DB2 UDB Security Plug-in Overview

A security plug-in is a dynamically loadable library that is invoked when the DB2 UDB authenticates or looks for a user from a group member. Prior to version 8.2, these operations were managed by facilities other than DB2 UDB, such as the operating system, the domain manager, or the Kerberos security system. Figure 1 provides a scenario that illustrates how DB2 UDB security Works before version 8.2. The next section describes the changes that occurred in version 8.2. Figure 1. Security scene 498) this.width=498 ' OnMouseWheel = ' javascript:return big (This) ' height=236 alt= security Scenario src= '/files/uploadimg/ 20061213/1741050.gif "Width=550> Figure 1 illustrates 4 security scenarios: Security Considerations when the client system connects to the database through the server system. On the left-hand side of Figure 1, a user emits the statement connect to MyDB user Raul using RAULPSW in the command line Processor (CLP) window of the DB2 client system to connect to the database DB2 on Aries database server MyDB. DB2 the client communicates with the server and negotiates which authentication method to use. For simplicity's sake, let's assume that the client uses the authentication method returned by the server. In the diagram, authentication is set to SERVER. This means that the operating system on server (I) will authenticate by checking whether the supplied user ID and password match the values stored in the operating system security database. Once the user is authenticated, DB2 obtains group membership information from the operating system. From that time on, DB2 no longer uses a user ID or password in subsequent checks; instead, DB2 uses the authorization ID (authid). Typically, Authid is an uppercase version of the user ID. Security considerations when executing SQL statements after connecting to a database. The lower-left part of Figure 1 shows a SELECT statement that is issued with a authid RAUL connection to the database MyDB. In this example, the internal DB2 security facility audits The DB2 Catalog table to confirm that Authid RAUL was granted to the table KEVIN. TABLE1 performs authorization (authorization) Checks by executing the permissions of the SELECT operation. If Authid RAUL and public are not granted this permission, DB2 checks whether the user is a few specialA member of a group (for example, SYSADM, Sysctrl, Sysmaint, or SYSMON). For each of these groups, there are Database Manager configuration (dbm cfg) parameters that can be set to the value of one operating system group. When connected, DB2 obtains the user's group information from the operating system and caches it in memory. DB2 then audits the cached data (II) to check if Authid RAUL is a member of a group in those groups. For example, if Authid is a member of the SYSADM group, the SELECT can continue, or an error message (SQLCODE-551) will be returned. Security considerations when the client enforces security. In Figure 1, if the authentication is set to client, the operating system on the client computer will implement authentication (III). The authorization check for the SELECT statement will be as follows: DB2 checks Authid RAUL from the database's DB2 catalog table for KEVIN. The SELECT permission for the TABLE1 table. If Authid RAUL and public do not have this permission, a group member check is performed. When connected, DB2 obtains group membership information from the client and caches it on the server. Security considerations when issuing instance-level commands. On the server in Figure 1, the DB2 instance owner Db2inst1 issued a command db2stop. DB2 checks whether the currently logged-on user belongs to a group defined in Sysadm_group, Sysctrl_group, or Sysmaint_group. (IV) If the user ID belongs to any of these groups, then the Db2stop command will be executed. Otherwise, an error message is returned. Depending on the instance-level operation, the user may have to belong to a group in SYSADM, Sysctrl, Sysmaint, or SYSMON. In each of these scenarios, the operating system is invoked for security checks. Starting with version 8.2, you can use security plug-ins for each of these scenarios. Thus, you do not have to always invoke the operating system, you can invoke the server and group Plug-ins in Scenario 1, you can invoke the group Plug-ins in Scenario 2, and the client and group Plug-ins can be invoked in scenario 3 and Scenario 4. This example describes three types of security Plug-ins: Server-side authentication security plug-in (that is, server Authentication plug-in) client Authentication security plug-in (that is, client authentication plug-in) group member lookup Security plug-in (that is, group plug-in) the server Authentication plug-in performs authentication on the database server. It is also used to check whether a authid is known to the plug-in. For example, considerSQL statement grant Select on table User1.t1 to FOO,DB2 does not know whether FOO is a user or a group. In this case, DB2 asks all server-side Plug-ins and group member Plug-ins to check whether FOO is a user or group, or both, or not, so that the SQL statement can be responded to. The client authentication plug-in performs authentication on the client computer. It is also used to perform instance-level local authorization when executing instance-level commands such as Db2start, Db2stop, DB2TRC, update dbm CFG, and so on. As a result, you can often see that both client Authentication plug-ins and server authentication plug-ins are specified on a database server. The Group plug-in performs group member lookups on both the client and the database server. It is also used to check whether a authid is known to the plug-in. Each security plug-in consists of a set of APIs that need to be implemented. DB2 provides a security plug-in infrastructure and some default security plug-ins. The implementation of a custom security plug-in is up to your discretion. Responsible Editor Zhao Zhaoyi#51cto.com TEL: (010) 68476636-8001 to force (0 Votes) Tempted (0 Votes) nonsense (0 Votes) Professional (0 Votes) The title party (0 Votes) passing (0 Votes) Text: DB2 UDB Security Plug-in overview back to network security home