db-derby-dev mailing list archives

From "Rick Hillegas (JIRA)" <j...@apache.org>
Subject [jira] Commented: (DERBY-1387) Add JMX extensions to Derby
Date Thu, 16 Aug 2007 16:27:30 GMT

    [ https://issues.apache.org/jira/browse/DERBY-1387?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#action_12520292 ]

Rick Hillegas commented on DERBY-1387:
--------------------------------------

Thanks to Ole Gunnar for the great functional spec. I have a couple comments:

1) Under DatabaseMBean, the property associated with DatabaseName looks wrong to me.

2) Under DatabaseMBean: I have reservations about the addDBUser() operation. I do not think
that we should be encouraging customers to use the BUILTIN authentication scheme. In that
scheme passwords are stored in plaintext. That seems very insecure to me. I think it's ok
for testing purposes but not for a production environment. I recommend against exposing this
operation.

3) In general, I think we need to beef up the authorization story for this JMX-based administration
before we expose it to customers. Incremental development is great, but I think real production
usage requires more controls. If I understand the spec correctly, it seems that godlike administrative
powers over all databases are granted to the VM's administrator. I think this is inappropriate
for VMs which host other applications besides Derby. I propose the following:

a) The VersionMBean looks pretty harmless to me. I don't think it needs more controls.

b) I think that in order to get your hands on a SystemMBean or a NSCMBean, you should be forced
to authenticate at the Derby system-wide level. Furthermore, this authentication should result
in your being a system-wide DatabasePrincipal to whom the policy file grants 'permission org.apache.derby.security.SystemPermission
"systemAdministration"'. For more information on this permissions scheme, see the functional
spec for DERBY-2109.

c) You must authenticate as the database's DBA in order to get your hands on the corresponding
DatabaseMBean.

4) Continuing on the topic of authorization: If I understand the spec correctly, it seems
that, potentially, the Derby System Administrator and all of the Derby DBAs will be given
the password for VM-wide JMX-based administration. In theory, this gives these users the ability
to manipulate other applications running in the VM. The user guides should state clearly that
these other applications are responsible for raising additional authorization hurdles if they
are uncomfortable with these godlike powers that are granted to Derby super-users.


> Add JMX extensions to Derby
> ---------------------------
>
>                 Key: DERBY-1387
>                 URL: https://issues.apache.org/jira/browse/DERBY-1387
>             Project: Derby
>          Issue Type: New Feature
>          Components: Services
>            Reporter: Sanket Sharma
>            Assignee: Bernt M. Johnsen
>         Attachments: DERBY-1387-1.diff, DERBY-1387-1.stat, DERBY-1387-2.diff, DERBY-1387-2.stat, DERBY-1387-3.diff, DERBY-1387-3.stat, derbyjmx.patch, jmx.diff, jmx.stat, jmxFuncspec.html, Requirements for JMX Updated.html, Requirements for JMX.html, Requirements for JMX.zip
>
>
> This is a draft requirement specification for adding monitoring and management extensions to Apache Derby using JMX. The requirements document has been uploaded on JIRA as well as the Derby Wiki page at http://wiki.apache.org/db-derby/_Requirement_Specifications_for_Monitoring_%26_Management_Extensions_using_JMX
> Developers and Users are requested to please look at the document (feature list in particular) and add their own rating to features by adding a column to the table.
> Comments are welcome.

-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
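
The tiered access rule proposed in points 3a to 3c of the comment above, modelled as an added example that is not part of the original message and is not Derby code. The `SystemAdmin` and `Dba` principals, the `type`/`name` ObjectName keys, and the sample names are assumptions made for illustration; only standard JDK classes are used.

```java
import java.security.Principal;
import java.util.Set;
import javax.management.ObjectName;
import javax.security.auth.Subject;

public class MBeanAccessGate {
    // Hypothetical principals: what a successful Derby login might attach to the caller.
    record SystemAdmin(String user) implements Principal {
        public String getName() { return user; }
    }
    record Dba(String user, String database) implements Principal {
        public String getName() { return user; }
    }

    // Deny by default; the "type" and "name" ObjectName keys are assumed, not Derby's.
    static boolean mayAccess(Subject caller, ObjectName mbean) {
        String type = mbean.getKeyProperty("type");
        if (type == null) return false;
        switch (type) {
            case "Version":                       // 3a: harmless, no extra control
                return true;
            case "System":
            case "NetworkServer":                 // 3b: system-wide administrator only
                return caller != null
                    && !caller.getPrincipals(SystemAdmin.class).isEmpty();
            case "Database":                      // 3c: DBA of this database only
                String db = mbean.getKeyProperty("name");
                return caller != null && db != null
                    && caller.getPrincipals(Dba.class).stream()
                             .anyMatch(p -> p.database().equals(db));
            default:
                return false;
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample callers and MBean names.
        Subject dba = new Subject(true, Set.of(new Dba("alice", "salesdb")), Set.of(), Set.of());
        Subject admin = new Subject(true, Set.of(new SystemAdmin("root")), Set.of(), Set.of());
        String[] names = {
            "org.apache.derby:type=Version",
            "org.apache.derby:type=System",
            "org.apache.derby:type=Database,name=salesdb",
            "org.apache.derby:type=Database,name=hrdb" };
        for (String n : names) {
            ObjectName on = new ObjectName(n);
            System.out.printf("%-45s dba=%b admin=%b anonymous=%b%n", n,
                mayAccess(dba, on), mayAccess(admin, on), mayAccess(null, on));
        }
    }
}
```

In this model a DBA reaches only the DatabaseMBean of the database they administer, and an unknown MBean type is refused rather than allowed.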

