Oystein Grovlen - Sun Norway wrote:
> Rick Hillegas wrote:
>> 2) What behavior would we like to see in 10.3 when we control engine
>> shutdown with Java Security?
>> I think we need to prevent unauthorized users from bringing down the
>> network server. I wonder if there is much difference between the
>> power to shutdown the engine and the power to shutdown the network
>> server? It makes sense to me that if you don't have the weaker power
>> to shutdown the engine, then you should not have the stronger power
>> to shutdown the whole server. Which of the following behaviors seems
>> best:
>> i) You cannot shutdown the network server if the engine is still
>> running and/or databases are still open. Instead, first you must
>> connect with the engine shutdown url and good credentials as a user
>> who has Shutdown privilege. Once you have brought down the engine
>> this way, then you can bring down the network server.
> It seems a bit cumbersome for a system administrator to have to
> connect to every database before shutting down the server.
I agree. What I had in mind was a little simpler, although still cumbersome:
a) First the system administrator connects to derby with the master
shutdown url which brings down the whole engine--and by implication, all
of the open databases.
b) Then the system administrator brings down the network server.
>> ii) Network server shutdown needs to require credentials, which can
>> then be forwarded to the server. If the user authenticates and has
>> Shutdown privilege, then the server will come down regardless of
>> whether the engine is up and there are open databases. If the user
>> does not have Shutdown privilege, then the operation will fail.
> I think it is fair to assume that if a person is authorized to shut
> down the server, he/she is also authorized to shut down the
> databases. In other words, I vote for this alternative.
We could add username and password arguments to the network shutdown
command line. Then we could pass those arguments to the receiving server
for validation by whatever authentication mechanism prevails there. Do
you think this is adequate?
Thanks,
-Rick
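As an added illustration of alternative (ii) discussed above (this is a toy model written for this thread, not Derby code or Derby's actual API), the network server receives the forwarded username and password, validates them against its own authentication table, checks for the Shutdown privilege, and only then brings down the engine, its open databases, and itself; the user names, passwords and privilege grants below are constructed sample data.

```python
"""Toy model of alternative (ii): network server shutdown requires credentials,
which the server validates; only a user holding Shutdown privilege can bring
the whole server (engine and open databases included) down."""
from dataclasses import dataclass, field
import hmac


@dataclass
class NetworkServer:
    # Constructed sample authentication table and privilege grants; a real
    # server would delegate to whatever authentication mechanism it is
    # configured with rather than hold a plaintext table.
    passwords: dict = field(default_factory=dict)
    shutdown_users: set = field(default_factory=set)
    open_databases: set = field(default_factory=set)
    engine_up: bool = True
    running: bool = True

    def authenticate(self, user: str, password: str) -> bool:
        expected = self.passwords.get(user)
        # Constant-time comparison so a wrong password does not leak timing.
        return expected is not None and hmac.compare_digest(expected, password)

    def shutdown_engine(self) -> None:
        # Bringing down the engine closes every open database by implication.
        self.open_databases.clear()
        self.engine_up = False

    def shutdown(self, user: str, password: str) -> tuple:
        """Server-side handling of a forwarded shutdown request.
        Returns (ok, reason); nothing changes state unless ok is True."""
        if not self.authenticate(user, password):
            return False, "authentication failed"
        if user not in self.shutdown_users:
            return False, "user lacks Shutdown privilege"
        self.shutdown_engine()
        self.running = False
        return True, "network server stopped"


def sample_server() -> NetworkServer:
    # Constructed sample: two users, only 'admin' holds Shutdown privilege.
    return NetworkServer(
        passwords={"admin": "s3cret", "app": "apppw"},
        shutdown_users={"admin"},
        open_databases={"sales", "hr"},
    )
```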