[#DERBY-4128] Failure in ServerPropertiesTest due to java.security.AccessControlException on the server side, in 10.4 to 10.5.1. soft upgrade mode

Derby

Failure in ServerPropertiesTest due to java.security.AccessControlException on the server side, in 10.4 to 10.5.1. soft upgrade mode

Created: 27/Mar/09 07:56 PM Updated: 01/Jul/09 04:16 PM

Component/s:

Test

Affects Version/s:

None

Fix Version/s:

10.5.1.1, 10.6.0.0

Time Tracking:

Not Specified

File Attachments:

File Name	Date Attached	Attached By	Size
d4128.diff	2009-04-08 09:07 AM	Knut Anders Hatlen	2 kB
derby-4128_kmarsden_diff.txt	2009-04-08 10:35 PM	Kathey Marsden	8 kB
derby-4128_part2_diff.txt	2009-04-10 03:29 PM	Kathey Marsden	0.8 kB

Environment:

Windows Vista 64, Sun JDK 1.6.0_10, Junit 3.8.2

Issue Links:

Blocker

This issue blocks:

DERBY-4153 Document that starting with 10.5 network server will attempt to create the trace directory if it does not exist

Reference

This issue is related to:

~~DERBY-3701~~ java.lang.Exception: DRDA_UnableToAccept.S:Unable to accept connections and client hang if tracing is turned on but traceDirectory does not exist

Urgency:	Urgent
Issue & fix info:	Patch Available
Bug behavior facts:	Regression Test Failure, Regression
Resolution Date:	10/Apr/09 06:01 PM

Description

« Hide

Soft upgrade from 10.4.2.0 to 10.5.1.0 (RC1).

This test fails when run under suites.All as well as by itself.

Steps to reproduce
---------------------------
Steps followed are as follows.
1. Run setEmbeddedCP.bat from version 10.4.2.0's bin folder
2. In a test folder run ij
3. create system/wombat database.
     ij> connect 'jdbc:derby:system/wombat;create=true';
4. exit ij
5. Copy the 10.5.1.0 derby jars (from lib folder) and the derbyTesting.jar from 10.4.2.0 to the test folder and set classpath with them (including junit and ORO)
6. Run test
      java -Xmx512M -Xms512M -Dderby.tests.trace=true junit.textui.TestRunner org.apache.derbyTesting.functionTests.tests.derbynet.ServerPropertiesTest
-------------------------------

The test failure stack trace is
---------------------------------------
testToggleTrace(org.apache.derbyTesting.functionTests.tests.derbynet.ServerPropertiesTest)junit.framework.AssertionFailedError: expected:<0> but was:<1>
        at org.apache.derbyTesting.junit.BaseTestCase.assertExecJavaCmdAsExpected(BaseTestCase.java:505)
        at org.apache.derbyTesting.functionTests.tests.derbynet.ServerPropertiesTest.assertSuccessfulCmd(ServerPropertiesTest.java:389)
        at org.apache.derbyTesting.functionTests.tests.derbynet.ServerPropertiesTest.testToggleTrace(ServerPropertiesTest.java:586)
        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
        at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
        at org.apache.derbyTesting.junit.BaseTestCase.runBare(BaseTestCase.java:102)
        at junit.extensions.TestDecorator.basicRun(TestDecorator.java:24)
        at junit.extensions.TestSetup$1.protect(TestSetup.java:21)
        at junit.extensions.TestSetup.run(TestSetup.java:25)
        at org.apache.derbyTesting.junit.BaseTestSetup.run(BaseTestSetup.java:57)
        at junit.extensions.TestDecorator.basicRun(TestDecorator.java:24)
        at junit.extensions.TestSetup$1.protect(TestSetup.java:21)
        at junit.extensions.TestSetup.run(TestSetup.java:25)
        at junit.extensions.TestDecorator.basicRun(TestDecorator.java:24)
        at junit.extensions.TestSetup$1.protect(TestSetup.java:21)
        at junit.extensions.TestSetup.run(TestSetup.java:25)
        at junit.extensions.TestDecorator.basicRun(TestDecorator.java:24)
        at junit.extensions.TestSetup$1.protect(TestSetup.java:21)
        at junit.extensions.TestSetup.run(TestSetup.java:25)

