geode-dev mailing list archives

From Aaron Lindsey <alind...@pivotal.io>
Subject Re: [PROPOSAL]: Improve OQL Method Invocation Security
Date Fri, 12 Jul 2019 15:52:00 GMT
+1

I just re-reviewed this proposal and it looks good to me.

- Aaron

> On Jul 12, 2019, at 6:29 AM, Juan José Ramos <jramos@pivotal.io> wrote:
> 
> Hello Mike,
> 
> Agreed, we'll probably need to create an enhancement request for this
> feature in JIRA.
> Cheers.
> 
> On Thu, Jul 11, 2019 at 5:37 PM Michael Stolz <mstolz@pivotal.io> wrote:
> 
>> One thing I will mention regarding DATA:READ:RegionName allowing query
>> behavior is that we have been asked by some users already to separate
>> DATA:READ:RegionName from DATA:QUERY:RegionName. This request is to protect
>> against arbitrary query execution by administrators that can cause huge
>> resource consumption.
>> 
>> So regardless of all the rest of the proposal, that's something we should
>> probably consider standardizing on.
>> 
>> --
>> Mike Stolz
>> Principal Engineer, Pivotal Cloud Cache
>> Mobile: +1-631-835-4771
>> 
>> 
>> 
>> On Thu, Jul 11, 2019 at 11:36 AM Juan José Ramos <jramos@pivotal.io>
>> wrote:
>> 
>>> Hello all,
>>> 
>>> Friendly reminder regarding the deadline to raise concerns and/or objections
>>> regarding the *OQL Method Invocation Security Proposal [1]*, I'll go ahead
>>> and move it to *Development* on July 13th.
>>> Best regards.
>>> 
>>> [1]: https://cwiki.apache.org/confluence/display/GEODE/OQL+Method+Invocation+Security#OQLMethodInvocationSecurity-PriorArt
>>> 
>>> On Mon, Jul 8, 2019 at 3:29 PM Juan José Ramos <jramos@pivotal.io> wrote:
>>> 
>>>> Done [1]!
>>>> Please remember that, if no major concerns arise before Friday this week,
>>>> I'll go ahead and move the proposal to *Development* on July 13th.
>>>> Best regards.
>>>> 
>>>> [1]: https://cwiki.apache.org/confluence/display/GEODE/OQL+Method+Invocation+Security#OQLMethodInvocationSecurity-PriorArt
>>>> 
>>>> On Fri, Jul 5, 2019 at 3:48 PM Jacob Barrett <jbarrett@pivotal.io> wrote:
>>>> 
>>>>> Can you please add a Prior Art section to your proposal discussing these
>>>>> alternative solutions and why they are insufficient?
>>>>> 
>>>>> Thanks,
>>>>> Jake
>>>>> 
>>>>> 
>>>>>> On Jul 5, 2019, at 10:41 AM, Juan José Ramos <jramos@pivotal.io> wrote:
>>>>>> 
>>>>>> Hello Jake,
>>>>>> 
>>>>>> I've replied something similar *here [1]*.
>>>>>> Long story short, I haven't found anything that really applies to our use
>>>>>> case. The "most similar solution" is *Spring Method Security [2]*, which
>>>>>> basically implies annotating methods with explicit configuration about the
>>>>>> roles required to execute them. The same goes for *Shiro Annotation-based
>>>>>> Authorization [3]*. The *AnnotationBasedMethodAuthorizer [4]* approach
>>>>>> from the proposal is somewhat similar to this, but I've discarded it
>>>>>> because it forces the user to annotate classes with our own annotations,
>>>>>> basically forcing them to modify their domain model.
>>>>>> The proposal basically allows our users to use one of the default out of
>>>>>> the box implementations and, if they don't like them for whatever reason,
>>>>>> is flexible enough so they can ultimately provide their own.
>>>>>> Hope this helps.
>>>>>> Cheers.
>>>>>> 
>>>>>> [1]: https://markmail.org/message/ekons7ixtz4jtf7n#query:+page:1+mid:snxgpsqd3yuppmsc+state:results
>>>>>> [2]: https://docs.spring.io/spring-security/site/docs/5.1.5.RELEASE/reference/html/jc.html#jc-method
>>>>>> [3]: https://shiro.apache.org/authorization.html#Authorization-AnnotationbasedAuthorization
>>>>>> [4]: https://cwiki.apache.org/confluence/display/GEODE/OQL+Method+Invocation+Security#OQLMethodInvocationSecurity-AnnotationBasedMethodAuthorizer
>>>>>> 
>>>>>> On Fri, Jul 5, 2019 at 1:46 PM Jacob Barrett <jbarrett@pivotal.io> wrote:
>>>>>> 
>>>>>>> So if we don't want to use the Java built in SecurityManager to solve
>>>>>>> this, because we feel it's too big or too inflexible for our needs, have
>>>>>>> other projects implemented something we can borrow? We can't be the first
>>>>>>> to need something like this if Java's solution isn't a good fit.
>>>>>>> 
>>>>>>> Again I want to avoid inventing something new. What prior art is out there?
>>>>>>> 
>>>>>>> 
>>>>>>>> On Jul 4, 2019, at 1:29 PM, Juan José Ramos <jramos@pivotal.io> wrote:
>>>>>>>> 
>>>>>>>> Hello all,
>>>>>>>> 
>>>>>>>> If you haven't added my email to the spam folder already :-), then I'd like
>>>>>>>> to let you know that I've updated again the *Proposal [1]* and incorporated
>>>>>>>> most of the feedback provided, along with some additional information and
>>>>>>>> context I missed on the previous versions; thanks to all that brought concerns
>>>>>>>> and suggestions to the discussion. Please take some time to review it
>>>>>>>> thoroughly, adding comments and/or concerns *only on this email thread*,
>>>>>>>> all feedback is more than welcome.
>>>>>>>> If no major concerns arise before July 12th 2019, I'll go ahead and
>>>>>>>> move the proposal to *Development* on July 13th.
>>>>>>>> Best regards.
>>>>>>>> 
>>>>>>>> [1]: https://cwiki.apache.org/confluence/display/GEODE/OQL+Method+Invocation+Security
>>>>>>> 
>>>>>>> 
>>>>>> 
>>>>>> --
>>>>>> Juan José Ramos Cassella
>>>>>> Senior Technical Support Engineer
>>>>>> Email: jramos@pivotal.io
>>>>>> Office#: +353 21 4238611
>>>>>> Mobile#: +353 87 2074066
>>>>>> After Hours Contact#: +1 877 477 2269
>>>>>> Office Hours: Mon - Thu 08:30 - 17:00 GMT. Fri 08:30 - 16:00 GMT
>>>>>> How to upload artifacts:
>>>>>> https://support.pivotal.io/hc/en-us/articles/204369073
>>>>>> How to escalate a ticket:
>>>>>> https://support.pivotal.io/hc/en-us/articles/203809556
>>>>>> 
>>>>>> [image: support] <https://support.pivotal.io/> [image: twitter]
>>>>>> <https://twitter.com/pivotal> [image: linkedin]
>>>>>> <https://www.linkedin.com/company/3048967> [image: facebook]
>>>>>> <https://www.facebook.com/pivotalsoftware> [image: google plus]
>>>>>> <https://plus.google.com/+Pivotal> [image: youtube]
>>>>>> <
>>>>> 
>>> https://www.youtube.com/playlist?list=PLAdzTan_eSPScpj2J50ErtzR9ANSzv3kl
>>> 
>>>>> 
>>>>> 
>>>> 
>>> 
>>>> 
>>> 
>>> 
>>> 
>> 
> 
> 

