                     New Feature Analysis
                             --------------------
Author/Date: *
        Jens-Otto Larsen, 2004-06-06

Change log: *       

 Version Comments                               Date        Author       
 0.1     Initial version                        2004-06-06  J.O.L
 0.2     Comments from David and Bernt          2004-06-08  J.O.L

Synopsis: *
	Add management operation authentication

Parity or Differentiator: *
        This is not a key differentiator.  

Bug/RFE Number:               
        5058227

Requestor: *
	Heidi.Bergh-Hoff@sun.com

Feature(s) Description: *
        The management agent does not require authentication of
        connections. This will allow applications other than hadbm
        with knowledge about the agent interface to connect
        to agent and invoke operations on MBeans hosted by the agent.
        
        This feature is primarily needed to prevent disruption
        of HADB operation in a more open environment where
        applications can reach agents over the network.
        
        The situation for HADB in Appserver 7.0 and 7.1 on Solaris
        is that operations that needed remote program invocations
        were partly secured due to the requirement for a password-
        less SSH setup. Given acess to the hadbm helper programs
        cladm and cluma, and a DB cfg-file one could still interrupt
        HADB operation by stopping databases and single nodes.
   
        The feature proposal is to implement a simple authentication
        mechanism whereby management clients will need to provide
        a valid HADB management password to gain access to agents:
        * From hadbm there will be one, implicit admin user (no username).
        * The password for this admin user is set at at initial domain
          definition (through definedomain or create), or one can
          specify a no-authentication setup. 
        * The admin password must be supplied to all hadbm commands.
        * hadbm will accept passwords from a passwordfile, specified
          by an option or environment variable, from the command line,
          through an option or env. variable, or from prompting users
          (if the other specification alternatives are not given).
        * hadbm hashes passwords before transmitting them in the
          authentication interaction with the agent.
          hadbm will provide a default user "admin" for the agent.
          The hash will be as in the JDBC driver: SHA1 (FIPS PUB
          180-1) - no publicly known weaknesses.
        * The agent ConnectorServer will require a user and a password
          for all access to MBeans, and it will provide a
          challenge-response mechanism for authentication.
        * The agents will store hashed passwords locally in a file
          which is part of the agent configuration repository.
          The agents will hash (the client-hashed) password with
          a seed common to the domain before storing the password.

        Changes to the hadbm interface (see [1] for type definitions):
        * New common option "admpassword":
          - Long format: --admpassword
          - Short format: -w
          - Argument type: type:password 
          - Default value: <None>
          - Environment var: HADBM_ADMPASSWORD
        * New common option "admpasswordfile":
          - Long format: --admpasswordfile
          - Short format: -W
          - Argument type: type:filepathname
          - Default value: <None>
          - Environment var: HADBM_ADMPASSWORDFILE
        * New option "no-adminpwd" for definedomain and create
          - Long format: --no-adminpwd
          - Short format: -U
          - Argument type: type:Boolean
          - Default value: FALSE
          - Environment var: HADBM_NO-ADMINPWD
        * New error code "Invalid admin password"
          - Action taken: Display error and terminate
          - Error message: "Admin authentication failed"
          - Error code: To be defined

        Examples:
          hadbm definedomain --no-adminpasswd <hostA>,<hostB>

          hadbm status --admpasswordfile=/home/secretpasswd mydb
              
        
        Notes:      
        Some hadbm commands will now require two passwords - one admin
        and one for the database: create, addnodes, and refragment. 
                
Non-feature(s):
	N/A

Dependencies: *
        HADB CLI Code ->  Mgmt Agent

Phases:
	This feature can be done in one single phase

Direction of Implementation:
	To be implemented by the HADM team.

Interfaces: *
	The CLI will provide three new options "admpassword",
        "admpasswordfile" and "no-adminpwd"

Cost:
        CLI Changes: 1 week to implement, 1 week for QA
        man pages for hadbm: 1 day
        Document changes: 1 day
        Total effort: 2 weeks, 2 days

Developer Tools Impact: *
        N/A

QA Impact: *
        Test infrastructure and all testcases are affected.

Doc Impact: *
        Functional specification for hadbm is affected
        User's Guide for hadbm is affected 
        man page for hadbm is affected
       
Installation Impact: *
        May need to prompt for password if running definedomain

Admin/Config Impact: *
        This is the admin tool. 

HA Impact: *
	N/A

I18N/L10N Impact: *
	No

Security Impact: *
	Yes, improves security.

Support Impact:
	Increases the complexity of the product.
	
Risks:
	Addresses some security issues
        Significant and overall change of user interface.
        Low risk to implement the support in the CLI.

See Also:
        [1] HADB Admin CLI Functional specifications:
        http://clustra.norway.sun.com/projects/odin/dbmgmt/funspec/hadbm_for_Odin.sxw