db-derby-dev mailing list archives

From "Rick Hillegas (Commented) (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (DERBY-5522) Document the NATIVE authentication scheme.
Date Fri, 23 Mar 2012 14:41:27 GMT

    [ https://issues.apache.org/jira/browse/DERBY-5522?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13236634#comment-13236634 ]

Rick Hillegas commented on DERBY-5522:
--------------------------------------

Thanks for posting these changes to the Ref and Dev Guides, Kim. They look great. Some suggested
changes follow:

General comment about the reference pages for the new NATIVE system procedures:

I think it would be good if these pages pointed out that the username argument is an authorization
id. Its case-sensitivity is handled the same way that Derby handles the case-sensitivity of
schema names and schema object names which are passed to other Derby procedures. To reduce
confusion, I also recommend making the examples use uppercase usernames. E.g.:

    CALL SYSCS_UTIL.SYSCS_CREATE_USER('FRED', 'fredpassword')



rrefnativecreateuserproc:

I think it would be good if this page stated that if NATIVE authentication is not already
turned on, then...

1) The first user whose credentials are stored must be the DBO.

2) Calling this procedure will turn on NATIVE authentication the next time the database is
booted.

3) Once you turn on NATIVE authentication with this procedure, it remains turned on permanently.
There is no way to turn it off.


rrefnativedropuserproc:

I think that this page should state that you can't drop the credentials of the DBO.


rrefnativemodifypasswordproc:

I would reword the first sentence slightly in order to distinguish this procedure from the
similar syscs_reset_password() procedure:

"The SYSCS_UTIL.SYSCS_MODIFY_PASSWORD system procedure is called by a user to change her own
password."


rrefnativeresetpasswordproc:

Slight expansion of the first sentence:

"has been forgotten" -> "has expired or been forgotten"


rrefproper13766:

While you're in there, it would be good to clean up an existing false statement. The default
value for derby.authentication.provider is "no authentication", not BUILTIN. By default, no
authentication mechanism protects the database.


rrefproper27467:

I see from the diff file that this section states that derby.connection.requireAuthentication
is irrelevant if NATIVE authentication is turned on. That's good. For some reason, that change
doesn't appear in the html output in the zip file.


rrefproperpasswordthreshold:

I would reword the 3rd paragraph:

"A warning is raised when a user logs in and the remaining lifetime of her password is less
than this proportion of the maximum password lifetime. That is, Derby raises a warning when
the remaining lifetime of a password is less than
(derby.authentication.native.passwordLifetimeThreshold * derby.authentication.native.passwordLifetimeMillis)."


rrefpropersqlauth:

Again, for some reason the extra material in the diff doesn't appear in the html output in
the zip file.


cdevcsecure866060:

Paragraph 5: "anabled" -> "enabled"


cdevcsecurenativeauth:

Bullet 3 under "Managing users and passwords":

    "forgotten" -> "forgotten or expired"


Bullets under "Converting an existing database to use NATIVE authentication":

I would reword bullet 1 this way:

"If you specify NATIVE:credentialsDB, then add users of the existing database to the credentialsDB.
Typically, you would specify uppercase user names and case-sensitive passwords. For instance,
if the old database was created without any authentication, then its default username is APP
and you would do the following:"

I would reword bullet 2 this way:

"If you plan to specify NATIVE:credentialsDB:LOCAL, then first connect to the existing database
as its database owner using its old authentication scheme. Call SYSCS_UTIL.SYSCS_CREATE_USER
to add credentials for the database owner. For example, if the existing database was created
with no authentication, then the database owner is APP and you would add credentials for APP
as shown above."


rdevcsecurenativeauthex:

Last paragraph of "NATIVE authentication and SQL authorization example":

    "DERBY_LIB is DERBY_HOME/lib" -> "DERBY_LIB is the directory which holds the Derby
jar files, typically DERBY_HOME/lib"

Thanks,
-Rick
                
> Document the NATIVE authentication scheme.
> ------------------------------------------
>
>                 Key: DERBY-5522
>                 URL: https://issues.apache.org/jira/browse/DERBY-5522
>             Project: Derby
>          Issue Type: Improvement
>          Components: Documentation
>    Affects Versions: 10.9.0.0
>            Reporter: Rick Hillegas
>            Assignee: Kim Haase
>         Attachments: CreateNativeUsers.java, CreateNativeUsers.java, DERBY-5522-devguide-2.diff,
> DERBY-5522-devguide-2.stat, DERBY-5522-devguide-2.zip, DERBY-5522-devguide.diff, DERBY-5522-devguide.stat,
> DERBY-5522-devguide.zip, DERBY-5522-ref.diff, DERBY-5522-ref.stat, DERBY-5522-ref.zip, NativeAuthExampleClient1.java,
> NativeAuthExampleClient2.java, NativeAuthExampleEmbedded.java, NativeAuthExampleEmbedded.java,
> NativeAuthExampleEmbedded.java, NativeAuthExampleEmbedded.java, NativeAuthExampleEmbedded.java,
> NativeAuthExampleEmbedded.java, NativeAuthenticationExample.java, NativeAuthenticationExample.java,
> NativeAuthenticationExample.java, NativeAuthenticationExample.java, NativeAuthenticationExample.java,
> UseNativeUsers.java, UseNativeUsers.java, derby.log
>
>
> We should document NATIVE authentication after we have implemented the changes described
> on DERBY-866. The documentation changes are described by the functional spec UserManagement.html
> attached to that issue.
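
The following is an added example, not part of Rick's message or the Derby documentation under review. It walks through the points the comment asks the reference pages to state, for a database created without authentication whose owner is APP; the passwords, the second user FRED's role, and the 30-day lifetime are constructed values.

```sql
-- Connected as the database owner (APP) using the old, unauthenticated scheme.

-- 1) The first credentials stored must belong to the DBO. Storing them turns on
--    NATIVE authentication at the next boot of the database, permanently.
CALL SYSCS_UTIL.SYSCS_CREATE_USER('APP', 'constructed-dbo-password');

-- 2) Add ordinary users. The user name is an authorization id, so uppercase is
--    used here to match how the id is stored and compared.
CALL SYSCS_UTIL.SYSCS_CREATE_USER('FRED', 'fredpassword');

-- 3) Password expiry (constructed values): a 30-day lifetime, with a warning
--    once less than 0.125 of it remains.
--    Warning window = 0.125 * 2592000000 ms = 324000000 ms (3.75 days).
CALL SYSCS_UTIL.SYSCS_SET_DATABASE_PROPERTY(
    'derby.authentication.native.passwordLifetimeMillis', '2592000000');
CALL SYSCS_UTIL.SYSCS_SET_DATABASE_PROPERTY(
    'derby.authentication.native.passwordLifetimeThreshold', '0.125');

-- 4) DBO resets a password that has expired or been forgotten.
CALL SYSCS_UTIL.SYSCS_RESET_PASSWORD('FRED', 'constructed-temporary-password');

-- 5) Run in FRED's own connection: a user changes her own password.
--    Note the single argument; the target is always the calling user.
CALL SYSCS_UTIL.SYSCS_MODIFY_PASSWORD('constructed-new-password');

-- 6) Back in the DBO's connection: remove FRED's credentials.
--    The DBO's own credentials ('APP' here) cannot be dropped.
CALL SYSCS_UTIL.SYSCS_DROP_USER('FRED');
```

After step 1 the database must be rebooted before NATIVE authentication is enforced, so connections made in the interval are still governed by the old scheme.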
