAuthorization in 10.1 - but there is one see snag I found, see below. I experimented a bit and found that with patch 8, upgrade from 10.1 -> 10.3 works with or without authentication as follows: *Without* authentication the new dbo gets to be "APP" or connecting user if given, and *with* authentication it gets to be the connecting user, as expected. It will even gladly make a bogus user the database owner, since authentication happens *after* the upgrade boot (happens for both 10.2 and 1.3 upgrade; I will file a separate issue for this..). SNAG: I found this can happen when upgrading from 10.1 to 10.3: - 10.1 database created with authentication on - in 10.1 or in soft upgrade mode with 10.3, set sqlAuthorization to true by calling SYSCS_SET_DATABASE_PROPERTY. - shut down - the database now refuses to boot unless hard upgrade is specified. That is, it will not do a soft boot as long as the property derby.database.sqlAuthorization is true. ERROR XCL47: Use of 'sqlAuthorization' requires database to be upgraded from version 10.1 to version 10.2 or later. It can still be booted in 10.1, of course. - This behavior is the same for 10.1 -> 10.2, btw. - Now, in 10.3 with DERBY-2264, when the user has specified hard upgrade, in order to verify that the user is dbo and thus allowed to upgrade, we boot first *without* the upgrade attribute to check credentials (i.e. a soft boot), and if OK, shutdown and reboot with hard upgrade. Unfortunately, the first boot will now fail, since soft boot is barred by the sqlAuthorization being set. But the user *is* attempting a hard upgrade, so the error message is meaningless. I see two options for handling this: 1) Make the exception XCL47 specific to the sqlAuthorization feature and catch it when the credentials boot fails, then throw a more meaningful error message asking the user to unset the sqlAuthorization property before attempting upgrade. Cons: step back from 10.2, which handled the hard upgrade maybe be awkward to have to reboot in older release to fix it. Pros: simple fix 2) Make the exception XCL47 specific to the sqlAuthorization feature and catch it when the credentials boot fails, realizing that this is an upgrade from a release prior to 10.2 (for which dbo powers enforcement is not really meaningful); and go ahead with the hard upgrade as requested, falling back on checking credentials after boot time, as in 10.2. Pros: Principle of least surprise; do what user asks. Cons: May lead user to think dbo powers checking was indeed performed when it was not. I think I prefer solution 2); the dbo powers checking could be seen as providing a guarantee for future upgrades, it is not obvious that it would or should apply to upgrades from older versions anyway. Thoughts? Dag