
Allow dynamic reloading of the security policy file

    Details

    • Type: Improvement
    • Status: Closed
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: None
    • Fix Version/s: 10.3.1.4
    • Component/s: Miscellaneous
    • Labels:
      None
    • Bug behavior facts:
      Security

      Description

      The spec attached to DERBY-2109 describes how to allow the policy file to be dynamically reloaded while a server is running: We add a getPolicy permission to the Basic policy and we add a DBA-owned system procedure, SYSCS_UTIL.SYSCS_REFRESH_SECURITY_POLICY(), which reloads the policy file. This JIRA tracks that work.

      1. derby-2466-01.diff
        37 kB
        Rick Hillegas
      2. derby-2466-02.diff
        4 kB
        Rick Hillegas
      3. derby-2466-03.diff
        0.9 kB
        Rick Hillegas
      4. derby-2466-04.diff
        3 kB
        Rick Hillegas
      5. derby-2466-05.diff
        1 kB
        Rick Hillegas

          Activity

          Rick Hillegas created issue -
          Rick Hillegas made changes -
          Field Original Value New Value
          Link This issue is part of DERBY-2109 [ DERBY-2109 ]
          Daniel John Debrunner added a comment -

          Shouldn't the name be SYSCS_RELOAD_SECURITY_POLICY, not refresh? Refresh implies that the actual policy file is being changed by this procedure.

          Rick Hillegas added a comment -

          I'm fine with SYSCS_RELOAD_SECURITY_POLICY. I will update the spec later to reflect this.

          Rick Hillegas added a comment -

          Attaching patch for this feature. This patch adds a system procedure for reloading the security policy file. This patch also adds a regression test which verifies that only the DBA can reload the policy file and only if the getPolicy() permission has been granted by the already-loaded policy.

          This patch touches the following files:

          M java/engine/org/apache/derby/impl/sql/catalog/DataDictionaryImpl.java
          M java/engine/org/apache/derby/impl/jdbc/Util.java
          M java/engine/org/apache/derby/catalog/SystemProcedures.java

          Wire the new procedure into our SQL machinery.

          M java/engine/org/apache/derby/loc/messages.xml
          M java/shared/org/apache/derby/shared/common/reference/SQLState.java

          Add a new error message, provoked when the procedure is called but getPolicy() wasn't granted.

          M java/drda/org/apache/derby/drda/server.policy

          Add getPolicy() privilege to the Basic policy file loaded by the secure server.

          A java/testing/org/apache/derbyTesting/functionTests/tests/lang/SecurityPolicyReloadingTest.modified.policy
          A java/testing/org/apache/derbyTesting/functionTests/tests/lang/SecurityPolicyReloadingTest.unreloadable.policy
          A java/testing/org/apache/derbyTesting/functionTests/tests/lang/SecurityPolicyReloadingTest.java
          M java/testing/org/apache/derbyTesting/functionTests/tests/lang/_Suite.java
          A java/testing/org/apache/derbyTesting/functionTests/tests/lang/SecurityPolicyReloadingTest.initial.policy

          Wire the new unit test into our JUnit machinery.

          M java/testing/org/apache/derbyTesting/functionTests/util/derby_tests.policy

          Add getPolicy() permission to the default testing policy.

          M java/testing/org/apache/derbyTesting/junit/BaseTestCase.java
          M java/testing/org/apache/derbyTesting/junit/SecurityManagerSetup.java

          Make it possible for the decorators to unload the security manager and load a new one with a different policy file.

          M java/testing/org/apache/derbyTesting/junit/TestConfiguration.java

          Replace some magic strings with a constant and make the DBO's name public. Also add a privilege execution block around a case exposed by the new test.

          M java/testing/org/apache/derbyTesting/junit/SupportFilesSetup.java

          Replace some magic strings with constants and make them public.

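As an added illustration, not Derby's own code, of the gating the issue description and the patch comment lay out: a reload that only the DBA may invoke and that succeeds only when the already-loaded policy grants getPolicy. The owner lookup and the outcome names are assumptions standing in for Derby's DBA check and the new error message; the policy grant shown in the comment is the standard Java syntax for the permission the thread discusses.

```java
// Added example (not Derby's code): how a DBA-only policy reload is gated
// on the getPolicy permission of the policy that is already loaded.
//
// The customized policy file (the template, not the server's Basic policy,
// per the thread's resolution) needs a grant such as:
//   grant codeBase "file:/path/to/derby.jar" {
//       permission java.security.SecurityPermission "getPolicy";
//   };
import java.security.Policy;
import java.security.SecurityPermission;

public class PolicyReloadSketch {

    /** Assumed: the database owner's name, looked up by the engine elsewhere. */
    private final String databaseOwner;

    public PolicyReloadSketch(String databaseOwner) {
        this.databaseOwner = databaseOwner;
    }

    /** Assumed outcome names standing in for the SQLStates the patch adds. */
    public enum Outcome { RELOADED, NOT_DBA, GET_POLICY_NOT_GRANTED, NO_SECURITY_MANAGER }

    public Outcome reloadSecurityPolicy(String caller) {
        // First gate: only the DBA may reload the policy.
        if (!databaseOwner.equals(caller)) {
            return Outcome.NOT_DBA;
        }
        // Without a security manager there is no policy in force to reload.
        SecurityManager sm = System.getSecurityManager();
        if (sm == null) {
            return Outcome.NO_SECURITY_MANAGER;
        }
        // Second gate: Policy.getPolicy() itself demands SecurityPermission("getPolicy");
        // checking explicitly turns the SecurityException into a clear, reportable outcome.
        try {
            sm.checkPermission(new SecurityPermission("getPolicy"));
        } catch (SecurityException denied) {
            return Outcome.GET_POLICY_NOT_GRANTED;
        }
        // refresh() re-reads the policy file(s) named by java.security.policy,
        // so edits made on disk take effect without restarting the server.
        Policy.getPolicy().refresh();
        return Outcome.RELOADED;
    }
}
```

If getPolicy is absent from the policy currently loaded, the second gate fails and the policy on disk is never re-read, which is exactly the case the regression test in the patch covers.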
          Rick Hillegas made changes -
          Attachment derby-2466-01.diff [ 12354096 ]
          Daniel John Debrunner added a comment -

          M java/drda/org/apache/derby/drda/server.policy

          Add getPolicy() privilege to the Basic policy file loaded by the secure server.

          Why is this needed? The builtin policy cannot change, so why is there any need to re-load it?

          Rick Hillegas added a comment -

          Hi Dan,

          In my mind, the Basic server policy has two purposes:

          1) It captures the basic permissions needed to run the server under a security manager.

          2) It is the customizable template which users copy then edit in order to fit Derby into their secure runtime environment.

          I agree that the getPolicy() permission is not needed for the first purpose. However, it's good to have it for the second purpose because it brings this issue to customers' attention: they will need this permission if they want to change their customized policies on the fly.

          Daniel John Debrunner added a comment -

          I think having the same policy file for a secure environment and a template is not a good approach.

          It leads to additional security analysis for the secure environment, e.g. in this case how does the getPolicy permission affect security? If it isn't there, then there's no need to worry about it.
          It can lead to lower security for the secure environment if the entries only for template purposes can somehow be abused.

          It's not like there's a huge amount of effort in creating a different template file, the contents are not that complex.

          Rick Hillegas added a comment -

          I can separate (1) from (2) and create a different template file. As we add new Derby permissions, we will have to remember to add them to both files.

          In the interests of not muddying this initial patch, I propose to make these changes in follow-on submissions:

          1) Create the new template file.

          2) Adjust the release-build scripts so that the template policy rather than the Basic policy is copied to demo/templates/server.policy

          3) Make appropriate changes to the Secure Server spec (DERBY-2196) and System Privileges (DERBY-2109) spec.

          4) Adjust the user guides to reflect the separation of (1) from (2).

          Rick Hillegas added a comment -

          Committed the first patch at subversion revision 522515.

          Rick Hillegas added a comment -

          Commit derby-2466-02.diff at subversion revision 522579. This creates a separate template policy file exposed when we build a release. This patch removes the getPolicy() permission from the server's Basic policy.

          Rick Hillegas made changes -
          Attachment derby-2466-02.diff [ 12354235 ]
          Rick Hillegas made changes -
          Link This issue incorporates DERBY-2489 [ DERBY-2489 ]
          Rick Hillegas added a comment -

          Committed derby-2466-03.diff at subversion revision 522982. This causes the SecurityPolicyReloadingTest to only run against jar files. Touches the following file:

          M java/testing/org/apache/derbyTesting/functionTests/tests/lang/SecurityPolicyReloadingTest.java

          Rick Hillegas made changes -
          Attachment derby-2466-03.diff [ 12354332 ]
          Rick Hillegas added a comment -

          Committed derby-2466-04.diff at subversion revision 523399. This adds an upgrade test for the creation of the new policy-reloading procedure. Test runs successfully when upgrading from the following releases: 10.1.1.0 10.1.2.1 10.1.3.1 10.2.1.6 10.2.2.0.

          Rick Hillegas made changes -
          Attachment derby-2466-04.diff [ 12354452 ]
          Rick Hillegas added a comment -

          Attaching derby-2466-05.diff, which I committed at subversion revision 524252. This attempts to fix an NPE in the SecurityPolicyReloadingTest setup, which I am unable to reproduce but which turns up in some environments, including the tinderbox.

          Rick Hillegas made changes -
          Attachment derby-2466-05.diff [ 12354633 ]
          Rick Hillegas added a comment -

          I believe this work is done.

          Rick Hillegas made changes -
          Resolution Fixed [ 1 ]
          Status Open [ 1 ] Resolved [ 5 ]
          Rick Hillegas made changes -
          Status Resolved [ 5 ] Closed [ 6 ]
          Dag H. Wanvik made changes -
          Derby Categories [Security]
          Dag H. Wanvik made changes -
          Component/s Security [ 11411 ]
          Dag H. Wanvik made changes -
          Issue Type New Feature [ 2 ] Improvement [ 4 ]
          Rick Hillegas made changes -
          Component/s Miscellaneous [ 11400 ]
          Gavin made changes -
          Workflow jira [ 12399912 ] Default workflow, editable Closed status [ 12800212 ]

            People

            • Assignee:
              Rick Hillegas
              Reporter:
              Rick Hillegas