The Server's log shows this exception.
----------------------------------------------------
2009-03-27 19:13:54.754 GMT : Apache Derby Network Server - 10.5.1.0 - (757599) started and ready to accept connections on port 1527
2009-03-27 19:13:55.475 GMT : access denied (java.io.FilePermission D:\projects\derby-testing\test-10.4-3\system read)
java.security.AccessControlException: access denied (java.io.FilePermission D:\projects\derby-testing\test-10.4-3\system read)
at java.security.AccessControlContext.checkPermission(AccessControlContext.java:323)
at java.security.AccessController.checkPermission(AccessController.java:546)
at java.lang.SecurityManager.checkPermission(SecurityManager.java:532)
at java.lang.SecurityManager.checkRead(SecurityManager.java:871)
at java.io.File.exists(File.java:731)
at java.io.File.mkdirs(File.java:1181)
at org.apache.derby.impl.drda.DssTrace$1.run(Unknown Source)
at java.security.AccessController.doPrivileged(Native Method)
at org.apache.derby.impl.drda.DssTrace.startComBufferTrace(Unknown Source)
at org.apache.derby.impl.drda.Session.initTrace(Unknown Source)
at org.apache.derby.impl.drda.Session.setTraceOn(Unknown Source)
at org.apache.derby.impl.drda.NetworkServerControlImpl.setTrace(Unknown Source)
at org.apache.derby.impl.drda.NetworkServerControlImpl.processCommands(Unknown Source)
at org.apache.derby.impl.drda.DRDAConnThread.sessionInitialState(Unknown Source)
at org.apache.derby.impl.drda.DRDAConnThread.run(Unknown Source)

Description

Soft upgrade from 10.4.2.0 to 10.5.1.0 (RC1). This test fails when run under suites.All as well as by itself. Steps to reproduce --------------------------- Steps followed are as follows. 1. Run setEmbeddedCP.bat from version 10.4.2.0's bin folder 2. In a test folder run ij 3. create system/wombat database. ij> connect 'jdbc:derby:system/wombat;create=true'; 4. exit ij 5. Copy the 10.5.1.0 derby jars (from lib folder) and the derbyTesting.jar from 10.4.2.0 to the test folder and set classpath with them (including junit and ORO) 6. Run test java -Xmx512M -Xms512M -Dderby.tests.trace=true junit.textui.TestRunner org.apache.derbyTesting.functionTests.tests.derbynet.ServerPropertiesTest ------------------------------- The test failure stack trace is --------------------------------------- testToggleTrace(org.apache.derbyTesting.functionTests.tests.derbynet.ServerPropertiesTest)junit.framework.AssertionFailedError: expected:<0> but was:<1> at org.apache.derbyTesting.junit.BaseTestCase.assertExecJavaCmdAsExpected(BaseTestCase.java:505) at org.apache.derbyTesting.functionTests.tests.derbynet.ServerPropertiesTest.assertSuccessfulCmd(ServerPropertiesTest.java:389) at org.apache.derbyTesting.functionTests.tests.derbynet.ServerPropertiesTest.testToggleTrace(ServerPropertiesTest.java:586) at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39) at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25) at org.apache.derbyTesting.junit.BaseTestCase.runBare(BaseTestCase.java:102) at junit.extensions.TestDecorator.basicRun(TestDecorator.java:24) at junit.extensions.TestSetup$1.protect(TestSetup.java:21) at junit.extensions.TestSetup.run(TestSetup.java:25) at org.apache.derbyTesting.junit.BaseTestSetup.run(BaseTestSetup.java:57) at junit.extensions.TestDecorator.basicRun(TestDecorator.java:24) at junit.extensions.TestSetup$1.protect(TestSetup.java:21) at junit.extensions.TestSetup.run(TestSetup.java:25) at junit.extensions.TestDecorator.basicRun(TestDecorator.java:24) at junit.extensions.TestSetup$1.protect(TestSetup.java:21) at junit.extensions.TestSetup.run(TestSetup.java:25) at junit.extensions.TestDecorator.basicRun(TestDecorator.java:24) at junit.extensions.TestSetup$1.protect(TestSetup.java:21) at junit.extensions.TestSetup.run(TestSetup.java:25) The Server's log shows this exception. ---------------------------------------------------- 2009-03-27 19:13:54.754 GMT : Apache Derby Network Server - 10.5.1.0 - (757599) started and ready to accept connections on port 1527 2009-03-27 19:13:55.475 GMT : access denied (java.io.FilePermission D:\projects\derby-testing\test-10.4-3\system read) java.security.AccessControlException: access denied (java.io.FilePermission D:\projects\derby-testing\test-10.4-3\system read) at java.security.AccessControlContext.checkPermission(AccessControlContext.java:323) at java.security.AccessController.checkPermission(AccessController.java:546) at java.lang.SecurityManager.checkPermission(SecurityManager.java:532) at java.lang.SecurityManager.checkRead(SecurityManager.java:871) at java.io.File.exists(File.java:731) at java.io.File.mkdirs(File.java:1181) at org.apache.derby.impl.drda.DssTrace$1.run(Unknown Source) at java.security.AccessController.doPrivileged(Native Method) at org.apache.derby.impl.drda.DssTrace.startComBufferTrace(Unknown Source) at org.apache.derby.impl.drda.Session.initTrace(Unknown Source) at org.apache.derby.impl.drda.Session.setTraceOn(Unknown Source) at org.apache.derby.impl.drda.NetworkServerControlImpl.setTrace(Unknown Source) at org.apache.derby.impl.drda.NetworkServerControlImpl.processCommands(Unknown Source) at org.apache.derby.impl.drda.DRDAConnThread.sessionInitialState(Unknown Source) at org.apache.derby.impl.drda.DRDAConnThread.run(Unknown Source)

