Announcing Sun MySQL!
January 16, 2008 | Leave a Comment
Sun has officially acquired MySQL! As a huge fan and supporter of MySQL, I have personal commitment and obvious concerns about this. In my experience most things Sun does are bloated and slow to develop (Solaris, Java, Open Office). Yet, I remain hopeful because they do seem to respect and work positively with open source initiatives.
The most positive things can come out of this are improved marketing, better name recognition, and funds injected into a project. Maybe they can compete with Oracle now? Hey, maybe Sun will stop using Berkeley DB to back most it’s existing products. I’ll admit that upon first reading this my heart skipped a few beats, but as the pains subsided I think its all going to be OK.
Tags: database, java, lamp, mysql, openoffice, oracle, solaris, Sun, sun microsystems
Debugging/Fixing Sun Calendar Permissions
July 5, 2006 | 2 Comments
As part of the Luminis Platform, we run the Sun Java Enterprise System Calendar Server, previously called SunOne Calendar Server, previously known as iPlanet Calendar Server. As expected, this calendar server has a fairly robust (read complicated) permission system. Invariably, users make setting changes that cause undesirable behavior with their calendar. A common symptom would be that suddenly no other users can find their calendar when searching for them and in turn can't subscribe to the calendar, even if they have the privileges to do that.
So, over the years I've developed a semi-effective process for debugging the calendar permissions from the backend.
- SSH to your calendar server
cdto the calendar server/bindirectory (for Luminis this is$CP_ROOT/products/SUNWics5/cal/bin)- use the cscal utility to query the trouble user. ex
./cscal -v list jpseudo - in the out put you get you'll see a line called 'aces' it will look something like:
CODE:
-
aces=@@o^c^WDEIC^g;@@o^a^RSF^g;someuser^a^rsf^g;someuser^c^^g;anotheruser^a^rsf^g;anotheruser^c^wd^g;someoneelse^a^rsf^g;someoneelse^c^^g;@^a^^g;@^c^^g;someuser^p^r^g;anotheruser^p^r^g;someoneelse^p^r^g
-
- This is the access control list or ACL, it is obviously very hard to read. I use EditPlus to do a regular expression find (;) and replace (;\n) on the permissions to clean it up a bit.
- Now it reads:
@@o^c^WDEIC^g;
@@o^a^RSF^g;
someuser^a^rsf^g;
someuser^c^^g;
anotheruser^a^rsf^g;
anotheruser^c^wd^g;
someoneelse^a^rsf^g;
someoneelse^c^^g;
@^a^^g;
@^c^^g;
someuser^p^r^g;
anotheruser^p^r^g;
someoneelse^p^r^g - Now for a brief aside explaining these individual permissions called access control entries or ACEs...
The ACE consists of four distinct elements separated by a caret (^):- Who - the user or type of user the permission applies to. Valid entries are:
- username
- @@o - all owners
- @@p - primary owner
- @@n - not an owner
- @ - anyone
- What - the thing being accessed. Valid entries here are:
- c - calendar component, events or tasks
- p - calendar properties such as name description owners and so forth
- a - entire calendar including components and properties
- How - what actions are permitted. Valid entries are:
- r - read
- w - write
- d - delete
- s - schedule or invite
- f - free/busy or availability
- e - accept or decline invitations
- i - send invites for events on the calendar
- c - cancel
- Grant - this determines whether or not the ACE is a grant (g) or deny (d)
Now that we have a clue what these ACEs actually represent, how do we go about finding a problem?
- Who - the user or type of user the permission applies to. Valid entries are:
- If the issue is about a single user experiencing trouble with the jpseudo's calendar, then extract only the ACEs that apply to that user or apply globally. If instead it is a generalized issue, eliminate all user specific ACEs and only look at global ones. Either way you should be able to drastically reduce the number of rules you are looking at.
- If this issue is the example originally given where the user's calendar cannot be seen by any users, then we are looking for a permission like @^p^r^g; or something similar. If the problem is not readily apparent, it is often useful to compare another user who you know works against this problem user.
- Now it is time to modify the permissions. More specific entries should be ordered first, this allows them to override entries that come later.
- Once you have the entries ordered properly, the command you need to execute will look something like this:
CODE:
-
./cscal -a "@@o^c^WDEIC^g;@@o^a^RSF^g;someuser^a^rsf^g;someuser^c^^g;anotheruser^a^rsf^g;anotheruser^c^wd^g;someoneelse^a^rsf^g;someoneelse^c^^g;@^a^^g;@^c^^g;someuser^p^r^g;anotheruser^p^r^g;someoneelse^p^r^g;@^p^r^g" modify jpseudo
-
- Hopefully the change you made succeeds and life is good, if not, rinse and repeat!
Tags: ACE, aces, ACL, acls, application administration, calendar, iPlanet Calendar Server, java, luminis, luminis platform, Sun, Sun Java Enterprise System Calendar Server, sungard, sungard higher education, SunOne Calendar Server, system administration