continuum-dev mailing list archives

From "Jevica Arianne B. Zurbano" <>
Subject Re: Securing working copies in build agent (CONTINUUM-2632)
Date Mon, 13 Jun 2011 05:45:09 GMT
Are we using the security system of Continuum to authenticate or are we going to need a webservice
for Redback authentication?

On Tuesday, 07 June, 2011 10:43 AM, Deng Ching wrote:
> Ok, makes sense :) I thought we'll be allowing per user access at the
> project level when I drafted the proposal.
> Thanks,
> Deng
> On Thu, Jun 2, 2011 at 12:27 AM, Brett Porter<>  wrote:
>> I'd agree with Wendy, at least at this point. There's no need for the
>> complexity of user or project-level auth on the build agent. We also should
>> remember that anyone that can run a build, can access every working copy on
>> the agent via the backdoor :)
>> I do think there's some value to per-user access to the WC from the agent
>> over HTTP, as long as none of the info is duplicated - but I'd consider that
>> a separate feature, not a core part of how this should be implemented.
>> - Brett
>> On 01/06/2011, at 9:18 PM, Wendy Smoak wrote:
>>> On Tue, May 31, 2011 at 4:57 AM, Deng Ching<>  wrote:
>>>> Currently, there is no security implemented for accessing (read-only) the
>>>> working copies in the build agent via webdav. For CONTINUUM-2632, I'm
>>>> planning to use a similar mechanism as with Maven when downloading/getting
>>>> artifacts from a secured repository:
>>> ...
>>> This seems to imply that people would be accessing the build agent
>>> individually?  I don't think the build agent needs to know about users
>>> -- the access should all go through the master which can handle
>>> security via the user database.
>>> If you introduce an xml file on the build agent, how would it get
>>> populated for a new build agent, or updated for an existing one?  It
>>> also seems like that file would duplicate information already stored
>>> in the user database (what user can see what group).
>>> I think the build agent should only respond to requests from the
>>> master.  It shouldn't be talking to anybody else.  As long as it has
>>> some way to verify that the request is indeed coming from the master,
>>> I think that's enough to keep the working copies reasonably secure.
>>> --
>>> Wendy
>> --
>> Brett Porter
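
One way the agent-side check discussed in this thread could work, where the build agent holds no user data and only verifies that a read request was issued by the master. This is an added example, not part of the original messages and not Continuum's code. It assumes a secret shared between master and agent out of band; `sign_request`, `AgentVerifier`, the 300-second window and the request fields are hypothetical names and values.

```python
import hashlib
import hmac
import time

MAX_SKEW_SECONDS = 300  # assumed freshness window
READ_ONLY_METHODS = {"GET", "HEAD", "PROPFIND"}  # WebDAV reads only


def sign_request(secret, method, path, timestamp, nonce):
    """Master side: MAC binds method, path, time and a one-use nonce."""
    msg = "\n".join([method, path, str(timestamp), nonce]).encode()
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()


class AgentVerifier:
    """Agent side: knows only the master's secret, no users or groups."""

    def __init__(self, secret):
        self._secret = secret
        self._seen = {}  # nonce -> timestamp, pruned as entries age out

    def verify(self, method, path, timestamp, nonce, signature, now=None):
        now = time.time() if now is None else now
        if not all(isinstance(v, str) for v in (method, path, nonce, signature)):
            return False
        if method not in READ_ONLY_METHODS:
            return False  # working copies are exposed read-only
        if "\n" in path + nonce or not signature.isascii():
            return False  # keep the signed fields unambiguous
        if not isinstance(timestamp, int) or abs(now - timestamp) > MAX_SKEW_SECONDS:
            return False  # stale or future-dated request
        expected = sign_request(self._secret, method, path, timestamp, nonce)
        if not hmac.compare_digest(expected, signature):
            return False  # wrong secret, or a signed field was altered
        # Drop nonces older than the window, then refuse any repeat.
        self._seen = {n: t for n, t in self._seen.items()
                      if abs(now - t) <= MAX_SKEW_SECONDS}
        if nonce in self._seen:
            return False  # replay of an already accepted request
        self._seen[nonce] = timestamp
        return True
```

In this arrangement the master decides, against its own user database, whether a user may see a working copy before it signs the request; the agent never learns which user asked.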



