[ https://issues.apache.org/jira/browse/DERBY-1387?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#action_12520292 ]

Rick Hillegas commented on DERBY-1387:
--------------------------------------

Thanks to Ole Gunnar for the great functional spec. I have a couple of comments:

1) Under DatabaseMBean, the property associated with DatabaseName looks wrong 
to me.

2) Under DatabaseMBean: I have reservations about the addDBUser() operation. I 
do not think that we should be encouraging customers to use the BUILTIN 
authentication scheme. In that scheme passwords are stored in plaintext. That 
seems very insecure to me. I think it's ok for testing purposes but not for a 
production environment. I recommend against exposing this operation.

3) In general, I think we need to beef up the authorization story for this 
JMX-based administration before we expose it to customers. Incremental 
development is great, but I think real production usage requires more controls. 
If I understand the spec correctly, it seems that godlike administrative powers 
over all databases are granted to the VM's administrator. I think this is 
inappropriate for VMs which host other applications besides Derby. I propose 
the following:

a) The VersionMBean looks pretty harmless to me. I don't think it needs more 
controls.

b) I think that in order to get your hands on a SystemMBean or a NSCMBean, you 
should be forced to authenticate at the Derby system-wide level. Furthermore, 
this authentication should result in your being a system-wide DatabasePrincipal 
to whom the policy file grants 'permission 
org.apache.derby.security.SystemPermission "systemAdministration"'. For more 
information on this permissions scheme, see the functional spec for DERBY-2109.

c) You must authenticate as the database's DBA in order to get your hands on 
the corresponding DatabaseMBean.

4) Continuing on the topic of authorization: If I understand the spec 
correctly, it seems that, potentially, the Derby System Administrator and all 
of the Derby DBAs will be given the password for VM-wide JMX-based 
administration. In theory, this gives these users the ability to manipulate 
other applications running in the VM. The user guides should state clearly that 
these other applications are responsible for raising additional authorization 
hurdles if they are uncomfortable with these godlike powers that are granted to 
Derby super-users.
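The principal-scoped grant proposed in 3b, spelled out as a Java policy-file fragment. This is an added illustration, not text from the comment above or from Derby's own policy templates; only the permission class org.apache.derby.security.SystemPermission and the "systemAdministration" target come from the comment. The principal class name org.apache.derby.authentication.DatabasePrincipal and the principal name "sysadmin" are assumptions made for the example.

```text
// Added example, not from the Derby project: one grant per privilege level.

// 3a) VersionMBean needs no extra control, so nothing is granted for it.

// 3b) Only a principal that authenticated at the Derby system level may
//     obtain the SystemMBean or NSCMBean. The principal class and the
//     name "sysadmin" are assumptions for illustration.
grant principal org.apache.derby.authentication.DatabasePrincipal "sysadmin" {
    permission org.apache.derby.security.SystemPermission "systemAdministration";
};

// What to avoid: a grant with neither a codeBase nor a principal clause
// applies to every class in the VM, which is the "godlike powers" situation
// described in point 3.
// grant {
//     permission org.apache.derby.security.SystemPermission "systemAdministration";
// };
```

The file is put in force with `-Djava.security.manager -Djava.security.policy==derby.policy`; the double equals makes it the only policy the VM consults rather than an addition to the JDK default, so an over-broad default grant cannot undo the principal scoping. The principal clause is only meaningful if the code that registers the MBeans runs with the authenticated DatabasePrincipal in its access-control context, which is exactly the coupling between authentication and authorization that point 3b asks for.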


> Add JMX extensions to Derby
> ---------------------------
>
>                 Key: DERBY-1387
>                 URL: https://issues.apache.org/jira/browse/DERBY-1387
>             Project: Derby
>          Issue Type: New Feature
>          Components: Services
>            Reporter: Sanket Sharma
>            Assignee: Bernt M. Johnsen
>         Attachments: DERBY-1387-1.diff, DERBY-1387-1.stat, DERBY-1387-2.diff, 
> DERBY-1387-2.stat, DERBY-1387-3.diff, DERBY-1387-3.stat, derbyjmx.patch, 
> jmx.diff, jmx.stat, jmxFuncspec.html, Requirements for JMX Updated.html, 
> Requirements for JMX.html, Requirements for JMX.zip
>
>
> This is a draft requirement specification for adding monitoring and 
> management extensions to Apache Derby using JMX. The requirements document 
> has been uploaded on JIRA as well as the Derby Wiki page at 
> http://wiki.apache.org/db-derby/_Requirement_Specifications_for_Monitoring_%26_Management_Extensions_using_JMX
> Developers and Users are requested to please look at the document (feature 
> list in particular) and add their own rating to features by adding a column 
> to the table.
> Comments are welcome.

-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.