db-derby-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Daniel John Debrunner (JIRA)" <j...@apache.org>
Subject [jira] Commented: (DERBY-1387) Add JMX extensions to Derby
Date Wed, 06 Feb 2008 20:39:08 GMT

    [ https://issues.apache.org/jira/browse/DERBY-1387?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12566325#action_12566325

Daniel John Debrunner commented on DERBY-1387:

For the security issue one idea is consider is packaging Derby's mbeans in a separate jar
file (e.g. derbyjmx.jar).
This jar could be automatically in the class path of derby.jar but having it separate would
allow it to be granted different permissions.

If the mbeans are in derby.jar then they will most likely have the permission to read Derby's
system properties (derby.*),
putting them in a separate jar allows some control to some administrator (vm-admin?), thus
they could have the option of:

   - not allowing any jmx access to system properties while continuing to use the other administration
facilities  of Derby's mbeans
   - allowing only read access to derby's system properties (that are exposed through Derby's
   - allowing read/write access to derby's system properties (that are exposed through Derby's

> I noticed Dan's suggestion of including a restricted/limited set of MBeans/attributes/operations
in the first version of this feature

My suggestion was slightly different, a first patch that gets working mbeans with limited
attributes and operations to allow folks to play with them.
Then any amount of added new functionality before a release that contains mbeans (ie. 10.4),
the only requirement would be some agreement that new functionality does not expose security
holes. E.g. a initial patch of working functionality could be:

  - version mbean - as it is today
  - system mbean - maybe any system property read-only that does not expose security information
(e.g. LocksWaitTimeOut ok,  DatabaseFullAccessUsers not ok)
  - network server mbean - ping only
  - database mbean - name, locale, read-only

> Add JMX extensions to Derby
> ---------------------------
>                 Key: DERBY-1387
>                 URL: https://issues.apache.org/jira/browse/DERBY-1387
>             Project: Derby
>          Issue Type: New Feature
>          Components: Services
>            Reporter: Sanket Sharma
>            Assignee: John H. Embretsen
>         Attachments: DERBY-1387-1.diff, DERBY-1387-1.stat, DERBY-1387-2.diff, DERBY-1387-2.stat,
DERBY-1387-3.diff, DERBY-1387-3.stat, DERBY-1387-4.diff, DERBY-1387-4.stat, DERBY-1387-5.diff,
DERBY-1387-5.stat, DERBY-1387-6.zip, DERBY-1387-7.zip, DERBY-1387-8.zip, DERBY-1387-9.diff,
DERBY-1387-9.stat, derbyjmx.patch, jmx.diff, jmx.stat, jmxFuncspec.html, jmxFuncspec.html,
jmxFuncspec.html, Requirements for JMX Updated.html, Requirements for JMX.html, Requirements
for JMX.zip
> This is a draft requirement specification for adding monitoring and management extensions
to Apache Derby using JMX. The requirements document has been uploaded on JIRA as well as
the Derby Wiki page at http://wiki.apache.org/db-derby/_Requirement_Specifications_for_Monitoring_%26_Management_Extensions_using_JMX
> Developers and Users are requested to please look at the document (feature list in particular)
and add their own rating to features by adding a coloumn to the table.
> Comments are welcome.

This message is automatically generated by JIRA.
You can reply to this email to add a comment to the issue online.

View raw message