Return-Path: Delivered-To: apmail-db-derby-dev-archive@www.apache.org Received: (qmail 25589 invoked from network); 30 Jun 2009 14:30:01 -0000 Received: from hermes.apache.org (HELO mail.apache.org) (140.211.11.3) by minotaur.apache.org with SMTP; 30 Jun 2009 14:30:01 -0000 Received: (qmail 71757 invoked by uid 500); 30 Jun 2009 14:30:11 -0000 Delivered-To: apmail-db-derby-dev-archive@db.apache.org Received: (qmail 71707 invoked by uid 500); 30 Jun 2009 14:30:11 -0000 Mailing-List: contact derby-dev-help@db.apache.org; run by ezmlm Precedence: bulk List-Help: List-Unsubscribe: List-Post: List-Id: Reply-To: Delivered-To: mailing list derby-dev@db.apache.org Received: (qmail 71699 invoked by uid 99); 30 Jun 2009 14:30:11 -0000 Received: from nike.apache.org (HELO nike.apache.org) (192.87.106.230) by apache.org (qpsmtpd/0.29) with ESMTP; Tue, 30 Jun 2009 14:30:11 +0000 X-ASF-Spam-Status: No, hits=-2000.0 required=10.0 tests=ALL_TRUSTED X-Spam-Check-By: apache.org Received: from [140.211.11.140] (HELO brutus.apache.org) (140.211.11.140) by apache.org (qpsmtpd/0.29) with ESMTP; Tue, 30 Jun 2009 14:30:08 +0000 Received: from brutus (localhost [127.0.0.1]) by brutus.apache.org (Postfix) with ESMTP id 991BE234C044 for ; Tue, 30 Jun 2009 07:29:47 -0700 (PDT) Message-ID: <1725896631.1246372187626.JavaMail.jira@brutus> Date: Tue, 30 Jun 2009 07:29:47 -0700 (PDT) From: "Dag H. Wanvik (JIRA)" To: derby-dev@db.apache.org Subject: [jira] Updated: (DERBY-3282) Add a mechanism for managing users in Derby In-Reply-To: <12635702.1197907123176.JavaMail.jira@brutus> MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: 7bit X-JIRA-FingerPrint: 30527f35849b9dde25b450d4833f0394 X-Virus-Checked: Checked by ClamAV on apache.org [ https://issues.apache.org/jira/browse/DERBY-3282?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Dag H. Wanvik updated DERBY-3282: --------------------------------- Component/s: Services > Add a mechanism for managing users in Derby > ------------------------------------------- > > Key: DERBY-3282 > URL: https://issues.apache.org/jira/browse/DERBY-3282 > Project: Derby > Issue Type: Improvement > Components: Services > Reporter: Rick Hillegas > > Currently, managing users in Derby is awkward. The BUILTIN mechanism seems appropriate for testing purposes, but has problems in a production setting. DERBY-866 describes part of a new mechanism for managing users. DERBY-866 may be part of the right solution--or it may not be. I think it would be worthwhile to step back from this issue and first describe at a high level what the customer experience should be. By introducing a new mechanism, we have the opportunity to think through the complete experience of user management. Here are my initial thoughts: > 1) This mechanism is mutually exclusive with the currently supported settings of the derby.authentication.provider property. > 2) There should be a super user who has the power to create, view, and drop users, including database owners. The design should let this super user delegate these powers to other users. > 3) In the new mechanism it is sufficient that user credentials are system-wide. > 4) Database owners should nevertheless have the power to state which usernames can connect to their databases. DBOs should also have the power to state who can shut down their databases. This mechanism should be extensible to managing other database-specific powers which fall outside the SQL spec. The design should let the DBO delegate these powers to other users. > 5) Users should be able to change their own credentials whenever they want. > 6) No password needed for this mechanism should be stored in plaintext anywhere on the system. -- This message is automatically generated by JIRA. - You can reply to this email to add a comment to the issue online.