brooklyn-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "ASF GitHub Bot (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (BROOKLYN-51) Remote access without configuring a username and password
Date Tue, 09 Sep 2014 09:02:28 GMT

    [ https://issues.apache.org/jira/browse/BROOKLYN-51?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14126774#comment-14126774
] 

ASF GitHub Bot commented on BROOKLYN-51:
----------------------------------------

Github user aledsage commented on a diff in the pull request:

    https://github.com/apache/incubator-brooklyn/pull/154#discussion_r17289211
  
    --- Diff: usage/launcher/src/main/java/brooklyn/launcher/BrooklynLauncher.java ---
    @@ -595,16 +597,18 @@ private void handleSubsystemStartupError(boolean ignoreSuchErrors,
String system
         }
     
         protected void startWebApps() {
    -        if (BrooklynWebConfig.hasNoSecurityOptions(brooklynProperties)) {
    -            if (bindAddress==null) {
    -                LOG.info("Starting brooklyn web-console on loopback interface because
no security config is set");
    -                bindAddress = Networking.LOOPBACK;
    -            }
    -            if (skipSecurityFilter==null) {
    -                LOG.debug("Starting brooklyn web-console without security because we
are loopback and no security is set");
    -                skipSecurityFilter = true;
    -            }
    +        // No security options in properties and no command line options overriding.
    +        if (Boolean.TRUE.equals(skipSecurityFilter) && bindAddress == null) {
    +            LOG.info("Starting Brooklyn web-console on loopback because security is explicitly
disabled and no bind address was given");
    +            bindAddress = Networking.LOOPBACK;
    +        } else if (BrooklynWebConfig.hasNoSecurityOptions(brooklynProperties) &&
bindAddress == null) {
    +            LOG.info("Starting Brooklyn web-console with passwordless access on localhost
and protected access from other interfaces");
    +            bindAddress = Networking.ANY_NIC;
    +            brooklynProperties.put(
    +                    BrooklynWebConfig.SECURITY_PROVIDER_CLASSNAME,
    +                    BrooklynUserWithRandomPasswordSecurityProvider.class.getName());
    --- End diff --
    
    I think this is right, but just wanted to raise question... with `ExplicitUsersSecurityProvider.authenticate`
it will look up the users+passwords from brooklyn properties, so a properties-reload will
affect subsequent authenticate attempts (but not existing sessions). However, if we've set
it to use `BrooklynUserWithRandomPasswordSecurityProvider` then the properties-reload to add
explicit users + passwords will have no affect. I think that's fine as we've logged to tell
the person starting brooklyn, so they can restart if desired.


> Remote access without configuring a username and password
> ---------------------------------------------------------
>
>                 Key: BROOKLYN-51
>                 URL: https://issues.apache.org/jira/browse/BROOKLYN-51
>             Project: Brooklyn
>          Issue Type: Sub-task
>    Affects Versions: 0.7.0-M1
>            Reporter: Richard Downer
>            Assignee: Sam Corbett
>             Fix For: 0.7.0
>
>
> By default, if Brooklyn is not configured with a username+password in brooklyn.properties,
Brooklyn will *only* bind to the localhost interface, refusing connections from the network.
> To ease first time users starting Brooklyn on a server, change Brooklyn to:
> 1. Always bind on all interfaces;
> 2. If no username and password is configured, generate one randomly and print the details
to the console
> 3. Additionally, if no username and password is configured, continue to allow passwordless
logins on the localhost interface.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

Mime
View raw message