Related to DERBY-1387, there is an access control proposal on the wiki at

http://wiki.apache.org/db-derby/JMXSecurityExpectations#head-0e3b575bde6a9f7dce809605aa153ccff9daa7e7

The proposal is also related to a previous E-mail thread with the subject "JMX
meeting system authorization (DERBY-2109 & 1387)",
http://db.markmail.org/message/s7eqlhz6ydrufatl?q=list:org%2Eapache%2Edb%2Ederby-dev

I'm starting a new thread here so that we don't deviate too much from "the
Apache way" on the wiki...


1) I noticed that Derby connection authorization (db-authr) is not mentioned in
the proposal. Does this mean that this will be ignored, at least for JMX actions
that do not rely on obtaining a regular JDBC connection to the database from the
MBean?


2) I'm curious about how this proposal relates to Derby authentication?
I'm still a bit puzzled here, I guess. On the wiki we have noted elsewhere
(regarding database MBeans):

JHE: If any of *-authc are enabled, the JMX user must pass all
authentication checks (jmx-authc, derby-authc, db-authc) that are enabled for
this type of access (connecting to this particular database using this
particular Derby system).

DJD: Why is derby-authc included here, to connect to a database
derby-authc is not required, so why to administer it?

JHE: Isn't passing derby-authc required if it has been enabled
programmatically, unless derby.database.propertiesOnly=true?

DJD: No, to connect to a database only database authentication is needed.
(db-authc).

('db-authc' is defined on the wiki page as "The database-wide property
derby.connection.requireAuthentication is true". 'derby-authc' is the same
property, but system-wide)

My experiments with the client driver and the network server indicate that if
derby.connection.requireAuthentication is enabled programmatically as a system
property, and disabled as a database property, and the
derby.database.propertiesOnly property has not been set, then passing
system-level authentication is required in order to obtain a client connection.
Am I misunderstanding something?


--
John
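The experiment described in the message above can be reproduced on paper with a small model of property resolution. This is an added example, not code from the original message or from Derby. It assumes the precedence order: system properties set programmatically, then database properties, then system properties from derby.properties, with derby.database.propertiesOnly=true restricting lookup to database properties. The function names are hypothetical.

```python
# Model of Derby property precedence (assumed order, see lead-in); not Derby code.
KEY = "derby.connection.requireAuthentication"
PROPS_ONLY = "derby.database.propertiesOnly"


def resolve(key, programmatic, database, properties_file):
    """Return (value, source) for the first layer that defines key."""
    if database.get(PROPS_ONLY, "false").lower() == "true":
        # Database-wide properties cannot be overridden by system-wide ones.
        layers = [("database", database)]
    else:
        layers = [
            ("system-programmatic", programmatic),
            ("database", database),
            ("system-file", properties_file),
        ]
    for source, props in layers:
        if key in props:
            return props[key], source
    return None, "default"


def auth_required(programmatic, database, properties_file):
    """Effective requireAuthentication setting and the layer that decided it."""
    value, source = resolve(KEY, programmatic, database, properties_file)
    return (value or "false").lower() == "true", source


def shadowed(programmatic, database, properties_file):
    """True when the database sets KEY but another layer decides the outcome."""
    _, source = resolve(KEY, programmatic, database, properties_file)
    return KEY in database and source != "database"


if __name__ == "__main__":
    # Constructed inputs matching the scenario in the message.
    system = {KEY: "true"}   # set programmatically as a system property
    db = {KEY: "false"}      # disabled as a database property
    print(auth_required(system, db, {}), shadowed(system, db, {}))
    db_locked = dict(db, **{PROPS_ONLY: "true"})
    print(auth_required(system, db_locked, {}), shadowed(system, db_locked, {}))
```

Under these assumptions the database-level "false" is shadowed by the programmatic system property, which matches the behaviour reported in the message.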


