Posted to derby-dev@db.apache.org by John Embretsen <Jo...@Sun.COM> on 2008/02/21 18:16:17 UTC

JMX Access Control Proposal

Related to DERBY-1387, there is an access control proposal on the wiki at

http://wiki.apache.org/db-derby/JMXSecurityExpectations#head-0e3b575bde6a9f7dce809605aa153ccff9daa7e7

The proposal is also related to a previous E-mail thread with the subject "JMX
meeting system authorization (DERBY-2109 & 1387)",
http://db.markmail.org/message/s7eqlhz6ydrufatl?q=list:org%2Eapache%2Edb%2Ederby-dev

I'm starting a new thread here so that we don't deviate too much from "the
Apache way" on the wiki...


1) I noticed that Derby connection authorization (db-authr) is not mentioned in
the proposal. Does this mean that this will be ignored, at least for JMX actions
that do not rely on obtaining a regular JDBC connection to the database from the
MBean?


2) I'm curious about how this proposal relates to Derby authentication?
I'm still a bit puzzled here, I guess. On the wiki we have noted elsewhere
(regarding database MBeans):

>>>> JHE: If any of *-authc are enabled, the JMX user must pass all 
authentication checks (jmx-authc, derby-authc, db-authc) that are enabled for
this type of access (connecting to this particular database using this
particular Derby system).

>>>  DJD: Why is derby-authc included here, to connect to a database 
derby-authc is not required, so why to administer it?

>> JHE: Isn't passing derby-authc required if it has been enabled 
programmatically, unless derby.database.propertiesOnly=true?

>  DJD: No, to connect to a database only database authentication is needed. 
(db-authc).

('db-authc' is defined on the wiki page as "The database-wide property
derby.connection.requireAuthentication is true". 'derby-authc' is the same
property, but system-wide)

My experiments with the client driver and the network server indicate that if
derby.connection.requireAuthentication is enabled programmatically as a system
property, and disabled as a database property, and the
derby.database.propertiesOnly property has not been set, then passing
system-level authentication is required in order to obtain a client connection.
Am I misunderstanding something?


-- 
John




Re: JMX Access Control Proposal

Posted by Daniel John Debrunner <dj...@apache.org>.
John Embretsen wrote:

> There are two types of user authorization in Derby, connection 
> authorization and SQL authorization. Connection authorization specifies 
> the access that users have to connect to a system or database."
> 
> I was (am) not sure what a system means in this context, and how that is 
> possibly different from a database / JDBC connection request.

That might be a doc bug, since connection authorization really only 
applies to the state of a JDBC connection. I'm not sure though if a 
system connection (e.g. jdbc:derby:;shutdown=true) goes through 
connection authorization, I thought it was only database connections but 
I could be wrong.

Dan.



Re: JMX Access Control Proposal

Posted by John Embretsen <Jo...@Sun.COM>.
Daniel John Debrunner wrote:
> If a JMX action does not require obtaining a JDBC connection to the 
> database then I would say db-authr is not applicable (which appears 
> similar to being ignored). db-authr defines the state of a user's JDBC 
> connection into the database (it's now called connection level 
> authorization), thus it can only apply if a connection is being obtained.

That makes sense to me as well. I think I have been somewhat confused about when 
Derby's user authorization should apply. For example, the Developer's Guide says 
[1]:

"When you specify user authorizations, Derby verifies that a user has been 
granted permission to access a system, database, object, or SQL action.

There are two types of user authorization in Derby, connection authorization and 
SQL authorization. Connection authorization specifies the access that users have 
to connect to a system or database."

I was (am) not sure what a system means in this context, and how that is 
possibly different from a database / JDBC connection request.

> I'm also assuming that the required expectation is followed at all times 
> (from the wiki):
> 
>  "A valid JMX user (a user able to connect via JMX to Derby's 
> MBeanServer) must not be able to access information or perform 
> operations that would otherwise be restricted by Derby's existing 
> security mechanisms (authentication, authorization, Security Manager, 
> etc.)."

Right, thanks for clarifying...

[snip]
> I'm using database authentication to mean the check that is invoked at 
> the database level (JDBC connection request) regardless of how it is 
> configured.

Ah, I see.

> You are using the term system authentication to mean the check that is 
> invoked at the database level if it is configured using system 
> properties (which I agree *may* have the authentication as the system 
> one, an application's implementation of authentication could implement 
> different checks based upon being system or database).

I almost think I know what you mean...
I'll give myself some time to chew on this and come back with more questions if 
I'm still fuzzy regarding that last part ;)

> Either way, I think we agree to connect to a database only a single 
> authentication step is required.

True.

Thanks!

[1]: http://db.apache.org/derby/docs/dev/devguide/cdevcsecure36595.html

-- 
John


Re: JMX Access Control Proposal

Posted by Daniel John Debrunner <dj...@apache.org>.
John Embretsen wrote:
> Related to DERBY-1387, there is an access control proposal on the wiki at
> 
> http://wiki.apache.org/db-derby/JMXSecurityExpectations#head-0e3b575bde6a9f7dce809605aa153ccff9daa7e7 
> 
> 
> The proposal is also related to a previous E-mail thread with the subject
> "JMX meeting system authorization (DERBY-2109 & 1387)",
> http://db.markmail.org/message/s7eqlhz6ydrufatl?q=list:org%2Eapache%2Edb%2Ederby-dev
>
> I'm starting a new thread here so that we don't deviate too much from "the
> Apache way" on the wiki...
>
> 1) I noticed that Derby connection authorization (db-authr) is not mentioned
> in the proposal. Does this mean that this will be ignored, at least for JMX
> actions that do not rely on obtaining a regular JDBC connection to the
> database from the MBean?

The proposal is only saying that any JMX action (get/set attribute and 
invoke operation) on any of Derby's MBeans must go through some 
authorization check. Where existing authorization mechanisms exist then 
they will be the ones used, to avoid multiple levels of authorization 
checking and configuring. Thus setting a database attribute requires 
executing a database procedure and thus the user must have been granted 
permission to execute that procedure and have a read-write connection.

If a JMX action does not require obtaining a JDBC connection to the 
database then I would say db-authr is not applicable (which appears 
similar to being ignored). db-authr defines the state of a user's JDBC 
connection into the database (it's now called connection level 
authorization), thus it can only apply if a connection is being obtained.

I'm also assuming that the required expectation is followed at all times 
(from the wiki):

  "A valid JMX user (a user able to connect via JMX to Derby's 
MBeanServer) must not be able to access information or perform 
operations that would otherwise be restricted by Derby's existing 
security mechanisms (authentication, authorization, Security Manager, 
etc.)."


> 2) I'm curious about how this proposal relates to Derby authentication?
> I'm still a bit puzzled here, I guess. 

[snip]

> My experiments with the client driver and the network server indicate that
> if derby.connection.requireAuthentication is enabled programmatically as a
> system property, and disabled as a database property, and the
> derby.database.propertiesOnly property has not been set, then passing
> system-level authentication is required in order to obtain a client
> connection.
> Am I misunderstanding something?

I see what you mean now, we are using terminology differently. There are 
two places in the code where authentication checks are made, for the 
system and for the database. The database authentication can be 
configured using database properties or system properties.

I'm using database authentication to mean the check that is invoked at 
the database level (JDBC connection request) regardless of how it is 
configured.

You are using the term system authentication to mean the check that is 
invoked at the database level if it is configured using system 
properties (which I agree *may* have the authentication as the system 
one, an application's implementation of authentication could implement 
different checks based upon being system or database).

Either way, I think we agree to connect to a database only a single 
authentication step is required.

Thanks,
Dan.
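
Added example (not part of the thread, and not Derby's own code): a simplified Java model of how the single database-level authentication check discussed above picks up derby.connection.requireAuthentication from system or database properties. It assumes Derby's documented precedence (programmatic system properties, then database properties, then derby.properties); the class and method names are hypothetical, and the handling of derby.database.propertiesOnly is modeled as "system-wide values are ignored".

```java
import java.util.Properties;

// Simplified model of Derby property precedence; names are hypothetical.
public class AuthPropertyPrecedence {
    static final String REQUIRE_AUTH = "derby.connection.requireAuthentication";
    static final String DB_ONLY = "derby.database.propertiesOnly";

    // jvm:  system-wide properties set programmatically or with -D
    // db:   database-wide properties stored in the database
    // file: system-wide properties read from derby.properties
    static String effective(String key, Properties jvm, Properties db, Properties file) {
        if (Boolean.parseBoolean(db.getProperty(DB_ONLY, "false"))) {
            // Assumption: with propertiesOnly=true only the database value counts.
            return db.getProperty(key);
        }
        String value = jvm.getProperty(key);
        if (value == null) value = db.getProperty(key);
        if (value == null) value = file.getProperty(key);
        return value;
    }

    // Whether the database-level check (JDBC connection request) demands credentials.
    static boolean authRequired(Properties jvm, Properties db, Properties file) {
        // parseBoolean(null) is false, matching the property's default.
        return Boolean.parseBoolean(effective(REQUIRE_AUTH, jvm, db, file));
    }

    public static void main(String[] args) {
        Properties jvm = new Properties();
        Properties db = new Properties();
        Properties file = new Properties();

        // The configuration from the experiment: enabled programmatically as a
        // system property, disabled as a database property, propertiesOnly unset.
        jvm.setProperty(REQUIRE_AUTH, "true");
        db.setProperty(REQUIRE_AUTH, "false");
        System.out.println("propertiesOnly unset: " + authRequired(jvm, db, file));

        // Same configuration, but the database pins its own properties.
        db.setProperty(DB_ONLY, "true");
        System.out.println("propertiesOnly=true:  " + authRequired(jvm, db, file));

        // Authentication configured only in the database, nothing system-wide.
        Properties noSystem = new Properties();
        db.setProperty(REQUIRE_AUTH, "true");
        System.out.println("database only:        " + authRequired(noSystem, db, file));
    }
}
```

In this model the first case requires authentication and the second does not, so whichever source wins, a connection request is subject to one resolved setting rather than two stacked checks.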