geode-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Juan José Ramos <jra...@pivotal.io>
Subject Re: [PROPOSAL]: Improve OQL Method Invocation Security
Date Wed, 26 Jun 2019 17:46:59 GMT
Helo all,

Thanks for all the feedback.
I'll go over the comments and reply accordingly, hopefully between tomorrow
and Friday.
Best regards.



On Wed, Jun 26, 2019 at 2:12 PM Dan Smith <dsmith@pivotal.io> wrote:

> A couple of other things to keep in mind to make sure you aren't
> introducing security holes
>
> 1) Queries can be executed by users with read privileges. So if it needs to
> be really clear to the operator whether the MethodInvocationAuthorizer they
> are configuring is going to let users call methods that modify the data or
> not.
> 2) OQL lets you invoke methods on objects that are passed as parameters to
> the query. So that means that any class that exists on the server and is
> serializable could potentially have methods invoked in it through a query
> when someone opens up access with one of these MethodInvocationAuthorizers.
> So the RegexBasedMethodAuthorizer needs to be used with care.
>
> -Dan
>
> On Tue, Jun 25, 2019 at 11:53 AM Anthony Baker <abaker@pivotal.io> wrote:
>
> > Here are the things I think are important:
> >
> > 1) I shouldn’t have to change my domain classes in order to run a query.
> > 2) I shouldn’t have to configure anything to run a “normal” query that
> > uses classes deployed into the cluster and stored in the region.
> > 3) By default the cluster is secure from malicious users trying to
> execute
> > untrusted code*.
> >
> >
> > Anthony
> >
> > * if a user chooses to deploy code into the cluster that does bad things
> > that’s on them
> >
> >
> > > On Jun 25, 2019, at 11:07 AM, Aaron Lindsey <alindsey@pivotal.io>
> wrote:
> > >
> > > +1 to the proposal
> > >
> > > Some comments:
> > >
> > >   - There is almost always trade-off between security and ease-of-use.
> > The
> > >   proposed implementation of JavaBeanAccessorBasedMethodAuthorizer
> makes
> > me
> > >   feel uneasy because it would be super easy to create a method that
> > begins
> > >   with "get" or "is" but is not actually a JavaBean accessor method.
> > However,
> > >   I can also see how nice this would be in terms of ease-of-use.
> > >   - From a security standpoint I prefer AnnotationBasedMethodAuthorizer
> > >   because it's very explicit on which methods may be executed. To
> remove
> > the
> > >   coupling between the configuration and domain classes, you could
> > separate
> > >   out the mapping of which methods are allowed into a different class
> > and not
> > >   use annotations.
> > >   - How have other projects solved this problem? Can we add a "related
> > >   work" section to the proposal? If you've already looked and didn't
> > really
> > >   find anything relevant you could also mention that in the proposal.
> > >
> > > - Aaron
> > >
> > >
> > > On Mon, Jun 24, 2019 at 4:31 PM Jason Huynh <jhuynh@pivotal.io> wrote:
> > >
> > >> +1
> > >>
> > >> I have some concerns about all of the different ways we configure
> geode
> > to
> > >> be secure, but that's a different issue ;-)
> > >> Overall, very thorough proposal Juan!
> > >>
> > >>
> > >>
> > >> On Mon, Jun 24, 2019 at 4:22 PM Dan Smith <dsmith@pivotal.io> wrote:
> > >>
> > >>> +1
> > >>>
> > >>> This proposal looks good to me!
> > >>>
> > >>> On Mon, Jun 24, 2019 at 4:15 PM Udo Kohlmeyer <udo@apache.org>
> wrote:
> > >>>
> > >>>> +1, Count me in
> > >>>>
> > >>>> On 6/24/19 13:06, Juan José Ramos wrote:
> > >>>>> Hey Jake,
> > >>>>>
> > >>>>> Sure, I guess we could do a live session if there's enough
interest
> > >>> after
> > >>>>> people have reviewed the proposal.
> > >>>>> Best regards.
> > >>>>>
> > >>>>> On Mon, Jun 24, 2019 at 4:17 PM Jacob Barrett <jbarrett@pivotal.io
> >
> > >>>> wrote:
> > >>>>>
> > >>>>>>
> > >>>>>>> On Jun 24, 2019, at 11:49 AM, Juan José Ramos <jramos@pivotal.io
> >
> > >>>> wrote:
> > >>>>>>>
> > >>>>>>>  I’d rather get feedback in any way and aggregate
everything on
> my
> > >>> own
> > >>>>>> than
> > >>>>>>> maybe not getting anything because I'm explicitly limiting
the
> > >>> options
> > >>>> to
> > >>>>>>> provide it.
> > >>>>>> Dealers choice so both it is!
> > >>>>>>
> > >>>>>> Could you also consider public live session on some medium,
like
> > >> Zoom,
> > >>>>>> where you can walk through the proposal and take like feedback
and
> > >>>>>> questions?
> > >>>>>>
> > >>>>>> Thanks,
> > >>>>>> Jake
> > >>>>>>
> > >>>>>>
> > >>>>>>
> > >>>>
> > >>>
> > >>
> >
> >
>


-- 
Juan José Ramos Cassella
Senior Technical Support Engineer
Email: jramos@pivotal.io
Office#: +353 21 4238611
Mobile#: +353 87 2074066
After Hours Contact#: +1 877 477 2269
Office Hours: Mon - Thu 08:30 - 17:00 GMT. Fri 08:30 - 16:00 GMT
How to upload artifacts:
https://support.pivotal.io/hc/en-us/articles/204369073
How to escalate a ticket:
https://support.pivotal.io/hc/en-us/articles/203809556

[image: support] <https://support.pivotal.io/> [image: twitter]
<https://twitter.com/pivotal> [image: linkedin]
<https://www.linkedin.com/company/3048967> [image: facebook]
<https://www.facebook.com/pivotalsoftware> [image: google plus]
<https://plus.google.com/+Pivotal> [image: youtube]
<https://www.youtube.com/playlist?list=PLAdzTan_eSPScpj2J50ErtzR9ANSzv3kl>

Mime
  • Unnamed multipart/alternative (inline, None, 0 bytes)
View raw message