The 10.2 GRANT/REVOKE work was a big step forward in making Derby more
secure in a client/server configuration. I'd like to plug some more
security holes in 10.3. In particular, I'd like to focus on
authorization issues which the ANSI spec doesn't address. I would
appreciate feedback from the community: what do you think are the most
important outstanding security issues?
Here are the important issues which occur to me. I'm not sure that
GRANT/REVOKE will end up being the right way to plug these holes. Maybe
for some issues, maybe not for others. At this point I just want to
survey what's missing:
Missing privileges that are above the level of a single database:
- Create Database
- Shutdown System
Missing privileges specific to a particular database:
- Connect to that Database
- Shutdown that Database
- Create (in that Database) Java Plugins (currently Functions/Procedures, but someday Aggregates and VTIs)
What other issues do you think we should list?
(Note that 10.2 gave us GRANT/REVOKE control over the following
database-specific issues, via granting execute privilege to system
procedures:
- Jar Handling
- Backup Routines
- Admin Routines
- Import/Export
- Property Handling
- Check Table)
I would appreciate the community's advice.
Thanks,
-Rick
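The 10.2 mechanism the note above refers to, as an added example that is not part of Rick's post: with SQL authorization on, the database owner controls who may call the system routines by granting and revoking EXECUTE on them. The authorization ids BACKUP_OPERATOR and APP_USER are constructed for illustration; the default grants on each routine are not assumed here, only explicit grants and revokes are shown.

```sql
-- Run as the database owner. Turning on SQL authorization is what makes
-- GRANT/REVOKE meaningful; it takes effect after the database is rebooted
-- and, once true, cannot be set back to false.
CALL SYSCS_UTIL.SYSCS_SET_DATABASE_PROPERTY('derby.database.sqlAuthorization', 'true');

-- Backup Routines: only the (constructed) BACKUP_OPERATOR may take backups.
GRANT EXECUTE ON PROCEDURE SYSCS_UTIL.SYSCS_BACKUP_DATABASE TO BACKUP_OPERATOR;

-- Jar Handling: no application user should be able to install Java code.
-- An earlier grant to APP_USER is withdrawn; Derby requires RESTRICT here.
REVOKE EXECUTE ON PROCEDURE SQLJ.INSTALL_JAR FROM APP_USER RESTRICT;
REVOKE EXECUTE ON PROCEDURE SQLJ.REPLACE_JAR FROM APP_USER RESTRICT;

-- Property Handling: setting database properties stays with the owner;
-- reading them is a function, so the privilege is granted on FUNCTION.
REVOKE EXECUTE ON PROCEDURE SYSCS_UTIL.SYSCS_SET_DATABASE_PROPERTY FROM APP_USER RESTRICT;
GRANT EXECUTE ON FUNCTION SYSCS_UTIL.SYSCS_GET_DATABASE_PROPERTY TO APP_USER;

-- Import/Export: bulk export to the server's file system is limited to the operator.
GRANT EXECUTE ON PROCEDURE SYSCS_UTIL.SYSCS_EXPORT_TABLE TO BACKUP_OPERATOR;

-- Check Table: consistency checking is harmless to data, so it can be shared.
GRANT EXECUTE ON FUNCTION SYSCS_UTIL.SYSCS_CHECK_TABLE TO APP_USER;

-- Verify the result: SYSROUTINEPERMS lists who holds EXECUTE on which routine.
SELECT p.GRANTEE, a.ALIAS, p.GRANTOPTION
  FROM SYS.SYSROUTINEPERMS p JOIN SYS.SYSALIASES a ON p.ALIASID = a.ALIASID
 ORDER BY a.ALIAS, p.GRANTEE;
```

Note that this covers only routine-level privileges inside one database; the system-wide gaps Rick lists (Create Database, Shutdown System, Connect) have no GRANT/REVOKE equivalent in 10.2.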