Thanks, David and Lance, for elaborating on the usability issue raised
by Øystein: policy files can be tricky to work with.
It seems to me a sysadmin needs our system privileges because she wants
to prevent malicious shutdown (shutdownEngine privilege) and resource
hogging (createDatabase privilege). I suspect that she also wants to
control malicious shutdown via unauthorized calls to System.exit() and
resource hogging via unauthorized use of java.io classes. For instance,
she needs to prevent the following:
create procedure exitNow( in statusValue int )
language java
parameter style java
no sql
external name 'java.lang.System.exit'
;
call exitNow( 1 );
What I'm suggesting is that the sysadmin needs to run the vm under a
SecurityManager anyway if she's shy about unauthorized shutdown and
resource hogging. That means she already needs to understand policy
files in order to grant Derby sufficient privilege to even run--as
documented in the Developer's Guide. The incremental learning curve for
our new privileges is slight, I think.
I'm not saying that policy files are trivial. I'm just saying the
sysadmin already needs to understand them if she's going to control
shutdown and resource hogging.
Regards,
-Rick
Lance J. Andersen wrote:
I agree with David on this that policy files are painful.
David Van Couvering wrote:
Rick Hillegas (JIRA) wrote:
2) Unfamiliar api. Oracle, DB2, Postgres, and MySQL all handle
system privileges in different ways. Picking one of these models
would still result in an api that's unfamiliar to many people. That
said, these databases do tend to use GRANT/REVOKE for system
privileges, albeit each in its own peculiar fashion. I agree that
GRANT/REVOKE is an easier model to learn than Java Security. I think
however, that the complexity of Java Security is borne by the
derby-dev developer, not by the customer. Creating a policy file is
very easy and our user documentation gives simple examples which the
naive user can just crib. With adequate user documentation, I think
this approach would be straightforward for the customer.
I must respectfully disagree that "creating a policy file is very
easy." I think it's a royal PITA - the syntax is complex,
nonintuitive and unforgiving.
Can we provide a GRANT/REVOKE interface on top of an implementation
that uses JAAS?
