Re: disable creations of new databases when running the network server

2023-09-16 Thread Rick Hillegas
You are correct. Any valid user can create as many databases as they 
want, provided that the databases are created in a part of the file 
system which is write-accessible to the engine jar and to the account 
which runs the server. There is no way to prevent a valid user from 
creating databases.


On 9/15/23 11:51 PM, fed wrote:

> Hi,
>
> My doubt is that, if I am not wrong, every user that can connect to the
> network server can create a new database and so indirectly a new directory
> in the same places where the user that runs the network server has write
> permissions.
> I would prefer to create the database not directly on the network server
> but with the embedded driver and then later make it available on the
> network server.
> Maybe it is possible to limit this behaviour via the security manager but I
> don't think this can change a lot of the behaviour.
>
> Is it possible to disable/prevent/limit this?
>
> Thanks for the help
> - fed
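
Since the reply above says creation cannot be blocked, one defensive option is to detect it: the following added example (not part of the thread, and not Derby code) scans directories that the server account can write to and reports database-shaped directories missing from an allowlist. It assumes a Derby database directory is recognizable by a `service.properties` file beside a `seg0` subdirectory; the function names, the allowlist and the sample tree are constructed for illustration.

```python
import os
import tempfile


def find_derby_databases(roots):
    """Return directories under `roots` that look like Derby databases."""
    found = set()
    for root in roots:
        for dirpath, dirnames, filenames in os.walk(root):
            # Assumed marker: service.properties next to a seg0/ directory.
            if "service.properties" in filenames and "seg0" in dirnames:
                found.add(os.path.realpath(dirpath))
                dirnames[:] = []  # do not descend into the database itself
    return found


def unexpected_databases(roots, allowlist):
    """Databases found under `roots` that are not on the approved list."""
    allowed = {os.path.realpath(p) for p in allowlist}
    return sorted(find_derby_databases(roots) - allowed)


def build_sample_tree(base):
    """Constructed sample: two database-shaped directories, one plain one."""
    for name in ("inventory", "scratch_by_user"):
        os.makedirs(os.path.join(base, name, "seg0"))
        os.makedirs(os.path.join(base, name, "log"))
        open(os.path.join(base, name, "service.properties"), "w").close()
    os.makedirs(os.path.join(base, "not_a_db"))
    return base


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as base:
        build_sample_tree(base)
        approved = [os.path.join(base, "inventory")]
        for path in unexpected_databases([base], approved):
            print("unexpected Derby database:", path)
```

Run it periodically over every location the server account can write to, not only the system home, since the reply notes that databases can be created anywhere that account has write access.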





Re: disable creations of new databases when running the network server

2023-09-16 Thread Stanimir Stamenkov via derby-user

Sat, 16 Sep 2023 08:51:39 +0200, /fed/:

> My doubt is that, if I am not wrong, every user that can connect to the
> network server can create a new database and so indirectly a new
> directory in the same places where the user that runs the network server
> has write permissions.
> I would prefer to create the database not directly on the network server
> but with the embedded driver and then later make it available on the
> network server.
> Maybe it is possible to limit this behaviour via the security manager
> but I don't think this can change a lot of the behaviour.
>
> Is it possible to disable/prevent/limit this?


That's an interesting question I'm also curious about.

I've found the following documentation references that could be explored 
while waiting for more knowledgeable respondents to chime in:


  * Configuring user authorization (Derby Security Guide) 

  * Configuring fine-grained user authorization 



If you are using LDAP authentication, then you will need to enable 
fine-grained authorization by setting the derby.database.sqlAuthorization 
property to true.


If you use NATIVE authentication, there is no need to set the 
derby.database.sqlAuthorization property. NATIVE authentication 
automatically enables fine-grained authorization.


"SQL standard authorization":

  * derby.database.sqlAuthorization (Derby Reference Manual) 



I couldn't find specific privileges about creating a database – have you 
tried if enabling "SQL standard authorization" (if not already?) 
disables this for remote access and/or non-admin users?


--
Stanimir


disable creations of new databases when running the network server

2023-09-16 Thread fed
Hi,

My doubt is that, if I am not wrong, every user that can connect to the
network server can create a new database and so indirectly a new directory
in the same places where the user that runs the network server has write
permissions.
I would prefer to create the database not directly on the network server
but with the embedded driver and then later make it available on the
network server.
Maybe it is possible to limit this behaviour via the security manager but I
don't think this can change a lot of the behaviour.

Is it possible to disable/prevent/limit this?

Thanks for the help
- fed