[ 
https://issues.apache.org/jira/browse/DERBY-3462?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12578822#action_12578822
 ] 

Daniel John Debrunner commented on DERBY-3462:
----------------------------------------------

> an attempt to understand the relationship between the new system permissions 
> and MBeanPermission

There is no relationship; they are independent permissions.

It's a multi-step process for a JMX client using an MBean.

1) Get a handle to an MBean. This requires MBeanPermission in various forms, 
depending on how the MBean is obtained. This is standard JMX, the permissions 
are described in the javadoc for MBeanServerConnection.

2) Get/set an attribute or invoke an operation - This requires MBeanPermission 
in various different forms from step 1, e.g. the "Invoke" action on the 
target-name.

Note MBeanPermission allows fine-grained control, the target-name is the 
{classname,field,ObjectName} for the MBean and supports patterns. Thus I can 
give a user the ability to only invoke a specific operation on a single 
DerbyMBean, or just get attributes on all Derby MBeans, or only find 
VersionMBeans and perform gets on those, or access all Derby's MBeans etc.

3) Get a Derby attribute or invoke an operation - This requires the Derby 
permission specific to that capability, at the moment it's one form of 
SystemPermission. With future capabilities it might require a database level 
GRANT/REVOKE permission.

Note that this mimics what JMX does with its platform MBeans.

> Require new permissions in o.a.d.security.SystemPermission to allow control 
> to Derby's JMX management and to ensure information is not leaked through JMX
> ---------------------------------------------------------------------------------------------------------------------------------------------------------
>
>                 Key: DERBY-3462
>                 URL: https://issues.apache.org/jira/browse/DERBY-3462
>             Project: Derby
>          Issue Type: Sub-task
>          Components: JMX, Security
>            Reporter: Daniel John Debrunner
>            Priority: Minor
>
> Plan is to implement proposal defined in:
> http://wiki.apache.org/db-derby/JMXSecurityExpectations#head-de15a7e9d474784775933965fe963b6ac46e7ad0
> E.g.
> jmxControl for the ability to call the operations on ManagementMBean.

-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
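
The pattern matching on the MBeanPermission target-name described in steps 1 and 2 can be checked with the standard `javax.management` classes; the following is an added example, not part of the original comment or of Derby's code. The class names, ObjectNames, operation and attribute names are constructed sample values, and the Derby-level check from step 3 (SystemPermission) is a separate permission that this sketch does not model.

```java
import javax.management.MBeanPermission;
import javax.management.ObjectName;

public class MBeanPermissionPatterns {
    // Constructed sample values (assumptions, not taken from the comment).
    static final String MGMT = "org.apache.derby.mbeans.ManagementMBean";
    static final String VERSION = "org.apache.derby.mbeans.VersionMBean";
    static final String MGMT_NAME = "org.apache.derby:type=Management,system=s1";
    static final String VERSION_NAME = "org.apache.derby:type=Version,jar=derby.jar,system=s1";

    // The permission an MBean server would require for one concrete request.
    static MBeanPermission request(String cls, String member, String name, String action)
            throws Exception {
        return new MBeanPermission(cls, member, new ObjectName(name), action);
    }

    // Prints whether the granted permission covers the required one.
    static void show(String label, MBeanPermission granted, MBeanPermission required) {
        System.out.printf("%-40s %s%n", label, granted.implies(required) ? "allowed" : "denied");
    }

    public static void main(String[] args) throws Exception {
        // Grant A: invoke one specific operation on the management MBean only.
        MBeanPermission invokeOne = new MBeanPermission(
                MGMT + "#startManagement[org.apache.derby:type=Management,*]", "invoke");
        // Grant B: read attributes on every MBean in the org.apache.derby domain.
        MBeanPermission readAll = new MBeanPermission(
                "org.apache.derby.*#*[org.apache.derby:*]", "getAttribute");
        // Grant C: find version MBeans and read their attributes, nothing else.
        MBeanPermission versionOnly = new MBeanPermission(
                VERSION + "#*[org.apache.derby:type=Version,*]", "queryMBeans,getAttribute");

        show("A: invoke startManagement", invokeOne,
                request(MGMT, "startManagement", MGMT_NAME, "invoke"));
        show("A: invoke stopManagement", invokeOne,
                request(MGMT, "stopManagement", MGMT_NAME, "invoke"));
        show("B: get MajorVersion", readAll,
                request(VERSION, "MajorVersion", VERSION_NAME, "getAttribute"));
        show("B: invoke startManagement", readAll,
                request(MGMT, "startManagement", MGMT_NAME, "invoke"));
        show("C: queryMBeans for a version MBean", versionOnly,
                request(VERSION, null, VERSION_NAME, "queryMBeans"));
        show("C: get attribute on management MBean", versionOnly,
                request(MGMT, "ManagementActive", MGMT_NAME, "getAttribute"));
    }
}
```

A request that passes these checks has only cleared the JMX layer; the Derby permission for the capability is checked independently.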