geode-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Juan José Ramos <jra...@pivotal.io>
Subject Re: [PROPOSAL]: Improve OQL Method Invocation Security
Date Fri, 12 Jul 2019 13:29:01 GMT
Hello Mike,

Agreed, we'll probably need to create an enhancement request for this
feature in JIRA.
Cheers.

On Thu, Jul 11, 2019 at 5:37 PM Michael Stolz <mstolz@pivotal.io> wrote:

> One thing I will mention regarding DATA:READ:RegionName allowing query
> behavior is that we have been asked by some users already to separate
> DATA:READ:RegionName from DATA:QUERY:RegionName. This request is to protect
> against arbitrary query execution by administrators that can cause huge
> resource consumption.
>
> So regardless of all the rest of the proposal, that's something we should
> probably consider standardizing on.
>
> --
> Mike Stolz
> Principal Engineer, Pivotal Cloud Cache
> Mobile: +1-631-835-4771
>
>
>
> On Thu, Jul 11, 2019 at 11:36 AM Juan José Ramos <jramos@pivotal.io>
> wrote:
>
> > Hello all,
> >
> > Friendly reminder regarding the deadline to rise concerns and/or
> objections
> > regarding the *OQL Method InvocationSecurity Proposal [1]*, I'll go ahead
> > and move it to *Development* on July 13th.
> > Best regards.
> >
> > [1]:
> >
> >
> https://cwiki.apache.org/confluence/display/GEODE/OQL+Method+Invocation+Security#OQLMethodInvocationSecurity-PriorArt
> >
> >
> > On Mon, Jul 8, 2019 at 3:29 PM Juan José Ramos <jramos@pivotal.io>
> wrote:
> >
> > > Done [1]!.
> > > Please remember that, if no major concerns arise before Friday this
> week,
> > > I'll go ahead and move the proposal to *Development* on July 13th.
> > > Best regards.
> > >
> > > [1]:
> > >
> >
> https://cwiki.apache.org/confluence/display/GEODE/OQL+Method+Invocation+Security#OQLMethodInvocationSecurity-PriorArt
> > >
> > > On Fri, Jul 5, 2019 at 3:48 PM Jacob Barrett <jbarrett@pivotal.io>
> > wrote:
> > >
> > >> Can you please add a Prior Art section to your proposal discussing
> these
> > >> alternative solutions and why they are insufficient?
> > >>
> > >> Thanks,
> > >> Jake
> > >>
> > >>
> > >> > On Jul 5, 2019, at 10:41 AM, Juan José Ramos <jramos@pivotal.io>
> > wrote:
> > >> >
> > >> > Hello Jake,
> > >> >
> > >> > I've replied something similar *here [1]*.
> > >> > Long story short, I haven't found anything that really applies to
> our
> > >> use
> > >> > case. The "most similar solution" is *Spring Method Security [2]*,
> > which
> > >> > basically implies annotating methods with explicit configuration
> about
> > >> the
> > >> > roles required to execute them. The same goes for *Shiro
> > >> **Annotation-based
> > >> > Authorization [3]*. The *AnnotationBasedMethodAuthorize**r [3]*
> > approach
> > >> > from the proposal is somewhat similar to this, but I've discarded
it
> > >> > because if forces the user to annotate classes with our own
> > annotations,
> > >> > basically forcing them to modify their domain model.
> > >> > The proposal basically allows our users to use one of the default
of
> > the
> > >> > box implementations and, if they don't like them for whatever
> reason,
> > is
> > >> > flexible enough so they can ultimately provide their own.
> > >> > Hope this helps.
> > >> > Cheers.
> > >> >
> > >> > [1]:
> > >> >
> > >>
> >
> https://markmail.org/message/ekons7ixtz4jtf7n#query:+page:1+mid:snxgpsqd3yuppmsc+state:results
> > >> > [2]:
> > >> >
> > >>
> >
> https://docs.spring.io/spring-security/site/docs/5.1.5.RELEASE/reference/html/jc.html#jc-method
> > >> > [3]:
> > >> >
> > >>
> >
> https://shiro.apache.org/authorization.html#Authorization-AnnotationbasedAuthorization
> > >> > [4]:
> > >> >
> > >>
> >
> https://cwiki.apache.org/confluence/display/GEODE/OQL+Method+Invocation+Security#OQLMethodInvocationSecurity-AnnotationBasedMethodAuthorizer
> > >> >
> > >> > On Fri, Jul 5, 2019 at 1:46 PM Jacob Barrett <jbarrett@pivotal.io>
> > >> wrote:
> > >> >
> > >> >> So if we don’t want to use the Java built in SecurityManager
to
> solve
> > >> >> this, because we feel it's too big or too inflexible for our needs,
> > >> have
> > >> >> other projects implemented something we can borrow? We can’t
be the
> > >> first
> > >> >> to need something like this if Java’s solution isn’t a good
fit.
> > >> >>
> > >> >> Again I want to avoid inventing something new. What prior art
is
> out
> > >> there?
> > >> >>
> > >> >>
> > >> >>> On Jul 4, 2019, at 1:29 PM, Juan José Ramos <jramos@pivotal.io>
> > >> wrote:
> > >> >>>
> > >> >>> Hello all,
> > >> >>>
