Posted to derby-dev@db.apache.org by Rick Hillegas <Ri...@Sun.COM> on 2007/01/04 23:45:30 UTC

shutting down the network server with credentials

I would like to continue the discussion about system shutdown and 
privileges. For further context, please see DERBY-2109.

I am a bit puzzled about the interaction between engine shutdown and 
network server shutdown. I would appreciate the community's advice about:

1) What is supposed to be happening today?

2) And what behavior would we like to see in 10.3 when we control engine 
shutdown with Java Security?

Thanks for pondering the following...
-Rick
---------------

1) What is supposed to be happening today?

I'm a bit confused by the section on "Shutting down the Network Server" 
in the Admin Guide. According to that section, if you are running with 
user authentication enabled, then you are supposed to shutdown your 
databases before shutting down the network server. This is a bit 
ambiguous. What is supposed to happen if you don't shut down your 
databases before shutting down the network server? I ran the following 
experiment:

A) I brought up the network server with user authentication enabled. 
That is, I brought up the network server with this command line:

java -Dderby.connection.requireAuthentication=true \
     -Dderby.authentication.provider=BUILTIN \
     -Dderby.user.\"rick\"=rickspassword \
     -Dderby.database.sqlAuthorization=true \
     -Dderby.stream.error.logSeverityLevel=0 \
     org.apache.derby.drda.NetworkServerControl start -p 8246

B) Then in another shell, I verified that I needed to specify 
username/password in order to connect to the engine with the following 
engine-shutdown URL:

jdbc:derby://localhost:8246/;shutdown=true;user="rick";password=rickspassword

I then brought down the server and ran this next experiment:

C) I again brought up the network server as in (A).

D) In another shell I connected to a database, using my credentials, 
opened a ResultSet, and went to sleep holding the ResultSet open.

E) Then in another shell, I shutdown the network server like so:

java org.apache.derby.drda.NetworkServerControl shutdown -p 8246

The server complained "Connection refused : Invalid authentication." 
Nevertheless, the server VM exited.

Finally, I ran the following experiment:

F) I again brought up the network server as in (A).

G) I again shutdown the network server as in (E).

This time there was no outstanding open connection or database and the 
server came down without complaint.

The results of these experiments puzzle me. I think it is odd that you 
need credentials to bring down the engine, but you don't need 
credentials to bring down the network server--which then brings down the 
engine as a side effect. Is this behavior expected and correct right now?


--------------------

2) What behavior would we like to see in 10.3 when we control engine 
shutdown with Java Security?

I think we need to prevent unauthorized users from bringing down the 
network server. I wonder if there is much difference between the power 
to shutdown the engine and the power to shutdown the network server? It 
makes sense to me that if you don't have the weaker power to shutdown 
the engine, then you should not have the stronger power to shutdown the 
whole server. Which of the following behaviors seems best:

i) You cannot shutdown the network server if the engine is still running 
and/or databases are still open. Instead, first you must connect with 
the engine shutdown url and good credentials as a user who has Shutdown 
privilege. Once you have brought down the engine this way, then you can 
bring down the network server.

ii) Network server shutdown needs to require credentials, which can then 
be forwarded to the server. If the user authenticates and has Shutdown 
privilege, then the server will come down regardless of whether the 
engine is up and there are open databases. If the user does not have 
Shutdown privilege, then the operation will fail.

iii) Something else?
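The behaviours compared in (1) and (2) above, as an added Python model that is not part of this thread or of Derby's code: today's credential-less network shutdown beside option (ii). The user table, the Shutdown privilege set and the database name are constructed stand-ins.

```python
import hmac
from dataclasses import dataclass, field

# Constructed stand-ins for derby.user.<name>=<password> BUILTIN entries.
# The privilege set is an assumption modelling the "Shutdown privilege"
# discussed in the thread, not an existing Derby mechanism.
USERS = {"rick": "rickspassword", "guest": "guestpassword"}
SHUTDOWN_PRIVILEGE = {"rick"}

def authenticate(user, password):
    """Validate credentials the way the engine does for shutdown=true."""
    expected = USERS.get(user)
    return expected is not None and hmac.compare_digest(expected, password)

@dataclass
class Engine:
    open_databases: set = field(default_factory=set)
    running: bool = True

    def shutdown(self, user, password):
        # Engine shutdown URL (experiment B): credentials are required today.
        if not authenticate(user, password):
            return "refused: Invalid authentication."
        self.open_databases.clear()
        self.running = False
        return "ok"

@dataclass
class NetworkServer:
    engine: Engine
    up: bool = True

    def legacy_shutdown(self):
        # Experiment E: nothing is checked; the VM simply exits and any open
        # database is left to be recovered on the next connect (DERBY-51).
        self.up = False
        return "ok"

    def shutdown(self, user=None, password=None):
        # Option (ii): credentials travel with the shutdown command, are
        # validated by the server's own authentication, and Shutdown privilege
        # is required. The decision never depends on whether databases are open.
        if user is None or password is None:
            return "refused: credentials required"
        if not authenticate(user, password):
            return "refused: Invalid authentication."
        if user not in SHUTDOWN_PRIVILEGE:
            return "refused: user lacks Shutdown privilege"
        self.engine.shutdown(user, password)  # orderly engine shutdown first
        self.up = False
        return "ok"
```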


Re: shutting down the network server with credentials

Posted by Rick Hillegas <Ri...@Sun.COM>.
Suresh Thalamati wrote:
> Rick Hillegas wrote:
>> Oystein Grovlen - Sun Norway wrote:
>>
>>> Rick Hillegas wrote:
>>>
>>>> 2) What behavior would we like to see in 10.3 when we control 
>>>> engine shutdown with Java Security?
>>>>
>>>> I think we need to prevent unauthorized users from bringing down 
>>>> the network server. I wonder if there is much difference between 
>>>> the power to shutdown the engine and the power to shutdown the 
>>>> network server? It makes sense to me that if you don't have the 
>>>> weaker power to shutdown the engine, then you should not have the 
>>>> stronger power to shutdown the whole server. Which of the following 
>>>> behaviors seems best:
>>>>
>>>> i) You cannot shutdown the network server if the engine is still 
>>>> running and/or databases are still open. Instead, first you must 
>>>> connect with the engine shutdown url and good credentials as a user 
>>>> who has Shutdown privilege. Once you have brought down the engine 
>>>> this way, then you can bring down the network server.
>>>
>>>
>>> It seems a bit cumbersome for a system administrator to have to 
>>> connect to every database before shutting down the server.
>>
>> I agree. What I had in mind was a little simpler, although still 
>> cumbersome:
>>
>> a) First the system administrator connects to derby with the master 
>> shutdown url which brings down the whole engine--and by implication, 
>> all of the open databases.
>>
>> b) Then the system administrator brings down the network server.
>>
>
> I don't understand the reasons behind why you want users to perform 
> two steps to shutdown. I think it is not intuitive; I am sure most of 
> the users will just shutdown the network server (option b) and assume
> the databases are shutdown too.  If the intention is to allow users to 
> perform a quick shutdown of the network server without shutting down the 
> databases, it should be a different command.
>
> Thanks
> -suresh
>
>
Thanks, Suresh. I sense that a consensus is building that network 
shutdown should be a one step process and that the user should supply 
credentials.

Regards,
-Rick

Re: shutting down the network server with credentials

Posted by Suresh Thalamati <su...@gmail.com>.
Rick Hillegas wrote:
> Oystein Grovlen - Sun Norway wrote:
> 
>> Rick Hillegas wrote:
>>
>>> 2) What behavior would we like to see in 10.3 when we control engine 
>>> shutdown with Java Security?
>>>
>>> I think we need to prevent unauthorized users from bringing down the 
>>> network server. I wonder if there is much difference between the 
>>> power to shutdown the engine and the power to shutdown the network 
>>> server? It makes sense to me that if you don't have the weaker power 
>>> to shutdown the engine, then you should not have the stronger power 
>>> to shutdown the whole server. Which of the following behaviors seems 
>>> best:
>>>
>>> i) You cannot shutdown the network server if the engine is still 
>>> running and/or databases are still open. Instead, first you must 
>>> connect with the engine shutdown url and good credentials as a user 
>>> who has Shutdown privilege. Once you have brought down the engine 
>>> this way, then you can bring down the network server.
>>
>>
>> It seems a bit cumbersome for a system administrator to have to 
>> connect to every database before shutting down the server.
> 
> I agree. What I had in mind was a little simpler, although still 
> cumbersome:
> 
> a) First the system administrator connects to derby with the master 
> shutdown url which brings down the whole engine--and by implication, all 
> of the open databases.
> 
> b) Then the system administrator brings down the network server.
> 

I don't understand the reasons behind why you want users to perform 
two steps to shutdown. I think it is not intuitive; I am sure most of 
the users will just shutdown the network server (option b) and assume
the databases are shutdown too.  If the intention is to allow users to 
perform a quick shutdown of the network server without shutting down the 
databases, it should be a different command.

Thanks
-suresh



Re: shutting down the network server with credentials

Posted by Rick Hillegas <Ri...@Sun.COM>.
Oystein Grovlen - Sun Norway wrote:
> Rick Hillegas wrote:
>
>> 2) What behavior would we like to see in 10.3 when we control engine 
>> shutdown with Java Security?
>>
>> I think we need to prevent unauthorized users from bringing down the 
>> network server. I wonder if there is much difference between the 
>> power to shutdown the engine and the power to shutdown the network 
>> server? It makes sense to me that if you don't have the weaker power 
>> to shutdown the engine, then you should not have the stronger power 
>> to shutdown the whole server. Which of the following behaviors seems 
>> best:
>>
>> i) You cannot shutdown the network server if the engine is still 
>> running and/or databases are still open. Instead, first you must 
>> connect with the engine shutdown url and good credentials as a user 
>> who has Shutdown privilege. Once you have brought down the engine 
>> this way, then you can bring down the network server.
>
> It seems a bit cumbersome for a system administrator to have to 
> connect to every database before shutting down the server.
I agree. What I had in mind was a little simpler, although still cumbersome:

a) First the system administrator connects to derby with the master 
shutdown url which brings down the whole engine--and by implication, all 
of the open databases.

b) Then the system administrator brings down the network server.
>
>>
>> ii) Network server shutdown needs to require credentials, which can 
>> then be forwarded to the server. If the user authenticates and has 
>> Shutdown privilege, then the server will come down regardless of 
>> whether the engine is up and there are open databases. If the user 
>> does not have Shutdown privilege, then the operation will fail.
>
> I think it is fair to assume that if a person is authorized to shut 
> down the server, he/she is also authorized to shut down the 
> databases.  In other words, I vote for this alternative.
>
We could add username and password arguments to the network shutdown 
command line. Then we could pass those arguments to the receiving server 
for validation by whatever authentication mechanism prevails there. Do 
you think this is adequate?

Thanks,
-Rick

Re: shutting down the network server with credentials

Posted by Oystein Grovlen - Sun Norway <Oy...@Sun.COM>.
Rick Hillegas wrote:

> 2) What behavior would we like to see in 10.3 when we control engine 
> shutdown with Java Security?
> 
> I think we need to prevent unauthorized users from bringing down the 
> network server. I wonder if there is much difference between the power 
> to shutdown the engine and the power to shutdown the network server? It 
> makes sense to me that if you don't have the weaker power to shutdown 
> the engine, then you should not have the stronger power to shutdown the 
> whole server. Which of the following behaviors seems best:
> 
> i) You cannot shutdown the network server if the engine is still running 
> and/or databases are still open. Instead, first you must connect with 
> the engine shutdown url and good credentials as a user who has Shutdown 
> privilege. Once you have brought down the engine this way, then you can 
> bring down the network server.

It seems a bit cumbersome for a system administrator to have to connect 
to every database before shutting down the server.

> 
> ii) Network server shutdown needs to require credentials, which can then 
> be forwarded to the server. If the user authenticates and has Shutdown 
> privilege, then the server will come down regardless of whether the 
> engine is up and there are open databases. If the user does not have 
> Shutdown privilege, then the operation will fail.

I think it is fair to assume that if a person is authorized to shut down 
the server, he/she is also authorized to shut down the databases.  In 
other words, I vote for this alternative.

-- 
Øystein

Re: shutting down the network server with credentials

Posted by Rick Hillegas <Ri...@Sun.COM>.
Bryan Pendleton wrote:
>> The results of these experiments puzzle me. I think it is odd that 
>> you need credentials to bring down the engine, but you don't need 
>> credentials to bring down the network server--which then brings down 
>> the engine as a side effect. Is this behavior expected and correct 
>> right now?
>
> Possibly you are seeing DERBY-51. That is, I don't think that bringing
> down the network server actually does bring down the engine. It just
> crashes the JVM, leaving the engine to recover the next time you connect
> to that database.
>
> http://issues.apache.org/jira/browse/DERBY-51
>
> thanks,
>
> bryan
>
>
Thanks, Bryan. This could explain some other odd error messages I saw 
when a sleeping client woke up after the network server was forced down.

Regards,
-Rick

Re: shutting down the network server with credentials

Posted by Bryan Pendleton <bp...@amberpoint.com>.
> The results of these experiments puzzle me. I think it is odd that you 
> need credentials to bring down the engine, but you don't need 
> credentials to bring down the network server--which then brings down the 
> engine as a side effect. Is this behavior expected and correct right now?

Possibly you are seeing DERBY-51. That is, I don't think that bringing
down the network server actually does bring down the engine. It just
crashes the JVM, leaving the engine to recover the next time you connect
to that database.

http://issues.apache.org/jira/browse/DERBY-51

thanks,

bryan