geronimo-dev mailing list archives

From "Erik B. Craig" <>
Subject Re: GBean permissions: how important are they?
Date Fri, 08 Feb 2008 16:51:29 GMT

I do agree with you that there should be a mechanism to enforce GBean  
permissions, but I'm not entirely sure how prevalent the desire for  
'shared hosting' on Geronimo really is, but this might be a direct  
result of the problem at hand. I think it is true that for a JEE app  
server, real world paid hosting services would often be either a  
dedicated machine or at least a virtualized instance.

I also think that Geronimo would mostly be used in a true 'shared  
hosting' (multiple clients' information deployed under one instance)  
environment only when being managed by the hosting company, so as to  
not necessitate giving the client any abilities to muck with the  
server via admin console or other means... in this case a solid GBean  
security mechanism would be critical.

Other than this, as far as hosts are concerned, what they might  
consider to be a 'shared hosting' configuration of Geronimo may be  
simply multiple instances/VMs bound to different IP addresses sharing  
hardware and giving clients administrative access to their own  
instance of Geronimo.

Erik B. Craig

On Feb 8, 2008, at 3:43 AM, Vamsavardhana Reddy wrote:

> I have always felt that Geronimo won't be suitable for a hosting  
> kind of environment where applications owned by unrelated parties  
> may be hosted on the same server (does such a thing happen in  
> reality?).  Irrespective of this, GBean permissions appear to be  
> something we can consider to have.  The following is an excerpt from  
> a private conversation I had with David Jencks on IRC.  Read on...
> vamsic007: The usability of Geronimo in a hosting kind of  
> environment has always bothered me.
> djencks  : how?
> vamsic007: Any application running in G can get hold of any other  
> application-related GBeans and do whatever
> vamsic007: Any app can stop any configuration it wishes to
> djencks  : realistically does anyone run apps from unrelated people  
> on the same server?
> vamsic007: won't that be the situation in a hosting environment?
> djencks  : I don't know
> djencks  : I would expect if I rent server space I'd probably get my  
> own vm
> djencks  : but I'm not a hosting company
> vamsic007: hmm...
> vamsic007: will have to find out if my concern is genuine or I am  
> worried unnecessarily.
> vamsic007: I always thought that we should have a mechanism to  
> enforce GBean permissions.
> djencks  : I can see several places gbean permissions could work
> djencks  : 1. getting gbean from kernel. This is pretty non-intrusive
> djencks  : 2. actually calling operations/accessing attributes on a  
> gbean. I think this would require putting proxies back in
> djencks  : there's also a bootstrap question of what enforces the  
> permissions until the jacc system is operational
> djencks  : since e.g datasources bound in jndi end up calling a  
> gbean operation to get the datasource, this would have a lot of  
> intersection with the normal server operations
> vamsic007: Maybe I will initiate a discussion on this on  
> private@geronimo to get others' inputs too. I do not want to go on  
> dev-list coz it is related to security and do not want to make the  
> users feel insecure unnecessarily.
> djencks  : I'd prefer to talk about it on dev, I think we could use  
> all the input we can get.
> vamsic007: thanks David.
> Comments?  Suggestions?  Am I worried unnecessarily?  Are GBean  
> permissions something that we should consider?
> Thank you.
> ++Vamsi
