[ https://issues.apache.org/jira/browse/DERBY-2470?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#action_12484573 ]

Dag H. Wanvik commented on DERBY-2470:
--------------------------------------

Discussed this issue a bit with Rick offline, and came to the conclusion
that this action should probably be protected by system privileges. The
reasoning is as follows: a) If there is no database at the url location,
this is really a create database operation. b) If there is an existing
database in the url location, the operation involves more than a single
database: Only the latter seems the right scope for database level
privileges.

If one did consider checking against database level (owner) privileges,
which database image should determine the ownership of the database, the
backup or the url image? (While we cannot change ownership right now, that
might change.) It seems cleaner to me to make this a system level privilege
(DERBY-2109).

Linking this issue to DERBY-2109 for reference.



> No authentication required to restore a backup
> ----------------------------------------------
>
>                 Key: DERBY-2470
>                 URL: https://issues.apache.org/jira/browse/DERBY-2470
>             Project: Derby
>          Issue Type: Bug
>          Components: Security
>    Affects Versions: 10.2.2.0
>         Environment: Java 1.6.0-b105
> Linux 2.6.20 i686
>            Reporter: Juha Heljoranta
>
> My Derby has the following properties set:
> derby.connection.requireAuthentication=true
> derby.authentication.provider=BUILTIN
> derby.database.defaultConnectionMode=noAccess
> derby.database.fullAccessUsers=foo
> derby.user.foo=bar
> If I execute a restore statement from ij, the backup will be restored plus
> it gives an authentication error:
> ij> connect 'jdbc:derby:sample;restoreFrom=backup1';
> ERROR 08004: Connection refused : Invalid authentication
> If I add the user and password arguments to the url then the restore works as 
> before without the error message.

-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