> > >> >>> If you haven't added my email to the spam folder already :-),
then
> > I'd
> > >> >> like
> > >> >>> to let you know that I've update again the *Proposal [1]*
and
> > >> >> incorporated
> > >> >>> most of the feedback provided, along with some additional
> > information
> > >> and
> > >> >>> context I missed on the previous versions, thanks all that
brought
> > >> >> concerns
> > >> >>> and suggestions to the discussion. Please take some time to
review
> > it
> > >> >>> thoroughly, adding comments and/or concerns *only on this
email
> > >> thread*,
> > >> >>> all feedback is more than welcome.
> > >> >>> If no major concerns arise before July 12th 2019, I'll go
ahead
> and
> > >> mark
> > >> >>> move the proposal to *Development* on July 13th.
> > >> >>> Best regards.
> > >> >>>
> > >> >>> [1]:
> > >> >>>
> > >> >>
> > >>
> >
> https://cwiki.apache.org/confluence/display/GEODE/OQL+Method+Invocation+Security
> > >> >>
> > >> >>
> > >> >
> > >> > --
> > >> > Juan José Ramos Cassella
> > >> > Senior Technical Support Engineer
> > >> > Email: jramos@pivotal.io
> > >> > Office#: +353 21 4238611
> > >> > Mobile#: +353 87 2074066
> > >> > After Hours Contact#: +1 877 477 2269
> > >> > Office Hours: Mon - Thu 08:30 - 17:00 GMT. Fri 08:30 - 16:00 GMT
> > >> > How to upload artifacts:
> > >> > https://support.pivotal.io/hc/en-us/articles/204369073
> > >> > How to escalate a ticket:
> > >> > https://support.pivotal.io/hc/en-us/articles/203809556
> > >> >
> > >> > [image: support] <https://support.pivotal.io/> [image: twitter]
> > >> > <https://twitter.com/pivotal> [image: linkedin]
> > >> > <https://www.linkedin.com/company/3048967> [image: facebook]
> > >> > <https://www.facebook.com/pivotalsoftware> [image: google plus]
> > >> > <https://plus.google.com/+Pivotal> [image: youtube]
> > >> > <
> > >>
> > https://www.youtube.com/playlist?list=PLAdzTan_eSPScpj2J50ErtzR9ANSzv3kl
> >
> > >>
> > >>
> > >
> > > --
> > > Juan José Ramos Cassella
> > > Senior Technical Support Engineer
> > > Email: jramos@pivotal.io
> > > Office#: +353 21 4238611
> > > Mobile#: +353 87 2074066
> > > After Hours Contact#: +1 877 477 2269
> > > Office Hours: Mon - Thu 08:30 - 17:00 GMT. Fri 08:30 - 16:00 GMT
> > > How to upload artifacts:
> > > https://support.pivotal.io/hc/en-us/articles/204369073
> > > How to escalate a ticket:
> > > https://support.pivotal.io/hc/en-us/articles/203809556
> > >
> > > [image: support] <https://support.pivotal.io/> [image: twitter]
> > > <https://twitter.com/pivotal> [image: linkedin]
> > > <https://www.linkedin.com/company/3048967> [image: facebook]
> > > <https://www.facebook.com/pivotalsoftware> [image: google plus]
> > > <https://plus.google.com/+Pivotal> [image: youtube]
> > > <
> > https://www.youtube.com/playlist?list=PLAdzTan_eSPScpj2J50ErtzR9ANSzv3kl
> >
> > >
> >
> >
> > --
> > Juan José Ramos Cassella
> > Senior Technical Support Engineer
> > Email: jramos@pivotal.io
> > Office#: +353 21 4238611
> > Mobile#: +353 87 2074066
> > After Hours Contact#: +1 877 477 2269
> > Office Hours: Mon - Thu 08:30 - 17:00 GMT. Fri 08:30 - 16:00 GMT
> > How to upload artifacts:
> > https://support.pivotal.io/hc/en-us/articles/204369073
> > How to escalate a ticket:
> > https://support.pivotal.io/hc/en-us/articles/203809556
> >
> > [image: support] <https://support.pivotal.io/> [image: twitter]
> > <https://twitter.com/pivotal> [image: linkedin]
> > <https://www.linkedin.com/company/3048967> [image: facebook]
> > <https://www.facebook.com/pivotalsoftware> [image: google plus]
> > <https://plus.google.com/+Pivotal> [image: youtube]
> > <
> https://www.youtube.com/playlist?list=PLAdzTan_eSPScpj2J50ErtzR9ANSzv3kl>
> >
>


-- 
Juan José Ramos Cassella
Senior Technical Support Engineer
Email: jramos@pivotal.io
Office#: +353 21 4238611
Mobile#: +353 87 2074066
After Hours Contact#: +1 877 477 2269
Office Hours: Mon - Thu 08:30 - 17:00 GMT. Fri 08:30 - 16:00 GMT
How to upload artifacts:
https://support.pivotal.io/hc/en-us/articles/204369073
How to escalate a ticket:
https://support.pivotal.io/hc/en-us/articles/203809556

[image: support] <https://support.pivotal.io/> [image: twitter]
<https://twitter.com/pivotal> [image: linkedin]
<https://www.linkedin.com/company/3048967> [image: facebook]
<https://www.facebook.com/pivotalsoftware> [image: google plus]
<https://plus.google.com/+Pivotal> [image: youtube]
<https://www.youtube.com/playlist?list=PLAdzTan_eSPScpj2J50ErtzR9ANSzv3kl>

Mime
  • Unnamed multipart/alternative (inline, None, 0 bytes)
View raw message