You are viewing a plain text version of this content. The canonical link for it is here.
Posted to derby-dev@db.apache.org by "Rick Hillegas (JIRA)" <ji...@apache.org> on 2018/10/20 23:45:00 UTC
[jira] [Commented] (DERBY-3547) Create a utility that generates a
security policy file for Derby's tests
[ https://issues.apache.org/jira/browse/DERBY-3547?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16658027#comment-16658027 ]
Rick Hillegas commented on DERBY-3547:
--------------------------------------
The situation has gotten considerably worse over the last decade. Now we a great number of these test policy files.
Here's what makes sense to me:
1) We should create a derbyBuild utility which generates policy files during Derby compilation.
2) The utility should be driven by a descriptor, which describes each policy file.
3) In the descriptor, it should be possible to say that a given policy can be constructed from a parent policy by adding or subtracting permissions. This will be very useful in describing the test policy files.
4) There should be a template policy file for most of the published configurations (see the public API javadoc for a list of these configurations). That means that we have a separate template policy for the shared module, for the embedded engine, for the server, for the remote client, for tests, and for optional tests.
> Create a utility that generates a security policy file for Derby's tests
> ------------------------------------------------------------------------
>
> Key: DERBY-3547
> URL: https://issues.apache.org/jira/browse/DERBY-3547
> Project: Derby
> Issue Type: Improvement
> Components: Test
> Reporter: Daniel John Debrunner
> Priority: Minor
>
> With the number of current test policy files it is becoming a pain to remember to modify all of them when needed to add a new permission.
> In addition with JMX, SystemPermission (and DatabasePermission) support, testing of fine-grained permissions will become unmanagable if a new policy file is needed for every combination.
> I suggest a java utility that can be used in a test decorator to create a set of permissions that can then be modified before creating a real policy file and pointing the security manager to it. I imagine an api like:
> TestPolicy() - constructor creates a set of permissions that corresponds to the current derby_tests.policy (or similar)
> The object supports a number of code bases, corresponding to the current jars, e.g.
> derby, derbynet, derbytools,derbyclient,ant,emma, junit,
> removeCodebase(String code) - remove all the permissions for a given code base. Allows specific testing, e.g. with just client tests don't have permissions for any other jars.
> removePermission(String code, Permission permission) - remove a single permission from a code base - allows negative testing, what happens if this permission is not available.
> addPermission(String code, Permission permission) - add a permission into the code base
> writePolicyFile(PrintStream out) - write the policy file out
> This would also stop the need for derby_tests.policy to have a jar and classes section with duplicated information, TestPolicy would just create the grant code blocks with the correct code location.
> TestPolicy could obviously be expanded as new needs appear, eg. Principal testing.
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)