Posted to derby-commits@db.apache.org by Apache Wiki <wi...@apache.org> on 2008/02/08 18:07:50 UTC

[Db-derby Wiki] Update of "JMXSecurityExpectations" by JohnHEmbretsen

Dear Wiki user,

You have subscribed to a wiki page or wiki category on "Db-derby Wiki" for change notification.

The following page has been changed by JohnHEmbretsen:
http://wiki.apache.org/db-derby/JMXSecurityExpectations

New page:
= JMX Security Expectations =

Security expectations for the JMX Management and Monitoring features added by [https://issues.apache.org/jira/browse/DERBY-1387 DERBY-1387].

[[TableOfContents]]

== Overview ==

This is an effort to track and summarize conclusions from discussions on the derby-dev mailing list and in [https://issues.apache.org/jira/browse/DERBY-1387 Jira] regarding JMX security in Derby.

Relevant background information is available in Jira and the mail archives, including:
 * [https://issues.apache.org/jira/browse/DERBY-1387 DERBY-1387] (includes a functional specification)
 * [https://issues.apache.org/jira/browse/DERBY-2109 DERBY-2109]
 * [http://www.nabble.com/-jira--Created%3A-%28DERBY-1387%29-Add-JMX-extensions-to-Derby-td4770244.html Mail thread #1]
 * [http://db.markmail.org/message/v6npsxpyfrzxchiy?q=list:org%2Eapache%2Edb%2Ederby-dev Mail thread #1.1] (Protecting system properties)
 * [http://db.markmail.org/message/s7eqlhz6ydrufatl?q=list:org%2Eapache%2Edb%2Ederby-dev Mail thread #1.2] (JMX meeting system authorization)

== Terminology ==

 * Let's simplify things by saying that MBeans have essentially two states: ''enabled'' or ''disabled''
    * An '''enabled''' (registered) MBean is visible/accessible to any valid JMX user.
    * A '''disabled''' (unregistered) MBean is not visible/accessible to any JMX user.

 * '''"Running Derby":'''
   Running the Derby engine with Derby's JMX Management and Monitoring features enabled, using a JVM supporting all JMX features included in J2SE 5.0. This includes, for example, running the Derby Network Server or Derby Embedded using a Java SE 6 JVM.

 * '''JMX user:'''
   A user connecting to the JVM running Derby and thereby possibly Derby's Management Service through JMX, either VM-locally (from the same JVM), locally (from the same host as the host running Derby), or remotely (from a different host than the host running Derby).
   A "valid" JMX user is a user who is successfully authenticated by the system (this includes all JMX users when authentication is disabled).

 * '''JMX Authentication (''jmx-authc''):'''
   A user trying to access Derby's JMX services may need to provide some kind of credentials (prove her identity) in order to connect to the `MBeanServer`. Whether or not to require JMX authentication is up to the VM-Admin.

 * '''JMX Authorization (''jmx-authz''):''' 
   Once authenticated, a user may be granted a certain set of rights to perform certain JMX-related actions (read/write attributes, invoke operations, register MBeans, etc.). When authorization is disabled, any valid JMX user may use and access all services offered by the Management Service by default.

 * '''Derby system level authentication (''derby-authc''):'''
   The system-wide property `derby.connection.requireAuthentication` is `true`.

 * '''Derby database level authentication (''db-authc''):'''
   The database-wide property `derby.connection.requireAuthentication` is `true`.

 * '''Derby database level connection authorization (''db-authr''):'''
   A given user is authorized with either `fullAccess` (default), `readOnlyAccess` or `noAccess` privileges. This is defined by a number of database-wide properties:
    * `derby.database.defaultConnectionMode`
    * `derby.database.fullAccessUsers`
    * `derby.database.readOnlyAccessUsers`

 * `*` is a wildcard (for example, '''*-authc''' includes '''jmx-authc''', '''derby-authc''' and '''db-authc''').

== Security Expectations ==

For the first revision of the JMX features, Derby's JMX features can either be enabled or disabled at system startup only. The default is: ''disabled''.

When the Derby system starts, and Derby's JMX features are enabled, and sufficient JMX support is available in the JVM running Derby, then Derby will establish a Management Service (JMX Agent) by (among other things) creating/retrieving an `MBeanServer`. MBeans must be registered with this `MBeanServer` in order to become accessible to valid JMX users.

Credentials supplied during authentication may not be accessed or be reused by another JMX user. Every JMX user/client must provide credentials if authentication is enabled.

After system startup, the following MBeans may be registered with the `MBeanServer` and thus enabled:


=== VersionMBean ===

 * Displays version information from the running Derby instance.
 * Will be enabled "always".
 * All ''Attributes'' are available to all valid JMX users.
 * No ''Operations'' are defined in this MBean.

=== SystemMBean ===

 * Provides access to Derby system settings and other information on the system level in Derby. This is handled by including ''Attributes'' in the MBean. A single ''Attribute'' may be defined as '''read-only''' or '''readwrite'''.
 * Provides an MBean operation, `bootDatabase(url)`, which boots a given database.
 * May be enabled only if system-wide authentication ('''derby-authc''') is ''disabled'' in Derby (default),
 
   OR

   if system-wide authentication ('''derby-authc''') is ''enabled'' in Derby 
     AND 
   the JMX user has passed '''jmx-authc''' (and '''jmx-authz''')
     AND
   the JMX user has passed '''derby-authc'''

 * If System Privileges ([https://issues.apache.org/jira/browse/DERBY-2109 DERBY-2109]) are enforced by Derby, then a valid JMX user cannot create a new database using the `bootDatabase(url)` Operation unless this user has sufficient privileges to do so.


=== NetworkServerControlMgmtMBean ===

 * Provides access to the `NetworkServerControl` API and server-related settings.
 * Some settings are read-only, others are readwrite.
 * Includes ''Operations'' such as `ping()`, `traceConnection(...)` and `shutdown()`.
 * Same enabling policy as '''SystemMBean'''.
 * ''Operation'' `shutdown()` may be restricted by a Java security policy, in which case a valid JMX user without the sufficient privileges should not be allowed to shut down the Network Server using this Operation. 
   This requires integration with features developed with [https://issues.apache.org/jira/browse/DERBY-2109 DERBY-2109] (System Privileges).


=== DatabaseMBean ===

 * Provides access to database settings and operations.
 * Settings may be ''read-only'' or ''readwrite''.
 * A new '''DatabaseMBean''' will be created for each booted database. Such MBeans will be enabled automatically if '''*-authc''' and '''db-authr''' are disabled.
 * If any of '''*-authc''' are enabled, the JMX user must pass all authentication checks ('''jmx-authc''', '''derby-authc''', '''db-authc''') that are enabled for this type of access (connecting to this particular database using this particular Derby system).


== Notes/Issues ==

 * '''jmx-authc''' should be closely tied to derby-authc so that a user does not have to authenticate twice (or more) in order to use a system-level MBean.
 * how to perform '''derby-authc''' checks without connecting to a database?
 * how to (easily and correctly) enforce [http://db.apache.org/derby/docs/dev/tuning/ctunsetprop23308.html ''Precedence of properties''] and [http://db.apache.org/derby/docs/dev/tuning/ctunsetprop824533.html ''protection of database properties'']? Are there existing utility methods or other mechanisms for this?
 * do we need a ''delegating MBean'', controlling when to enable/disable other "sensitive" MBeans such as '''SystemMBean''' and '''NetworkServerControlMBean'''?
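
An added example (not Derby's code, and not part of the wiki page) showing the expectations above in plain JMX API terms, on Java 9 or later: a `JMXAuthenticator` that enforces jmx-authc and hands each connection its own read-only `Subject` so credentials are never shared between JMX users, and a registration step that enables `VersionMBean` always and `SystemMBean` only while `derby.connection.requireAuthentication` is not set. The MBean interfaces, the `org.apache.derby:type=...` object names and the `monitor` user table are assumptions made for this example.

```java
import java.lang.management.ManagementFactory;
import java.util.*;
import javax.management.*;
import javax.management.remote.*;
import javax.security.auth.Subject;

public class JmxPolicyExample {
    // Hypothetical stand-ins for the page's VersionMBean and SystemMBean.
    public interface VersionMBean { String getVersionString(); }
    public interface SystemMBean { String getSystemHome(); }
    // Constructed user table standing in for Derby's own (derby-authc) check.
    static final Map<String, String> USERS = Map.of("monitor", "example-password");

    // jmx-authc: every client must present String[]{user, password}.
    static final JMXAuthenticator AUTHENTICATOR = credentials -> {
        if (!(credentials instanceof String[]) || ((String[]) credentials).length != 2) {
            throw new SecurityException("JMX credentials required");
        }
        String[] up = (String[]) credentials;
        if (!Objects.equals(USERS.get(up[0]), up[1])) {
            throw new SecurityException("JMX authentication failed");
        }
        // Fresh read-only Subject per connection; the password is not kept in it.
        Subject subject = new Subject();
        subject.getPrincipals().add(new JMXPrincipal(up[0]));
        subject.setReadOnly();
        return subject;
    };

    public static void main(String[] args) throws Exception {
        MBeanServer mbs = ManagementFactory.getPlatformMBeanServer();
        // VersionMBean is enabled "always".
        VersionMBean version = () -> "example-version";
        mbs.registerMBean(new StandardMBean(version, VersionMBean.class),
                          new ObjectName("org.apache.derby:type=Version"));
        // SystemMBean is enabled only while derby-authc is disabled; with
        // derby.connection.requireAuthentication=true it stays unregistered.
        if (!Boolean.getBoolean("derby.connection.requireAuthentication")) {
            SystemMBean system = () -> System.getProperty("derby.system.home");
            mbs.registerMBean(new StandardMBean(system, SystemMBean.class),
                              new ObjectName("org.apache.derby:type=System"));
        }
        // Connector server with jmx-authc enforced; this URL form needs no RMI
        // registry, clients connect to cs.getAddress() after start().
        Map<String, Object> env = new HashMap<>();
        env.put(JMXConnectorServer.AUTHENTICATOR, AUTHENTICATOR);
        JMXConnectorServer cs = JMXConnectorServerFactory.newJMXConnectorServer(
                new JMXServiceURL("rmi", "localhost", 0), env, mbs);
        cs.start();
    }
}
```

Whether the whole bean or only some of its attributes should be hidden from unauthenticated users is exactly the point raised in the replies below; this example follows the page's wording and gates registration of the bean as a whole.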

Re: [Db-derby Wiki] Update of "JMXSecurityExpectations" by JohnHEmbretsen

Posted by "John H. Embretsen" <Jo...@Sun.COM>.
Daniel John Debrunner wrote:
> John Embretsen wrote:
>> Daniel John Debrunner wrote:

>>> The SystemMBean section is really talking about if an attribute or 
>>> operation is visible or useable by a specific jmx-user, not if the 
>>> bean is enabled or not.
>>
>> My intention was to talk about if the entire bean is enabled 
>> (registered) or not. But perhaps my thinking is flawed. I guess I was 
>> basing this description upon one possible way to implement this kind 
>> of control, by not letting the bean be registered if the JMX user has 
>> not been authenticated (we may for instance put logic in a 
>> preRegister() method of the MBean).
> 
> Maybe I'm confused. I thought Derby's MBeans were registered by Derby's 
> code, not a jmx-user. Once an mbean was registered any jmx-user could see 
> it?

Yes, that's true. Though in theory it is possible for a jmx-user to 
register MBeans as well, e.g. by using 
javax.management.MBeanServerConnection#createMBean() methods. But that 
was not what I was thinking about when I wrote that page.

> Is there another step where the mbean gets registered in the view of the 
> jmx-user connecting to the system?

My thinking was flawed in the sense that I did not remember to consider 
the fact that, currently, the SystemMbean is enabled automatically at 
Derby boot-time. I need to re-think this and update the wiki, but I'll 
probably take a break first to recharge ;) Though feel free to edit the 
wiki page if you want...


-- 
John


Re: [Db-derby Wiki] Update of "JMXSecurityExpectations" by JohnHEmbretsen

Posted by Daniel John Debrunner <dj...@apache.org>.
John Embretsen wrote:
> Daniel John Debrunner wrote:
>>  JohnHEmbretsen wrote:
>>
>>>  * Let's simplify things by saying that MBeans have essentially two 
>>> states: ''enabled'' or ''disabled''
>>>     * An '''enabled''' (registered) MBean is visible/accessible to 
>>> any valid JMX user.
>>
>>>
>>> === SystemMBean ===
>>
>>>  * May be enabled only if system-wide authentication 
>>> ('''derby-authc''') is ''disabled'' in Derby (default),
>>
>> Nice page. Just to point out that the use of "enabled" in SystemMBean 
>> does not match the definition of "enabled" earlier in the page.
>>
>> The SystemMBean section is really talking about if an attribute or 
>> operation is visible or useable by a specific jmx-user, not if the 
>> bean is enabled or not.
> 
> My intention was to talk about if the entire bean is enabled 
> (registered) or not. But perhaps my thinking is flawed. I guess I was 
> basing this description upon one possible way to implement this kind of 
> control, by not letting the bean be registered if the JMX user has not 
> been authenticated (we may for instance put logic in a preRegister() 
> method of the MBean).

Maybe I'm confused. I thought Derby's MBeans were registered by Derby's 
code, not a jmx-user. Once an mbean was registered any jmx-user could see it?

Is there another step where the mbean gets registered in the view of the 
jmx-user connecting to the system?


Dan.




Re: [Db-derby Wiki] Update of "JMXSecurityExpectations" by JohnHEmbretsen

Posted by John Embretsen <Jo...@Sun.COM>.
Daniel John Debrunner wrote:
>  JohnHEmbretsen wrote:
> 
>>  * Let's simplify things by saying that MBeans have essentially two 
>> states: ''enabled'' or ''disabled''
>>     * An '''enabled''' (registered) MBean is visible/accessible to any 
>> valid JMX user.
> 
>>
>> === SystemMBean ===
> 
>>  * May be enabled only if system-wide authentication 
>> ('''derby-authc''') is ''disabled'' in Derby (default),
> 
> Nice page. Just to point out that the use of "enabled" in SystemMBean 
> does not match the definition of "enabled" earlier in the page.
> 
> The SystemMBean section is really talking about if an attribute or 
> operation is visible or useable by a specific jmx-user, not if the bean 
> is enabled or not.

My intention was to talk about if the entire bean is enabled (registered) or 
not. But perhaps my thinking is flawed. I guess I was basing this description 
upon one possible way to implement this kind of control, by not letting the bean 
be registered if the JMX user has not been authenticated (we may for instance 
put logic in a preRegister() method of the MBean).


-- 
John



Re: [Db-derby Wiki] Update of "JMXSecurityExpectations" by JohnHEmbretsen

Posted by Daniel John Debrunner <dj...@apache.org>.
  JohnHEmbretsen wrote:

>  * Let's simplify things by saying that MBeans have essentially two states: ''enabled'' or ''disabled''
>     * An '''enabled''' (registered) MBean is visible/accessible to any valid JMX user.

> 
> === SystemMBean ===

>  * May be enabled only if system-wide authentication ('''derby-authc''') is ''disabled'' in Derby (default),

Nice page. Just to point out that the use of "enabled" in SystemMBean 
does not match the definition of "enabled" earlier in the page.

The SystemMBean section is really talking about if an attribute or 
operation is visible or useable by a specific jmx-user, not if the bean 
is enabled or not.

Dan.