Posted to derby-user@db.apache.org by Phil <ph...@vodafone.ie> on 2010/11/16 13:23:40 UTC

Limiting remote connections to specific users?

Hi,

I have an application that uses derby in embedded mode. We plan to start
up the network daemon by setting derby.drda.startNetworkServer=true in
the derby.properties file as this will allow us to remotely connect to
the application database without disrupting the running application (for
support purposes). 

In order to address security concerns, I would like to define a new user
with limited rights and restrict network connections only to that user
(analogous to how sshd can deny root logins).

I assume that I can define a new role (remotesupportuser for example)
with the appropriate permissions and then grant this role to specific
users. Is there a way that I can configure the derby network server to
accept remote connections only from users with the remotesupportuser
role? Alternatively, is there a way that I can simply deny remote
connections from SA? 

Thanks,
Phil

Re: Limiting remote connections to specific users?

Posted by Phil <ph...@vodafone.ie>.

On Wed, 17 Nov 2010 01:26 +0100, "Dag H. Wanvik" <da...@oracle.com>
wrote:
> Phil <ph...@vodafone.ie> writes:
> 
> > I assume that I can define a new role (remotesupportuser for example)
> > with the appropriate permissions and then grant this role to specific
> > users. Is there a way that I can configure the derby network server to
> > accept remote connections only from users with the remotesupportuser
> > role? 
> 
> No, I don't believe there is. Currently, the role machinery is only
> used to administer SQL privileges, not system privileges. Work has been
> done on Derby in the past to improve Derby's support for system
> privileges, cf. DERBY-2109, but that work has not been completed.
> 
> Dag

Hi Dag,

Thanks for the feedback, that's useful to know. I'll just take a
different tack with this.

Best regards,
Phil


 

Re: Limiting remote connections to specific users?

Posted by "Dag H. Wanvik" <da...@oracle.com>.
Phil <ph...@vodafone.ie> writes:

> I assume that I can define a new role (remotesupportuser for example)
> with the appropriate permissions and then grant this role to specific
> users. Is there a way that I can configure the derby network server to
> accept remote connections only from users with the remotesupportuser
> role? 

No, I don't believe there is. Currently, the role machinery is only
used to administer SQL privileges, not system privileges. Work has been
done on Derby in the past to improve Derby's support for system
privileges, cf. DERBY-2109, but that work has not been completed.

Dag