karaf-dev mailing list archives

From Claus Ibsen <claus.ib...@gmail.com>
Subject Re: Database commands for Karaf
Date Sun, 15 Jan 2012 09:56:45 GMT

At first thought the commands seem cool.

However one part (the SQL execute) risks introducing a security
vulnerability, as a malicious user can use these commands to access the
production database and manipulate the data. And by using the same
datasource/connection that the application uses, it's harder for the
RDBMS to control user access.
In some industries, users must *never* access a database using an
application account, but must always use their personal account (such
as health care)
to ensure that it can always be tracked who has accessed the data
(auditing). So with this new command, a malicious user can SSH into a
remote box and use the application database connection to access the
production database. And thus "hide", as the RDBMS would think it was
the application that did the SQL.

I guess this could be remedied by having the SQL execute command
require the username / password to be provided, and "somehow" create a new
connection to the application database. So it's 100% separated from the
application usage.

The other pieces of the command are nice. Being able to list the
datasources and details about their connection pools would be great.
Just as you have in JEE servers. People may expect something similar
in the world of Karaf.

Maybe a "Karaf Shell Extensions" or "Karaf App Store" :) is in order.
There could be a ton of small and custom shells being created
that people can install and use in their Karaf. I guess some targeted
at developers, and others maybe for production usage.
And having a SQL executor shell could be nice for the developer.

On Fri, Jan 13, 2012 at 5:13 PM, Christian Schneider
<chris@die-schneider.net> wrote:
> Hi all,
> as part of my Karaf Tutorial about database access I have written some handy
> Karaf shell commands for databases.
> They are described with screen dumps in my Tutorial
> http://www.liquid-reality.de/x/LYBk .
> Especially for embedded databases like derby and h2 I missed a simple access
> to the database for a long time. So I think these commands could be
> interesting for many developers.
> So I would like to add them to Karaf and also add a feature for them. Of
> course DB commands are not the core domain of Karaf so this is surely
> nothing for the Karaf minimal distro but I propose to add them to the
> standard distro.
> The reasons are simple:
> - I think many people could have use for the commands
> - They add no dependencies
> - The code is really small (just 16kb)
> Christian
> --
> Christian Schneider
> http://www.liquid-reality.de
> Open Source Architect
> Talend Application Integration Division http://www.talend.com

Claus Ibsen
Email: cibsen@fusesource.com
Web: http://fusesource.com
Twitter: davsclaus, fusenews
Blog: http://davsclaus.blogspot.com/
Author of Camel in Action: http://www.manning.com/ibsen/
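
As an added example of the separation Claus proposes above (this is not code from the thread, from Christian's commands, or from Karaf itself): the first method runs SQL on a connection borrowed from the application's pooled DataSource, so the RDBMS attributes every statement to the application account; the second refuses to run without a personal account and opens its own connection through DriverManager, independent of the application's pool. Plain JDBC only; the Karaf shell command wiring is left out. The in-memory H2 database, the H2 driver on the classpath, the account names sa and alice, and the method names are assumptions made for the demo.

```java
import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.Statement;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;
import javax.sql.DataSource;

/**
 * Two ways a shell "SQL execute" command could obtain its connection.
 * Only the second keeps the RDBMS audit trail pointing at the real operator.
 * Plain JDBC; the Karaf/OSGi command wiring is deliberately left out.
 */
public class SqlExecSeparation {

    /** Risky variant: borrows a pooled connection from the application's
     *  DataSource, so every statement is attributed to the application account. */
    static List<String> runAsApplication(DataSource appDataSource, String sql)
            throws SQLException {
        try (Connection c = appDataSource.getConnection()) {
            return execute(c, sql);
        }
    }

    /** Proposed variant: the operator must supply a personal account, and a
     *  fresh connection is opened with DriverManager, separate from the
     *  application's pool, so the RDBMS sees who really ran the SQL. */
    static List<String> runAsUser(String jdbcUrl, String user, char[] password, String sql)
            throws SQLException {
        if (user == null || user.isEmpty()) {
            throw new IllegalArgumentException("a personal database account is required");
        }
        try (Connection c = DriverManager.getConnection(jdbcUrl, user, new String(password))) {
            return execute(c, sql);
        } finally {
            Arrays.fill(password, '\0'); // do not keep the secret in memory longer than needed
        }
    }

    /** Runs one statement and renders either its rows or its update count. */
    private static List<String> execute(Connection c, String sql) throws SQLException {
        List<String> out = new ArrayList<>();
        try (Statement st = c.createStatement()) {
            if (!st.execute(sql)) {
                out.add("update count: " + st.getUpdateCount());
                return out;
            }
            try (ResultSet rs = st.getResultSet()) {
                int cols = rs.getMetaData().getColumnCount();
                while (rs.next()) {
                    StringBuilder row = new StringBuilder();
                    for (int i = 1; i <= cols; i++) {
                        if (i > 1) row.append(" | ");
                        row.append(rs.getString(i));
                    }
                    out.add(row.toString());
                }
            }
        }
        return out;
    }

    public static void main(String[] args) throws Exception {
        // Assumed demo setup (not from the thread): an in-memory H2 database with
        // the H2 driver on the classpath. "sa" plays the application account,
        // "alice" a personal account created for the operator.
        String url = "jdbc:h2:mem:karafdemo;DB_CLOSE_DELAY=-1";
        org.h2.jdbcx.JdbcDataSource appPool = new org.h2.jdbcx.JdbcDataSource();
        appPool.setURL(url);
        appPool.setUser("sa");
        appPool.setPassword("");
        runAsApplication(appPool, "CREATE USER alice PASSWORD 'secret'");

        // Same query over both code paths: the user the RDBMS records differs.
        System.out.println("via application pool: "
                + runAsApplication(appPool, "SELECT USER()"));
        System.out.println("via personal account: "
                + runAsUser(url, "alice", "secret".toCharArray(), "SELECT USER()"));
    }
}
```

The point of the demo is the last two lines: the same statement is reported by the database under the application account on the first path and under the operator's own account on the second, which is what an audit trail needs. A real command would prompt for the password rather than take it as an argument, so it does not end up in the shell history.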
