ace-users mailing list archives

From Jorge Martín Cuervo <jo...@martincuervo.com>
Subject custom security
Date Mon, 25 Jul 2016 21:26:07 GMT
Hello,

I would like to implement custom security. First of all, let me explain, to
get your opinion on whether this makes sense.
I have a server instance (compiled from run-server) accessible from the public
network; the rest of the components (obr and client) are only accessible
from the local network.

I have set up single-way SSL in the server (mainly because the targets
will not have a fixed IP or hostname).

Now I think it is time to add some authentication; I have been reading the
documentation and monitoring the HTTP communication of the server.

#agent updating
POST /auditlog/send HTTP/1.1
GET /auditlog/query?tid=target-1&logid=1469475605103 HTTP/1.1
GET /agent/target-1/org.apache.ace.agent/versions/ HTTP/1.1
GET /deployment/target-1/versions/ HTTP/1.1
GET /repository/query?customer=apache&name=deployment HTTP/1.1
GET /deployment/target-1/versions/6.0.0 HTTP/1.1

#client viewing
GET /auditlog/query HTTP/1.1
GET /repository/query?customer=apache&name=user HTTP/1.1
* GET /repository/checkout?customer=apache&name=user&version=1 HTTP/1.1
GET /repository/query?customer=apache&name=shop HTTP/1.1
GET /repository/checkout?customer=apache&name=shop&version=1 HTTP/1.1
GET /repository/checkout?customer=apache&name=target&version=7 HTTP/1.1
GET /repository/checkout?customer=apache&name=deployment&version=7 HTTP/1.1

#client updating repository
POST /repository/commit?customer=apache&name=shop&version=1 HTTP/1.1
POST /repository/commit?customer=apache&name=target&version=7 HTTP/1.1
POST /repository/commit?customer=apache&name=deployment&version=7 HTTP/1.1

POST /repository/commit?customer=apache&name=shop&version=2 HTTP/1.1
POST /repository/commit?customer=apache&name=target&version=8 HTTP/1.1
POST /repository/commit?customer=apache&name=deployment&version=8 HTTP/1.1

It seems that I could secure (add authentication to) the POST actions on
/repository/commit and leave the other GETs open to everybody. With this I
do not need to manage passwords for the agents; in my case all the agents
will get the same bundles.

For the current implementation, I was checking
org.apache.ace.authentication and
org.apache.ace.authentication.processor.basicauth, so I could implement a
processor that uses basicauth for requests with method POST, while for
requests with GET no check is needed.
For GETs I could simply return a predefined User with the minimum operations:

<memberof>viewArtifact</memberof>
<memberof>viewFeature</memberof>
<memberof>viewDistribution</memberof>
<memberof>viewTarget</memberof>

Does it sound reasonable?
Are these the steps to follow?

- edit run-server/conf/org.apache.ace.connectionfactory/repository.cfg to
enable authentication (not sure about that; the documentation mentions
o.a.a.repository.servlet, but in the source code there is no such file, only
run-server/conf/org.apache.ace.http.context.cfg exists)
- edit
run-server/conf/org.apache.ace.server.repository.factory/ace-user.cfg to
customize the users
- implement the processor
- configure the new processor (no idea how to do it)
- in run-client/conf/org.apache.ace.connectionfactory/repository.cfg,
set the authentication and credentials

Many thanks!!

____________________________________
Jorge Martin Cuervo

email <jorge@martincuervo.com>
voice 0032 489 336 802
voice 0034 660 026 384
skype jorgemartincuervo
____________________________________
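
The rule proposed in the message above (authenticate only POST on /repository/commit, leave every other request open), applied to request lines quoted in that message. This is an added example, not part of the original post and not Apache ACE code; the function names and the two finding labels are hypothetical, and the request lines are a subset copied from the message with the HTTP version dropped.

```python
from urllib.parse import urlsplit, parse_qs

# Request lines copied from the message above (subset, HTTP version dropped).
OBSERVED = [
    "POST /auditlog/send",
    "GET /auditlog/query?tid=target-1&logid=1469475605103",
    "GET /agent/target-1/org.apache.ace.agent/versions/",
    "GET /deployment/target-1/versions/",
    "GET /repository/query?customer=apache&name=deployment",
    "GET /deployment/target-1/versions/6.0.0",
    "GET /auditlog/query",
    "GET /repository/query?customer=apache&name=user",
    "GET /repository/checkout?customer=apache&name=user&version=1",
    "GET /repository/checkout?customer=apache&name=shop&version=1",
    "POST /repository/commit?customer=apache&name=shop&version=1",
    "POST /repository/commit?customer=apache&name=target&version=7",
]

def requires_auth(method, path):
    """Rule from the message: only POST on /repository/commit is authenticated."""
    return method == "POST" and path == "/repository/commit"

def audit(lines):
    """Return (request, finding) pairs for requests the rule leaves anonymous
    and that deserve a second look before the server is exposed publicly."""
    findings = []
    for line in lines:
        method, target = line.split(" ", 1)
        url = urlsplit(target)
        repo = parse_qs(url.query).get("name", [None])[0]
        if requires_auth(method, url.path):
            continue  # covered by the proposed basicauth check
        if method != "GET":
            # A non-GET request outside /repository/commit stays unauthenticated.
            findings.append((line, "anonymous write"))
        elif url.path.startswith("/repository/") and repo == "user":
            # The repository named "user" stays readable without credentials.
            findings.append((line, "anonymous read of user repository"))
    return findings

if __name__ == "__main__":
    for request, finding in audit(OBSERVED):
        print(f"{finding:36} {request}")
```

Run against the captured traffic, the rule leaves POST /auditlog/send and both reads of the `user` repository unauthenticated, which is worth deciding on explicitly before exposing the server.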
