Security plug-in APIs
To enable you to customize the Db2® database system authentication and group membership lookup behavior, the Db2 database system provides APIs that you can use to modify existing plug-in modules or build new security plug-in modules.
When you develop a security plug-in module, you need to implement the standard authentication or group membership lookup functions that the Db2 database manager will invoke. For the three available types of plug-in modules, the functionality you need to implement is as follows:
- Group retrieval
- Retrieves group membership information for a given user and determines if a given string represents a valid group name.
- User ID/password authentication
- Authentication that identifies the default security context (client only); validates and optionally changes a password; determines whether a given string represents a valid user (server only); modifies the user ID or password provided on the client before it is sent to the server (client only); and returns the Db2 authorization ID associated with a given user.
- GSS-API authentication
- Authentication that implements the required GSS-API functions; identifies the default security context (client side only); generates initial credentials based on user ID and password, and optionally changes the password (client side only); creates and accepts security tickets; and returns the Db2 authorization ID associated with a given GSS-API security context.
The following list shows the definitions for terminology used in the descriptions of the plug-in APIs.
- Plug-in
- A dynamically loadable library that Db2 will load to access user-written authentication or group membership lookup functions.
- Implicit authentication
- A connection to a database without specifying a user ID or a password.
- Explicit authentication
- A connection to a database in which both the user ID and password are specified.
- Authid
- An internal ID representing an individual or group to which authorities and privileges within the database are granted. Internally, a Db2 authid is folded to upper-case and is a minimum of 8 characters (blank padded to 8 characters). Currently, Db2 requires authids, user IDs, passwords, group names, namespaces, and domain names that can be represented in 7-bit ASCII.
- Local authorization
- Authorization that is local to the server or client that implements it, and that checks whether a user is authorized to perform an action other than connecting to the database, such as starting and stopping the database manager, turning Db2 trace on and off, or updating the database manager configuration.
- Namespace
- A collection or grouping of users within which individual user identifiers must be unique. Common examples include Windows domains and Kerberos realms. Within the Windows domain "usa.company.com", for example, all user names must be unique, as in "user1@usa.company.com". The same user ID in another domain, as in "user1@canada.company.com", refers to a different person. A fully qualified user identifier includes a user ID and namespace pair; for example, "user@domain.name" or "domain\user".
- Input
- Indicates that Db2 supplies the value for the security plug-in API parameter.
- Output
- Indicates that the security plug-in API will specify the value for the API parameter.
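The two definitions above that a plug-in author most often has to get right in code are Authid (upper-cased, blank-padded to at least 8 characters, 7-bit ASCII only) and Namespace (the "user@domain.name" and "domain\user" forms). The following C program is an added example, not code from the Db2 documentation and not part of the Db2 plug-in API: it splits a fully qualified identifier into its user ID and namespace, rejecting empty halves and ambiguous input, and folds a user ID into the canonical authid form. The function names, buffer sizes and the rejection of control characters are this example's own assumptions.

```c
#include <assert.h>
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define AUTHID_MIN 8   /* authid is blank-padded to at least 8 characters */

/* Split "user@domain.name" or "domain\user" into user ID and namespace
 * (hypothetical helper). A bare user ID yields an empty namespace.
 * Returns 1 on success, 0 for empty, truncated or ambiguous input. */
int split_qualified_id(const char *fq, char *user, size_t ulen,
                       char *ns, size_t nlen)
{
    const char *at, *bs;
    if (fq == NULL || *fq == '\0') return 0;
    at = strchr(fq, '@');
    bs = strchr(fq, '\\');
    if (at != NULL && bs == NULL) {              /* user@domain.name */
        size_t u = (size_t)(at - fq);
        if (u == 0 || at[1] == '\0' || u >= ulen || strlen(at + 1) >= nlen)
            return 0;
        memcpy(user, fq, u); user[u] = '\0';
        strcpy(ns, at + 1);
        return 1;
    }
    if (bs != NULL && at == NULL) {              /* domain\user */
        size_t n = (size_t)(bs - fq);
        if (n == 0 || bs[1] == '\0' || n >= nlen || strlen(bs + 1) >= ulen)
            return 0;
        memcpy(ns, fq, n); ns[n] = '\0';
        strcpy(user, bs + 1);
        return 1;
    }
    if (at == NULL && bs == NULL) {              /* unqualified user ID */
        if (strlen(fq) >= ulen) return 0;
        strcpy(user, fq);
        ns[0] = '\0';
        return 1;
    }
    return 0;   /* both separators present: ambiguous, reject */
}

/* Fold a user ID into canonical authid form (hypothetical helper):
 * 7-bit ASCII only, upper-cased, blank-padded to AUTHID_MIN characters.
 * Control characters are also rejected (this example's choice).
 * Returns the authid length, or -1 if the input is not representable. */
int to_authid(const char *userid, char *out, size_t outlen)
{
    size_t i, n;
    if (userid == NULL || out == NULL) return -1;
    n = strlen(userid);
    if (n == 0 || n + 1 > outlen || AUTHID_MIN + 1 > outlen) return -1;
    for (i = 0; i < n; i++) {
        unsigned char c = (unsigned char)userid[i];
        if (c > 0x7F || c < 0x20) return -1;    /* not 7-bit printable ASCII */
        out[i] = (char)toupper(c);
    }
    for (; i < AUTHID_MIN; i++) out[i] = ' ';    /* blank-pad to the minimum */
    out[i] = '\0';
    return (int)i;
}

int main(void)
{
    /* Constructed sample identifiers, not taken from any real directory. */
    const char *samples[] = { "user1@usa.company.com", "CANADA\\user1", "dbadmin" };
    char user[64], ns[64], authid[64];
    size_t k;
    for (k = 0; k < sizeof samples / sizeof samples[0]; k++) {
        if (!split_qualified_id(samples[k], user, sizeof user, ns, sizeof ns)) {
            printf("%-24s -> rejected\n", samples[k]);
            continue;
        }
        to_authid(user, authid, sizeof authid);
        printf("%-24s -> user=%s ns=%s authid=[%s]\n", samples[k], user, ns, authid);
    }
    return 0;
}
```

The split function deliberately rejects strings that contain both separators, so that "dom\u@x" cannot be interpreted two ways by the plug-in and the server; the authid folding makes "user1" and "USER1" compare equal, which is the behaviour the Authid definition above implies for authorization checks.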