Hardening s-Server

For many purposes, running SQLstream s-Server single user with no password is fine when inside a firewalled environment.

If you need JDBC access over the internet or you want to run with multiple users with restricted privileges, some of the following steps should be taken to harden s-Server:

You can also use Sandboxing in s-Server to further limit what users can access.

Configuring JDBC over SSL

You can enable s-Server to use the Secure Sockets Layer (SSL) protocol for secure communication between itself, SQLline client, and other clients that access s-Server through JDBC. SSL lets you use server authentication, client authentication, and data encryption. See Configuring s-Server to Use SSL for more details.

Setting a Password for the "sa" Account

Set a password for the “sa” account. This is the default, and administrative, account for s-Server. To do so:

  • Run sqllineClient or SQLline and connect to s-Server.
  • Enter the following:
ALTER USER “sa” IDENTIFIED BY ‘aPassword’;

Configure s-Server Clients to Use a Password

Once you set a password for this user, you will need to configure s-Server clients to use a password. To use sqllineClient, you will need to start it using

sqllineClient –PASSWORD

or

sqllineClient –PASSWORD="aPassword”.

You’ll also need to specify user and password in any SQLstream JDBC URLs, along the lines of: See the topic SQLstream JDBC Driver for more details.

When connecting to s-Server through sqlline, you can specify a username with -n and a password by passing -p For s-Studio, you can enter a user name and password in the Connection Properties dialog box. See Entering a JDBC URL for s-Studio.

To use StreamLab or s-Dashboard after adding user passwords, you will need to set a default user name and password through webAgent.

webAgent has command line arguments for setting the default user/password. See Command Line Arguments for webAgent in the Integrating with Other Systems*.

Creating Other Users and Granting Them Privileges

You can create other users and grant them privileges by following the instructions below. If you want a more controlled experience for your users, you may want to set up sandboxing.

CREATE USER Syntax

CREATE USER <user> [IDENTIFIED BY ‘aPassword’] DEFAULT CATALOG localdb;

This will create a new non-administrator user that by default will not have access to any system tables or functions (even in non-sandboxed environments). Only the creator of an object or schema (or the administrator) is allowed to drop or alter it.

Granting Users Permissions

Administrators can use the following SQL to grant access to foreign streams and tables, as well as system tables and streams or views based on system tables and streams:

GRANT <permission> { , <permission> }
TO <user>;

Administrators can use the following SQL to grant access to system functions:

GRANT EXECUTE ON SPECIFIC FUNCTION <function> TO <user>;

List of Permissions

Permission Repository objects to which permission applies
Select Tables, streams, views
Insert Tables, streams
Update Tables
Delete Streams
Execute user-defined routines, user defined functions, user-defined procedures, or user-defined transforms)