Show »

All

Comments

Work Log

Change History

Subversion Commits

Sort Order:

[ Permlink | « Hide ]

Suran Jayathilaka added a comment - 27/Mar/09 07:58 PM

Linking as the issues might be related.

[ Permlink | « Hide ]

Kathey Marsden added a comment - 27/Mar/09 08:02 PM

~~DERBY-3701~~ had a different fix for 10.5 than the older branches. In 10.5 it attempts to create the trace directory if it doesn't exist. I am not sure yet, whether it requires a code change, default policy change, or just needs a 10.5 specific release note. I will investigate.

[ Permlink | « Hide ]

Kathey Marsden added a comment - 31/Mar/09 07:23 PM

I think there is a real bug here. It seems to be trying to make the directory even when the trace directory is not specified and we need to put the trace file in the default directory. That is not correct. I don't think it is a show stopper for the release, but it sure would be nice to get it fixed, so as not to regress the product. I will post when I have a fix.

[ Permlink | « Hide ]

Kathey Marsden added a comment - 31/Mar/09 11:27 PM

I discovered that the change to the policy file and addition of the new permission requirement came later than ~~DERBY-3701~~, with the removal of the PrivilegedFileOps class in ~~DERBY-2556~~ (svn 691576) . I am not sure yet why that change made the new permission necessary or more specifically why it wasn't necessary with just the ~~DERBY-3701~~ change. Looking ...

[ Permlink | « Hide ]

Kathey Marsden added a comment - 01/Apr/09 05:02 PM

The reason for the permission change in ~~DERBY-2556~~ was because the mkdirs logic moved from derby.jar to derbynet.jar, so derbynet.jar now needed the permissions. Still, we shouldn't require the permission if the trace is in the default location which already exists, so I will look at fixing that under this issue.

[ Permlink | « Hide ]

Kathey Marsden added a comment - 07/Apr/09 04:41 PM

Well, I can fix it so that it won't need read permission, just write permission if the trace directory is in user.dir or derby.system.home, because we know they exists, but for other directories, even if they exist, we will have to add the requirement that the user grant read as well as write permission to the trace directory to derbynet.jar.

Is this acceptable, or should I just revert back to the old behavior where it only needs write permission and will just fail if the directory does not exist? The downside is that the user will have to create the trace directory themselves instead of Derby doing it for them.

