[ 
https://issues.apache.org/jira/browse/DERBY-5648?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13227718#comment-13227718
 ] 

Rick Hillegas commented on DERBY-5648:
--------------------------------------

Thanks for the additional experiments, Knut.

> Another question is whether there should have been an error when calling 
> SYSCS_MODIFY_PASSWORD on a database that's not a credentials database. But I 
> suppose that must be allowed so that the password of the DBO can be set 
> before NATIVE is enabled?

I think that the use-case is obscure: changing a password which you just set. 
However, I don't see a strong reason to forbid this.

> Maybe SYSCS_MODIFY_PASSWORD (and SYSCS_RESET_PASSWORD) should fail, though, 
> if there is no entry for the specified user in the local SYS.SYSUSERS table? 

And SYSCS_DROP_USER as well? The use-case for allowing these procedures to be 
called on non-existent users is obscure: It would involve delegating some but 
not all user-maintenance chores to an assistant. The assistant would be allowed 
to change the passwords of known users but would be prevented from using these 
procedures to fish for additional user names.

The use-case for disallowing these procedures on non-existent users seems more 
important to me: alerting the DBO to the fact that she has mis-spelled a user 
name.

Further thoughts?

Thanks,
-Rick
                
> Unclear password expiry warning when using separate credentials db
> ------------------------------------------------------------------
>
>                 Key: DERBY-5648
>                 URL: https://issues.apache.org/jira/browse/DERBY-5648
>             Project: Derby
>          Issue Type: Improvement
>          Components: Services
>    Affects Versions: 10.9.0.0
>            Reporter: Knut Anders Hatlen
>            Priority: Minor
>
> If you log on to a database (other than the credentials db) and your password 
> is about to expire, you'll be advised to change your password using the 
> SYSCS_UTIL.SYSCS_MODIFY_PASSWORD procedure. However, the warning message does 
> not say you need to log on to the credentials db to change your password. 
> This may lead the user to modify the password in the current database instead 
> of the credentials database, thinking everything is well.
> ij(CONNECTION1)> connect 'jdbc:derby:otherdb;user=test;password=abc';
> WARNING 01J15: Your password will expire in 0 day(s). Please use the 
> SYSCS_UTIL.SYSCS_MODIFY_PASSWORD  procedure to change your password.
> ij(CONNECTION2)> CALL SYSCS_UTIL.SYSCS_MODIFY_PASSWORD('new-password');
> 0 rows inserted/updated/deleted
> ij(CONNECTION2)> connect 'jdbc:derby:otherdb;user=test;password=new-password';
> ERROR 08004: Connection authentication failure occurred.  Reason: Invalid 
> authentication..
> Even though SYSCS_MODIFY_PASSWORD succeeds, the password has not been updated 
> in the credentials db.
