Return-Path: X-Original-To: apmail-db-derby-dev-archive@www.apache.org Delivered-To: apmail-db-derby-dev-archive@www.apache.org Received: from mail.apache.org (hermes.apache.org [140.211.11.3]) by minotaur.apache.org (Postfix) with SMTP id F10BF9724 for ; Wed, 21 Sep 2011 12:39:35 +0000 (UTC) Received: (qmail 39046 invoked by uid 500); 21 Sep 2011 12:39:35 -0000 Delivered-To: apmail-db-derby-dev-archive@db.apache.org Received: (qmail 39003 invoked by uid 500); 21 Sep 2011 12:39:35 -0000 Mailing-List: contact derby-dev-help@db.apache.org; run by ezmlm Precedence: bulk List-Help: List-Unsubscribe: List-Post: List-Id: Reply-To: Delivered-To: mailing list derby-dev@db.apache.org Received: (qmail 38996 invoked by uid 99); 21 Sep 2011 12:39:35 -0000 Received: from athena.apache.org (HELO athena.apache.org) (140.211.11.136) by apache.org (qpsmtpd/0.29) with ESMTP; Wed, 21 Sep 2011 12:39:35 +0000 X-ASF-Spam-Status: No, hits=-2.3 required=5.0 tests=RCVD_IN_DNSWL_MED,SPF_PASS,UNPARSEABLE_RELAY X-Spam-Check-By: apache.org Received-SPF: pass (athena.apache.org: local policy) Received: from [148.87.113.117] (HELO rcsinet15.oracle.com) (148.87.113.117) by apache.org (qpsmtpd/0.29) with ESMTP; Wed, 21 Sep 2011 12:39:26 +0000 Received: from rtcsinet22.oracle.com (rtcsinet22.oracle.com [66.248.204.30]) by rcsinet15.oracle.com (Switch-3.4.4/Switch-3.4.4) with ESMTP id p8LCcU77016218 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=OK) for ; Wed, 21 Sep 2011 12:38:33 GMT Received: from acsmt356.oracle.com (acsmt356.oracle.com [141.146.40.156]) by rtcsinet22.oracle.com (8.14.4+Sun/8.14.4) with ESMTP id p8LCcTU9012423 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO) for ; Wed, 21 Sep 2011 12:38:30 GMT Received: from abhmt120.oracle.com (abhmt120.oracle.com [141.146.116.72]) by acsmt356.oracle.com (8.12.11.20060308/8.12.11) with ESMTP id p8LCcORF007724 for ; Wed, 21 Sep 2011 07:38:24 -0500 Received: from richard-hillegas-computer.local (/10.159.6.143) by default (Oracle Beehive Gateway v4.0) with ESMTP ; Wed, 21 Sep 2011 05:38:24 -0700 Message-ID: <4E79DAB5.8090408@oracle.com> Date: Wed, 21 Sep 2011 05:38:13 -0700 From: Rick Hillegas User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.5; en-US; rv:1.9.2.18) Gecko/20110616 Thunderbird/3.1.11 MIME-Version: 1.0 To: derby-dev@db.apache.org Subject: Re: making Derby secure by default References: <4E6F999D.4020002@oracle.com> <4E734848.5060609@oracle.com> <4E737423.6050207@sbcglobal.net> <4E739B94.8030006@oracle.com> <4E78FF57.9010105@oracle.com> In-Reply-To: <4E78FF57.9010105@oracle.com> Content-Type: text/plain; charset=ISO-8859-1; format=flowed Content-Transfer-Encoding: 7bit X-Source-IP: rtcsinet22.oracle.com [66.248.204.30] X-CT-RefId: str=0001.0A090207.4E79DAE4.0222,ss=1,re=0.000,fgs=0 Hi Dag, Thanks for the questions. Most of these have to do with authentication and the notion of identity in Derby. These are issues we need to iron out, perhaps as part of DERBY-866. Some comments inline... On 9/20/11 2:02 PM, Dag H. Wanvik wrote: > Thanks, Rick! > > On 9/16/2011 8:55 PM, Rick Hillegas wrote: >> >> CS1) The VM owner would have to specify credentials in order to boot >> the server. > > How would we store and authenticate these credentials (we have no a > priori DB or central repository unless authetication is via LDAP)? > Would this require the system privileges to be completed or do you > have another model in mind? Here are two possible approaches: i) As part of the work on DERBY-866, we build system-wide authentication for Derby. The latest proposal on that issue is for database-specific credentials. The problem of system-wide credentials baffles me. ii) If we are using the new authentication scheme proposed on DERBY-866, then we just accept the credentials which are provided when the server is booted. Those credentials are stored in memory and are required for subsequent operations on the server. More discussion needed. > >> >> CS2) Those credentials would be required in order to shutdown the >> server, shutdown the engine, turn server-side tracing on/off, and in >> general use any of the public functions of >> NetworkServerControl/NetServlet. > > and I guess, any interface we expose through our management beans? Probably. JMX may have its own notion of identity, though. > >> >> CS3) SSL/TLS would be turned on. Unless overridden, certificate/key >> stores would be expected/created at some default location. >> >> CS4) Some mechanism would control create/restore database powers >> across the network. Discussion needed. > > Can you elaborate on what you have in mind here? Do you mean changing > the data base owner (DBO) for a database? And/or the privileges > referred to in CS2? This might be the almost finished work on DERBY-2109. Alternatively, we might consider some sort of certificate-based identity when SSL/TLS is enabled. I think this is wrapped up with your earlier question about (CS1). At this point, we might want to start a separate thread to address the question of Derby identity and how to supply builtin authentication which is secure and easy to administer. Or continue this discussion on DERBY-866. Thanks, -Rick > > Thanks, > Dag > >