continuum-dev mailing list archives

From Brett Porter
Subject Re: Securing working copies in build agent (CONTINUUM-2632)
Date Wed, 01 Jun 2011 16:27:13 GMT
I'd agree with Wendy, at least at this point. There's no need for the complexity of user or
project-level auth on the build agent. We also should remember that anyone that can run a
build can access every working copy on the agent via the backdoor :)

I do think there's some value to per-user access to the WC from the agent over HTTP, as long
as none of the info is duplicated - but I'd consider that a separate feature, not a core part
of how this should be implemented.

- Brett

On 01/06/2011, at 9:18 PM, Wendy Smoak wrote:

> On Tue, May 31, 2011 at 4:57 AM, Deng Ching wrote:
>> Currently, there is no security implemented for accessing (read-only) the
>> working copies in the build agent via webdav. For CONTINUUM-2632, I'm
>> planning to use a similar mechanism as with Maven when downloading/getting
>> artifacts from a secured repository:
> ...
> This seems to imply that people would be accessing the build agent
> individually?  I don't think the build agent needs to know about users
> -- the access should all go through the master which can handle
> security via the user database.
> If you introduce an xml file on the build agent, how would it get
> populated for a new build agent, or updated for an existing one?  It
> also seems like that file would duplicate information already stored
> in the user database (what user can see what group).
> I think the build agent should only respond to requests from the
> master.  It shouldn't be talking to anybody else.  As long as it has
> some way to verify that the request is indeed coming from the master,
> I think that's enough to keep the working copies reasonably secure.
> -- 
> Wendy

Brett Porter
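
The thread above settles on the agent answering only requests it can verify as coming from the master. The sketch below is an added example, not part of either message and not Continuum code: it shows one way an agent could make that check, assuming a shared secret provisioned on both sides and an HMAC tag sent with each read-only WebDAV request. The secret, function names, paths and nonce scheme are all hypothetical.

```python
import hashlib
import hmac
import time

# Assumption: a secret provisioned on both master and agent (constructed value).
SHARED_SECRET = b"constructed-demo-secret"
MAX_SKEW_SECONDS = 300                      # freshness window for the timestamp
READ_ONLY_METHODS = {"GET", "HEAD", "PROPFIND"}


def sign_request(secret, method, path, timestamp, nonce):
    """Master side: bind method, path, timestamp and nonce to the shared secret."""
    message = f"{method}\n{path}\n{timestamp}\n{nonce}".encode()
    return hmac.new(secret, message, hashlib.sha256).hexdigest()


def verify_request(secret, method, path, timestamp, nonce, tag, seen, now=None):
    """Agent side: accept only fresh, unreplayed, read-only requests from the master.

    `seen` is a set of nonces already accepted inside the freshness window.
    """
    now = time.time() if now is None else now
    if method not in READ_ONLY_METHODS:     # working copies are exposed read-only
        return False
    try:
        ts = int(timestamp)
    except (TypeError, ValueError):
        return False
    if abs(now - ts) > MAX_SKEW_SECONDS:    # stale or future-dated request
        return False
    expected = sign_request(secret, method, path, ts, nonce)
    # Constant-time comparison so the check does not leak how much of the tag matched.
    if not hmac.compare_digest(expected.encode(), str(tag).encode()):
        return False
    if nonce in seen:                       # same signed request presented twice
        return False
    seen.add(nonce)
    return True
```

With this shape the agent holds one secret and no user or group data, so per-user authorization stays in the master's user database.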
