On 6/21/07, Knut Anders Hatlen <[EMAIL PROTECTED]> wrote:

Martin Zaun <[EMAIL PROTECTED]> writes:

> Hi,
>
> there seems to be an issue with 'NetworkServerControl shutdown' and
> authentication.  Your comments appreciated.
>
> Here's what I'm doing:

[...]

> 3) What does NOT work and results in a server crash: run shutdown
>    from NetworkServerControl with authentication (restarted server):
>
> java -Dderby.connection.requireAuthentication=true
>      -Dderby.authentication.provider=BUILTIN
>      -Dderby.user.MARTIN=martinspassword
>      -Dderby.database.sqlAuthorization=true
>      org.apache.derby.drda.NetworkServerControl shutdown
>
>    This command makes the server process terminate after this message:
>
> Derby shutdown warning:
>  Connection refused : Invalid authentication.
> Apache Derby Network Server - 10.4.0.0 alpha - (549159M) shutdown at 2007-06-20 22:52:59.093 GMT
>
>    Some printlns I put into
>        org.apache.derby.jdbc.InternalDriver.connect()
>    suggest that the wrong user name 'APP' (instead of 'MARTIN') is being
>    used for authentication:
>
> --> InternalDriver.connect()
> connect(): finfo = {shutdown=true}
> connect(): IdUtil.getUserNameFromURLProps(finfo) = APP
>
>
> Questions:
>
> - Was I using the authentication properties correctly for 'shutdown'?

I don't think the shutdown command recognizes these properties, but it
would be great if there were some way to set username/password for it.


That is correct, it does not - This is stepping into the realm of system
privileges - the SHUTDOWN operation is a system privilege one. For
instance, one would not want *any* authenticated user to be able to shut down
a server or a database if he/she is not authorized to do so (e.g. Admin
user).

> - An authentication failure ("Derby shutdown warning") should not result
>   in the termination (or crash) of the server process, right?

Actually, the server doesn't crash, it just shuts down because it got a
shutdown command. The authentication failure is not for the server
shutdown, but for a clean-up operation (invoking a clean shutdown of the
database) performed during server shutdown. This clean-up is not
required for shutting down the server, it only makes the shutdown
cleaner (that is, we don't have to run recovery the next time we boot
the database). That's also why it's only a warning, not an error. Note
that the server shutdown only tries to shut down the database if the
server was started from the command line, otherwise the booted databases
are left running.

> - For better diagnostics, should the "Invalid authentication" message
>   tell the user name being used for authentication?


We could have - this has been there for ages - I think it was done
originally for extra security ;-) One does not say anything about what went
wrong with the credentials, one just fails to authenticate and the requester
should know what to do to fix it (no guidance as far as what went wrong -
other databases also do this - I remember having looked at other RDBMS but
it was long ago).


+1

--
Knut Anders
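
The trade-off discussed in this thread (a uniform "Invalid authentication" reply versus diagnostics that name the user), as an added example that is not part of the original messages and is not Derby's code: the requester always gets the same message, while the user name actually used, including the defaulted APP, goes to a server-side audit log. The class, method and `AUDIT` names are hypothetical; the message text, the MARTIN credentials and the APP default are taken from the thread.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.ArrayList;
import java.util.List;
import java.util.Map;

// Added illustration, not Derby source. All class and member names are hypothetical.
public class UniformAuthFailure {
    // One text for every failure, so the reply does not reveal which check failed.
    static final String CLIENT_MSG = "Connection refused : Invalid authentication.";
    // Assumed default when a request carries no user, as the thread's printlns show.
    static final String DEFAULT_USER = "APP";
    // Constructed user store mirroring -Dderby.user.MARTIN=martinspassword (plaintext, as on the page).
    static final Map<String, String> USERS = Map.of("MARTIN", "martinspassword");
    // Server-side audit trail, read by operators only.
    static final List<String> AUDIT = new ArrayList<>();

    /** Returns null on success, or the uniform client-facing message on failure. */
    static String authenticate(String user, String password) {
        boolean defaulted = (user == null || user.isEmpty());
        String effective = defaulted ? DEFAULT_USER : user;
        String stored = USERS.get(effective);
        // Unknown users are compared against a dummy so both paths do the same work.
        byte[] expected = (stored == null ? "\0dummy" : stored).getBytes(StandardCharsets.UTF_8);
        byte[] supplied = (password == null ? "" : password).getBytes(StandardCharsets.UTF_8);
        boolean ok = MessageDigest.isEqual(expected, supplied) && stored != null;
        if (ok) return null;
        // Diagnostic detail goes to the server log, never to the requester.
        // Line breaks are stripped so a crafted user name cannot forge log entries.
        AUDIT.add("auth failed: user=" + effective.replaceAll("[\\r\\n]", "_")
                + (defaulted ? " (defaulted, none supplied)" : "")
                + " reason=" + (stored == null ? "unknown user" : "bad password"));
        return CLIENT_MSG;
    }

    public static void main(String[] args) {
        System.out.println(authenticate("MARTIN", "martinspassword")); // valid credentials
        System.out.println(authenticate("MARTIN", "wrong"));           // known user, bad password
        System.out.println(authenticate(null, null));                  // request with no credentials
        AUDIT.forEach(System.out::println);
    }
}
```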