[ Permlink | « Hide ]

Myrna van Lunteren added a comment - 07/Apr/09 05:43 PM

If I understand correctly, we're talking about a bit of an edge case - the case where a user has got traceDirectory set, the directory exists, they've got read and write permissions for derby.jar to the directory, but they've got write, but not read permissions in the policy file for derbynet.jar to the directory?

I think it would be acceptable to introduce the incompatibility of requiring the users to modify the policy files...It will only be for as long as they have traceDirectory on, which you probably wouldn't do for a production environment.
I think forcing a user to create the trace directory is a bigger incompatibility.

But, do you need read permission to create a directory? Or would that overwrite what's in the directory if it exists?

[ Permlink | « Hide ]

Knut Anders Hatlen added a comment - 08/Apr/09 09:12 AM

Does the attached patch d4128.diff help on this problem? It attempts to create the directory with mkdir() first, and only if that doesn't work, it attempts mkdirs(). Since mkdir() doesn't require read permission, it will work without read permission if the parent directory already exists, and it will still create the directory if the parent directory doesn't exist and the required read permission has been granted.

[ Permlink | « Hide ]

Knut Anders Hatlen added a comment - 08/Apr/09 09:15 AM

By the way, that was the same approach we ended up with in ~~DERBY-2673~~.

[ Permlink | « Hide ]

Knut Anders Hatlen added a comment - 08/Apr/09 02:39 PM

My patch broke NetworkServerControlApiTest, GetCurrentPropertiesTest and SecureServerTest, so that's apparently *not* the way to fix it...

[ Permlink | « Hide ]

Kathey Marsden added a comment - 08/Apr/09 03:12 PM

I think it might be part of the solution though. I think the problem is that mkdir() will return false if the directory already exists, so we proceed to the mkdirs() call.

This morning it occurred to me that maybe we can use File.canWrite() to determine if the trace directory exists and is writable without needing read permission and then only if that returns false try the mkdir/mkdirs().

I'll try that.

Kathey

[ Permlink | « Hide ]

Kathey Marsden added a comment - 08/Apr/09 05:53 PM

Nope using traceDirectory.canWrite() won't work either because it still requires a new permission if the directory already existed. I think the only way to do this without creating a need for a new permission is to try to make the trace file and then if that fails, try to make the directory. I will try that next.

[ Permlink | « Hide ]

Kathey Marsden added a comment - 08/Apr/09 10:35 PM - edited

ok. Here I think is a trunk patch which has the minimal required permissions (derby-4128_kmarsden_diff.txt) If the trace directory already exists, it still only requires write permission on the contents of the directory. The patch attempts to make the trace file and if that fails on the first try with a FileNotFoundException, it will attempt to make the directory and try again.

SystemPropertiesTest and NetworkServerControlApiTest pass with the 10.4.2.0 derbyTesting.jar. Running trunk tests now.

We need to document that tracing will now attempt to create the directory and the permissions needed to do that. I will open an issue for that, but I don't see that it will cause any regression or require a release note, because turning on tracing where the directory did not exist would always fail before 10.5.

[ Permlink | « Hide ]

Kathey Marsden added a comment - 09/Apr/09 06:54 PM

Regression tests passed. Please review. I tried to do a soft upgrade run on trunk, but that doesn't seem to be possible without the upgrade logic in yet. I did run the 10.4.2.0 tests against 10.5 and saw no permissions related issues and 10.4.2.0 ServerPropertiesTest and NetworkServerControlApiTest now pass when run against 10.5.

[ Permlink | « Hide ]

Kathey Marsden added a comment - 10/Apr/09 03:29 PM

I noticed an issue with the patch I checked in yesterday for this issue. With the patch, we would not break out of the loop if we successfully created the trace file on the first try, so would create it a second time. I will commit the attached patch (derby-4128_part2_diff.txt) after running tests to correct that problem.

[ Permlink | « Hide ]

Kathey Marsden added a comment - 10/Apr/09 06:01 PM

Checked in fix to trunk and 10.5 branch. Thank you Suran for finding this issue.