Hi Dag,
Thanks for the questions. Most of these have to do with authentication
and the notion of identity in Derby. These are issues we need to iron
out, perhaps as part of DERBY-866. Some comments inline...
On 9/20/11 2:02 PM, Dag H. Wanvik wrote:
> Thanks, Rick!
>
> On 9/16/2011 8:55 PM, Rick Hillegas wrote:
>> CS1) The VM owner would have to specify credentials in order to boot
>> the server.
>
> How would we store and authenticate these credentials (we have no a
> priori DB or central repository unless authentication is via LDAP)?
> Would this require the system privileges to be completed or do you
> have another model in mind?

Here are two possible approaches:

i) As part of the work on DERBY-866, we build system-wide authentication
for Derby. The latest proposal on that issue is for database-specific
credentials. The problem of system-wide credentials baffles me.

ii) If we are using the new authentication scheme proposed on DERBY-866,
then we just accept the credentials which are provided when the server
is booted. Those credentials are stored in memory and are required for
subsequent operations on the server.

More discussion needed.

>> CS2) Those credentials would be required in order to shut down the
>> server, shut down the engine, turn server-side tracing on/off, and in
>> general use any of the public functions of
>> NetworkServerControl/NetServlet.
>
> and I guess, any interface we expose through our management beans?

Probably. JMX may have its own notion of identity, though.

>> CS3) SSL/TLS would be turned on. Unless overridden, certificate/key
>> stores would be expected/created at some default location.
>>
>> CS4) Some mechanism would control create/restore database powers
>> across the network. Discussion needed.
>
> Can you elaborate on what you have in mind here? Do you mean changing
> the database owner (DBO) for a database? And/or the privileges
> referred to in CS2?

This might be the almost finished work on DERBY-2109. Alternatively, we
might consider some sort of certificate-based identity when SSL/TLS is
enabled. I think this is wrapped up with your earlier question about (CS1).

At this point, we might want to start a separate thread to address the
question of Derby identity and how to supply builtin authentication
which is secure and easy to administer. Or continue this discussion on
DERBY-866.

Thanks,
-Rick
Thanks,
Dag
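
Approach (ii) and CS2 from the message above, as an added sketch that is not part of the original thread and is not Derby code: credentials supplied at boot are reduced to a salted hash held only in memory, and every control operation must present them again. The class name `BootCredentialGate`, the `require` method, the iteration count and the sample user and password are all assumptions made for illustration.

```java
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Arrays;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;

/** Hypothetical sketch, not Derby code: gate server control operations on boot-time credentials. */
public class BootCredentialGate {
    private static final int ITERATIONS = 210_000; // assumed work factor
    private final byte[] user;
    private final byte[] salt = new byte[16];
    private final byte[] hash;

    /** Called once at server boot; only a salted hash stays in memory. */
    public BootCredentialGate(String user, char[] password) throws GeneralSecurityException {
        this.user = user.getBytes(StandardCharsets.UTF_8);
        new SecureRandom().nextBytes(salt);
        this.hash = derive(password, salt);
        Arrays.fill(password, '\0'); // wipe the caller's clear-text copy
    }

    private static byte[] derive(char[] password, byte[] salt) throws GeneralSecurityException {
        PBEKeySpec spec = new PBEKeySpec(password, salt, ITERATIONS, 256);
        try {
            return SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256").generateSecret(spec).getEncoded();
        } finally {
            spec.clearPassword();
        }
    }

    /** Every control operation (shutdown, tracing on/off, ...) calls this first. */
    public void require(String user, char[] password, String operation) throws GeneralSecurityException {
        boolean userOk = MessageDigest.isEqual(this.user, user.getBytes(StandardCharsets.UTF_8));
        boolean passOk = MessageDigest.isEqual(hash, derive(password, salt)); // constant-time compare
        if (!(userOk & passOk)) { // non-short-circuit: both checks always run
            throw new SecurityException("boot credentials required for " + operation);
        }
    }

    public static void main(String[] args) throws GeneralSecurityException {
        // Constructed sample credentials.
        BootCredentialGate gate = new BootCredentialGate("vmowner", "constructed-secret".toCharArray());
        gate.require("vmowner", "constructed-secret".toCharArray(), "shutdown"); // accepted
        try {
            gate.require("vmowner", "wrong".toCharArray(), "trace on");
        } catch (SecurityException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

Because the hash and salt live only in the running JVM, a restart discards them and whoever boots the server next sets new credentials, which is the open identity question the thread defers to DERBY-866.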