[jira] [Comment Edited] (DERBY-6598) Document permissions recommendations for JAR procedures

[Kim Haase (JIRA)]

    [ 
https://issues.apache.org/jira/browse/DERBY-6598?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14017055#comment-14017055
 ] 

Kim Haase edited comment on DERBY-6598 at 6/3/14 7:56 PM:
----------------------------------------------------------

I think the "Configuring Java security" topic of the security guide covers this 
under "Backups/imports/jars" but might need an added note on this subject.

The "Execute privileges" sections of the individual procedure topics in the 
Reference Manual need the information.

In the Developer's Guide, the info should probably be added to the "Jar file 
examples" topic, the parent of the one that shows how to use the procedures.

There's a mention of the procedures in one of the replication topics in the 
Admin Guide, but it cross-references both the Dev Guide and the Reference 
Manual, so I don't think anything needs to be added there.


was (Author: chaase3):
I think the "Configuring Java security" topic of the security guide covers this 
under "Backups/imports/jars" but might need an added note on this subject.

The introductory topic in the Reference Manual, "System procedures for storing 
jar files in a database", needs the information.

In the Developer's Guide, the info should probably be added to the "Jar file 
examples" topic, the parent of the one that shows how to use the procedures.

There's a mention of the procedures in one of the replication topics in the 
Admin Guide, but it cross-references both the Dev Guide and the Reference 
Manual, so I don't think anything needs to be added there.

> Document permissions recommendations for JAR procedures
> -------------------------------------------------------
>
>                 Key: DERBY-6598
>                 URL: https://issues.apache.org/jira/browse/DERBY-6598
>             Project: Derby
>          Issue Type: Bug
>          Components: Documentation
>    Affects Versions: 10.11.0.0
>            Reporter: Kim Haase
>            Assignee: Kim Haase
>
> It's been recommended that we should make the documentation of the 
> SQLJ.INSTALL_JAR procedure (and SQLJ.REPLACE_JAR) state more explicitly that 
> the privilege should only be granted to trusted users. For example:
> "Since this procedure can be used to install arbitrary code that runs in the 
> same Java Virtual Machine as the Derby database engine, the execution 
> privilege should only be granted to trusted users."
> This needs to go into the Reference Manual topics on these procedures as well 
> as other locations where they are discussed.



--
This message was sent by Atlassian JIRA
(v6.2#6252)