Can we do some kind of virtual path mapping with Network Server?

[Daniel Noll <da...@nuix.com>]

Hi all.

We have a setup where databases can basically be anywhere on the server 
(it's up to the user) and thus we cannot use derby.system.home to get 
relative paths.  To get around this we have gone with absolute paths, 
but absolute paths aren't so great either.

Additionally I have been thinking it might be nice if you could 
selectively allow access to only some databases, such that they don't 
get started up (particular as Network Server doesn't shutdown the 
databases when users have stopped using them... which is another 
unrelated and annoying problem.)

So I have been wondering, is there some API buried in there which I can 
use to map arbitrary paths from the client URL to arbitrary absolute 
paths on the other side?  This would effectively allow us to create a 
replacement for derby.system.home which can support multiple root 
directories, effectively merging together all these directories.

Daniel


-- 
Daniel Noll                            Forensic and eDiscovery Software
Senior Developer                              The world's most advanced
Nuix                                                email data analysis
http://nuix.com/                                and eDiscovery software

Re: Can we do some kind of virtual path mapping with Network Server?

[Daniel Noll <da...@nuix.com>]

Rick Hillegas wrote:
> Hi Daniel,
> 
> Feel free to file a feature-request JIRA, describing the behavior you 
> need. Then people will have an issue which they can vote for--and that 
> will help concentrate our attention.

I will do.

I am first going to experiment and see if it would be possible to write 
a custom store implementation to do this.  Since there is a store which 
can read from a jar file instead of a file, I figure it must be possible 
to make a store which virtualises file paths instead of taking absolute 
ones.

Daniel


-- 
Daniel Noll                            Forensic and eDiscovery Software
Senior Developer                              The world's most advanced
Nuix                                                email data analysis
http://nuix.com/                                and eDiscovery software

Re: Can we do some kind of virtual path mapping with Network Server?

[Rick Hillegas <Ri...@Sun.COM>]

Hi Daniel,

Feel free to file a feature-request JIRA, describing the behavior you 
need. Then people will have an issue which they can vote for--and that 
will help concentrate our attention.

Thanks,
-Rick

Daniel Noll wrote:
> Kristian Waagan wrote:
>> Hi Daniel,
>>
>> Have you considered using symbolic links?
>> (btw, something to check out here is how Java security interacts with 
>> symlinks)
>
> It seems to canonicalise the path excessively, so it would probably do 
> the right thing and make sure you have permission to both locations.  
> I have noticed Java even checks this even if you have a FilePermission 
> for all files. :rollseyes:
>
> On UNIX this would have been a fairly sensible option... Windows does 
> have symlinks now, but not *every* version of the OS we support.  On a 
> related note I have noticed Java has issues with my second hard disk 
> which is mounted at C:\Data, so it may not be great for symlinks either.
>
>> Regarding disallowing access for selected databases, is using the 
>> access rights mechanisms provided by the OS/file system an option?
>>
>> I do realize there are limitations and challenges with the 
>> approach(es)...
>
> Using the filesystem for access control works but puts the burden on 
> the sysadmin to get it right (and it's something which is hard to 
> check from Java land, "are the permissions on this entire hard disk 
> correct?"
>
> Hiding the entire thing behind a REST or similar API would be another 
> solution to the problem, but it's a pretty steep hill.  I just thought 
> I would throw the question out there because a simple API which takes 
> a path and returns a path would have been an elegant solution, even if 
> it were buried deep in the server code.
>
> Daniel
>
>

Re: Can we do some kind of virtual path mapping with Network Server?

[Daniel Noll <da...@nuix.com>]

Kristian Waagan wrote:
> Hi Daniel,
> 
> Have you considered using symbolic links?
> (btw, something to check out here is how Java security interacts with 
> symlinks)

It seems to canonicalise the path excessively, so it would probably do 
the right thing and make sure you have permission to both locations.  I 
have noticed Java even checks this even if you have a FilePermission for 
all files. :rollseyes:

On UNIX this would have been a fairly sensible option... Windows does 
have symlinks now, but not *every* version of the OS we support.  On a 
related note I have noticed Java has issues with my second hard disk 
which is mounted at C:\Data, so it may not be great for symlinks either.

> Regarding disallowing access for selected databases, is using the access 
> rights mechanisms provided by the OS/file system an option?
> 
> I do realize there are limitations and challenges with the approach(es)...

Using the filesystem for access control works but puts the burden on the 
sysadmin to get it right (and it's something which is hard to check from 
Java land, "are the permissions on this entire hard disk correct?"

Hiding the entire thing behind a REST or similar API would be another 
solution to the problem, but it's a pretty steep hill.  I just thought I 
would throw the question out there because a simple API which takes a 
path and returns a path would have been an elegant solution, even if it 
were buried deep in the server code.

Daniel


-- 
Daniel Noll                            Forensic and eDiscovery Software
Senior Developer                              The world's most advanced
Nuix                                                email data analysis
http://nuix.com/                                and eDiscovery software

Re: Can we do some kind of virtual path mapping with Network Server?

[Kristian Waagan <Kr...@Sun.COM>]

Daniel Noll wrote:
> Hi all.
>
> We have a setup where databases can basically be anywhere on the 
> server (it's up to the user) and thus we cannot use derby.system.home 
> to get relative paths.  To get around this we have gone with absolute 
> paths, but absolute paths aren't so great either.
>
> Additionally I have been thinking it might be nice if you could 
> selectively allow access to only some databases, such that they don't 
> get started up (particular as Network Server doesn't shutdown the 
> databases when users have stopped using them... which is another 
> unrelated and annoying problem.)
>
> So I have been wondering, is there some API buried in there which I 
> can use to map arbitrary paths from the client URL to arbitrary 
> absolute paths on the other side?  This would effectively allow us to 
> create a replacement for derby.system.home which can support multiple 
> root directories, effectively merging together all these directories.

Hi Daniel,

Have you considered using symbolic links?
(btw, something to check out here is how Java security interacts with 
symlinks)
Regarding disallowing access for selected databases, is using the access 
rights mechanisms provided by the OS/file system an option?

I do realize there are limitations and challenges with the approach(es)...


-- 
Kristian
>
> Daniel
>
>