[
https://issues.apache.org/jira/browse/DERBY-5522?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13236634#comment-13236634
]
Rick Hillegas commented on DERBY-5522:
--------------------------------------
Thanks for posting these changes to the Ref and Dev Guides, Kim. They look
great. Some suggested changes follow:
General comment about the reference pages for the new NATIVE system procedures:
I think it would be good if these pages pointed out that the username argument
is an authorization id. Its case-sensitivity is handled the same way that Derby
handles the case-sensitivity of schema names and schema object names which are
passed to other Derby procedures. To reduce confusion, I also recommend making
the examples use uppercase usernames. E.g.:
CALL SYSCS_UTIL.SYSCS_CREATE_USER('FRED', 'fredpassword')
rrefnativecreateuserproc:
I think it would be good if this page stated that if NATIVE authentication is
not already turned on, then...
1) The first user whose credentials are stored must be the DBO.
2) Calling this procedure will turn on NATIVE authentication the next time the
database is booted.
3) Once you turn on NATIVE authentication with this procedure, it remains
turned on permanently. There is no way to turn it off.
rrefnativedropuserproc:
I think that this page should state that you can't drop the credentials of the
DBO.
rrefnativemodifypasswordproc:
I would reword the first sentence slightly in order to distinguish this
procedure from the similar syscs_reset_password() procedure:
"The SYSCS_UTIL.SYSCS_MODIFY_PASSWORD system procedure is called by a user to
change her own password."
rrefnativeresetpasswordproc:
Slight expansion of the first sentence:
"has been forgotten" -> "has expired or been forgotten"
rrefproper13766:
While you're in there, it would be good to clean up an existing false statement.
The default value for derby.authentication.provider is "no authentication", not
BUILTIN. By default, no authentication mechanism protects the database.
rrefproper27467:
I see from the diff file that this section states that
derby.connection.requireAuthentication is irrelevant if NATIVE authentication
is turned on. That's good. For some reason, that change doesn't appear in the
html output in the zip file.
rrefproperpasswordthreshold:
I would reword the 3rd paragraph:
"A warning is raised when a user logs in and the remaining lifetime of her
password is less than this proportion of the maximum password lifetime. That
is, Derby raises a warning when the remaining lifetime of a password is less
than (derby.authentication.native.passwordLifetimeThreshold *
derby.authentication.native.passwordLifetimeMillis)."
rrefpropersqlauth:
Again, for some reason the extra material in the diff doesn't appear in the
html output in the zip file.
cdevcsecure866060:
Paragraph 5: "anabled" -> "enabled"
cdevcsecurenativeauth:
Bullet 3 under "Managing users and passwords":
"forgotten" -> "forgotten or expired"
Bullets under "Converting an existing database to use NATIVE authentication":
I would reword bullet 1 this way:
"If you specify NATIVE:credentialsDB, then add users of the existing database
to the credentialsDB. Typically, you would specify uppercase user names and
case-sensitive passwords. For instance, if the old database was created without
any authentication, then its default username is APP and you would do the
following:"
I would reword bullet 2 this way:
"If you plan to specify NATIVE:credentialsDB:LOCAL, then first connect to the
existing database as its database owner using its old authentication scheme.
Call SYSCS_UTIL.SYSCS_CREATE_USER to add credentials for the database owner.
For example, if the existing database was created with no authentication, then
the database owner is APP and you would add credentials for APP as shown above."
rdevcsecurenativeauthex:
Last paragraph of "NATIVE authentication and SQL authorization example":
"DERBY_LIB is DERBY_HOME/lib" -> "DERBY_LIB is the directory which holds
the Derby jar files, typically DERBY_HOME/lib"
Thanks,
-Rick
> Document the NATIVE authentication scheme.
> ------------------------------------------
>
> Key: DERBY-5522
> URL: https://issues.apache.org/jira/browse/DERBY-5522
> Project: Derby
> Issue Type: Improvement
> Components: Documentation
> Affects Versions: 10.9.0.0
> Reporter: Rick Hillegas
> Assignee: Kim Haase
> Attachments: CreateNativeUsers.java, CreateNativeUsers.java,
> DERBY-5522-devguide-2.diff, DERBY-5522-devguide-2.stat,
> DERBY-5522-devguide-2.zip, DERBY-5522-devguide.diff,
> DERBY-5522-devguide.stat, DERBY-5522-devguide.zip, DERBY-5522-ref.diff,
> DERBY-5522-ref.stat, DERBY-5522-ref.zip, NativeAuthExampleClient1.java,
> NativeAuthExampleClient2.java, NativeAuthExampleEmbedded.java,
> NativeAuthExampleEmbedded.java, NativeAuthExampleEmbedded.java,
> NativeAuthExampleEmbedded.java, NativeAuthExampleEmbedded.java,
> NativeAuthExampleEmbedded.java, NativeAuthenticationExample.java,
> NativeAuthenticationExample.java, NativeAuthenticationExample.java,
> NativeAuthenticationExample.java, NativeAuthenticationExample.java,
> UseNativeUsers.java, UseNativeUsers.java, derby.log
>
>
> We should document NATIVE authentication after we have implemented the
> changes described on DERBY-866. The documentation changes are described by
> the functional spec UserManagement.html attached to that issue.
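
The conversion and user-management points raised in the comment above, gathered into one ij session as an added example (not part of the original message or of the Derby guides). It assumes an existing database created with no authentication, so the database owner is APP; all passwords, the user FRED's new password values, and the 30-day lifetime are constructed placeholders.

```sql
-- Constructed walk-through; run in ij while connected to the existing
-- database as its owner (APP) under the old, unauthenticated scheme.

-- 1) The first credentials stored must be the DBO's. Storing them turns on
--    NATIVE authentication the next time the database is booted, and it
--    cannot be turned off afterwards.
CALL SYSCS_UTIL.SYSCS_CREATE_USER('APP', 'placeholder-dbo-password');

-- 2) Add the remaining users. The user name is an authorization id, so
--    uppercase names are used to avoid case confusion; passwords are
--    case-sensitive.
CALL SYSCS_UTIL.SYSCS_CREATE_USER('FRED', 'fredpassword');

-- 3) Password expiry (values are assumptions for this example).
--    Lifetime: 30 days = 2592000000 ms. Threshold: 0.125.
--    Derby warns at login once the remaining lifetime drops below
--    0.125 * 2592000000 = 324000000 ms (3.75 days).
CALL SYSCS_UTIL.SYSCS_SET_DATABASE_PROPERTY(
    'derby.authentication.native.passwordLifetimeMillis', '2592000000');
CALL SYSCS_UTIL.SYSCS_SET_DATABASE_PROPERTY(
    'derby.authentication.native.passwordLifetimeThreshold', '0.125');

-- Shut down and reboot the database here; connections must now supply
-- credentials stored above.

-- 4) Connected as FRED: a user changes her own password.
CALL SYSCS_UTIL.SYSCS_MODIFY_PASSWORD('placeholder-new-fred-password');

-- 5) Connected as the DBO (APP): replace a password that has expired or
--    been forgotten.
CALL SYSCS_UTIL.SYSCS_RESET_PASSWORD('FRED', 'placeholder-temporary-password');

-- 6) Connected as the DBO: remove a user's credentials. The same call with
--    'APP' is expected to fail, because the DBO's credentials cannot be
--    dropped.
CALL SYSCS_UTIL.SYSCS_DROP_USER('FRED');
```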