geronimo-dev mailing list archives

From Donald Woods <dwo...@apache.org>
Subject Re: GBean permissions: how important are they?
Date Fri, 08 Feb 2008 13:22:47 GMT
Wouldn't we steer hosting providers towards multiple server instances 
instead, since each user/customer would want access to the Admin Console 
and deployer?

The only similarity I could come up with is that there are some providers 
offering shared Tomcat hosting, where they front-end Tomcat with Apache 
HTTP Server or another solution to proxy the web context into what you 
want. They offer their own front-end for uploading your web app, so the 
user never has admin access to Tomcat.  But for a Java EE server, I'm not 
aware of any such hosting of shared app servers.

Seems that for now, multiple server instances each with its own repo 
would be a viable solution.  If we have hosting providers interested in 
sharing a single instance between customers, then we need them to chime 
in on the user/dev list with their requirements and scenarios.

I could see where requiring admin credentials to access the kernel and 
other GBeans would be a welcome solution for even some enterprise 
users, but we really need to hear from our users on this....


-Donald

Vamsavardhana Reddy wrote:
> I have always felt that Geronimo won't be suitable for a hosting kind of 
> environment where applications owned by unrelated parties may be hosted 
> on the same server (does such a thing happen in reality?).  Irrespective 
> of this, GBean permissions appear to be something we can consider 
> having.  The following is an excerpt from a private conversation I had 
> with David Jencks on IRC.  Read on...
> 
> *vamsic007:* The usability of Geronimo in a hosting kind of environment 
> has always bothered me.
> *djencks  :* how?
> *vamsic007:* Any application running in G can get hold of any other 
> application related GBeans and do whatever
> *vamsic007:* Any app can stop any configuration it wishes to
> *djencks  :* realistically does anyone run apps from unrelated people on 
> the same server?
> *vamsic007:* won't that be the situation in a hosting environment?
> *djencks  :* I don't know
> *djencks  :* I would expect if I rent server space I'd probably get my 
> own vm
> *djencks  :* but I'm not a hosting company
> *vamsic007:* hmm...
> *vamsic007:* will have to find out if my concern is genuine or I am 
> worried unnecessarily.
> *vamsic007:* I always thought that we should have a mechanism to enforce 
> GBean permissions.
> *djencks  :* I can see several places gbean permissions could work
> *djencks  :* 1. getting gbean from kernel. This is pretty non-intrusive
> *djencks  :* 2. actually calling operations/accessing attributes on a 
> gbean. I think this would require putting proxies back in
> *djencks  :* there's also a bootstrap question of what enforces the 
> permissions until the jacc system is operational
> *djencks  :* since e.g. datasources bound in jndi end up calling a gbean 
> operation to get the datasource, this would have a lot of intersection 
> with the normal server operations
> *vamsic007:* Maybe I will initiate a discussion on this on 
> private@geronimo to get others' input too. I do not want to go on 
> dev-list coz it is related to security and do not want to make the users 
> feel insecure unnecessarily.
> *djencks  :* I'd prefer to talk about it on dev, I think we could use 
> all the input we can get.
> *vamsic007:* thanks David.
> 
> Comments?  Suggestions?  Am I worried unnecessarily?  Are GBean 
> permissions something that we should consider?
> 
> Thank you.
> 
> ++Vamsi
> 
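
An added sketch, not part of the original thread and not Geronimo code, of the two enforcement points listed in the quoted IRC excerpt: a permission check when a GBean is fetched from the kernel, and a proxy that checks each operation. `GuardedKernel`, `GBeanPermission`, `DataSourceGBean`, the permission naming scheme, and passing the caller's `Permissions` explicitly (rather than resolving them through JACC) are all assumptions made for illustration.

```java
import java.lang.reflect.Proxy;
import java.security.BasicPermission;
import java.security.Permissions;
import java.util.HashMap;
import java.util.Map;

// Hypothetical sketch: none of these types are Geronimo's own kernel API.
public class GBeanPermissionSketch {
    // Name is "<gbean>" for lookup or "<gbean>.<operation>" for a call; BasicPermission adds ".*" wildcards.
    static final class GBeanPermission extends BasicPermission {
        GBeanPermission(String name) { super(name); }
    }
    interface DataSourceGBean { String getConnection(); void stop(); }

    static final class GuardedKernel {
        private final Map<String, Object> gbeans = new HashMap<>();
        void register(String name, Object gbean) { gbeans.put(name, gbean); }

        // Enforcement point 1: check on lookup. Enforcement point 2: return a proxy that checks every call.
        <T> T getGBean(String name, Class<T> type, Permissions caller) {
            require(caller, name);
            Object target = gbeans.get(name);
            Object proxy = Proxy.newProxyInstance(type.getClassLoader(), new Class<?>[] {type},
                (p, method, args) -> {
                    require(caller, name + "." + method.getName());
                    return method.invoke(target, args);
                });
            return type.cast(proxy);
        }
        private static void require(Permissions caller, String permName) {
            if (!caller.implies(new GBeanPermission(permName))) {
                throw new SecurityException("denied: " + permName);
            }
        }
    }

    public static void main(String[] args) {
        GuardedKernel kernel = new GuardedKernel();
        kernel.register("appA/ds", new DataSourceGBean() {
            public String getConnection() { return "connection"; }
            public void stop() { }
        });
        Permissions appA = new Permissions();  // constructed grant set for a hypothetical application A
        appA.add(new GBeanPermission("appA/ds"));
        appA.add(new GBeanPermission("appA/ds.getConnection"));
        DataSourceGBean ds = kernel.getGBean("appA/ds", DataSourceGBean.class, appA);
        System.out.println(ds.getConnection());  // granted operation goes through
        try { ds.stop(); } catch (SecurityException e) { System.out.println(e.getMessage()); }
    }
}
```

Because every call goes through the proxy, routine server paths such as a JNDI-bound datasource lookup would also pay for a permission check, which is the intersection with normal operations raised in the excerpt.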
