stanbol-dev mailing list archives

From Reto Bachmann-Gmür <r...@apache.org>
Subject Re: [POLL] make "-no-security" the default
Date Fri, 05 Apr 2013 20:36:10 GMT
Hi,

My question to Bertrand about which user questions indicated to him that
Stanbol is not working as well as it did is still open.

Rather than having a discussion based on assumptions I'd like to see a list
of the concrete issues so that we can evaluate:

- The effort of fixing the issues
- The possibility and effort needed for workarounds (as mentioned in the
answer to Rupert)
- The disadvantages for those requiring security if these issues aren't fixed
- The disadvantages for those not requiring security if these issues aren't
fixed

Based on that we can decide what to do. To be as speculative as this whole
discussion has been so far, if the effort invested in this thread had
been invested in fixing the issues we would have no open issue left.

Is there any concrete issue that remained open for so long that would
justify the radical step of disabling security altogether? I don't find any
in jira. You write that you see issues and they are not getting fixed. But
we have a process to raise issues and some polls based on diffuse claims are
not part of this process but imho a waste of energy.

Cheers,
Reto

On Fri, Apr 5, 2013 at 9:47 PM, Fabian Christ
<christ.fabian@googlemail.com> wrote:

> Hi,
>
> the reason why I agreed to have the security features enabled by
> default in the full launcher was because it is the "full" launcher
> that includes everything we have. So security should not be an
> exclusion.
>
> An important point in Stanbol is that we do not have something like
> "default". We can only discuss what is enabled in certain launcher
> configurations. But I see that users just take the full launcher - so
> that looks like the "default".
>
> I agree with Rupert that the security level was introduced without
> carefully foreseeing its consequences and ensuring that everything
> initially is working with security. Now we have a feature in the full
> launcher enabled that breaks some things. The hope was that the
> problems will get fixed over time but I do not see this happen at the
> moment. This is an open source project and we can not force people to
> fix their components because we have enabled security. This may be an
> indicator that people are not that interested in spending effort on
> this. No matter if they "should" do it because security is important
> to some.
>
> Rupert's suggestion to have security in the integration-tests but not
> enabled by default in the full launcher sounds reasonable to me. Once
> we have enough tests and ensured that security is supported well, we
> should switch back and have it activated by default in the full
> launcher. I assume that it will become easier to handle and
> configurable with ongoing development.
>
> My initial hope was to get better support for different launchers. We
> have worked on this but it is still an open point. We agreed that
> disabling security should be no problem by omitting the corresponding
> bundles in a launcher configuration. So if many people do not want
> security, we could offer another full launcher with no security or
> something like this. Another option would be to make it really easy
> for users to define their own launcher configuration and exclude what
> they do not want to have. That would be nice.
>
> Best,
>  - Fabian
>
> 2013/4/5 Reto Bachmann-Gmür <reto@apache.org>:
> > Hi Danny,
> >
> > What about having a big "disable security" button in the user manager
> > which would grey out everything (after a confirm dialog) but leave an
> > "enable security" button?
> >
> > Then we could add a command line option that would disable security at
> > start up.
> >
> > Technically "disabling security" would just add AllPermission to the
> > default role.
> >
> > I think this approach would be better because:
> > - it's easier to change the settings, even at runtime
> > - There isn't the possibility to manage users if this has no effect
> > anyway (as this would be greyed out and disabled)
> > - The same infrastructure and filters could be running with and without
> > security (as without security just means "everybody is root" - which
> > sounds frightening but that's intentional)
> >
> > Cheers,
> > Reto
> >
> >
> > On Fri, Apr 5, 2013 at 3:09 PM, Danny Ayers <danny.ayers@gmail.com> wrote:
> >
> >> Ok, personally I'd lean towards leaving security on by default, being
> >> general good practice. But I'm not so familiar with the typical
> >> applications as everyone else here, so don't take that view too
> >> strongly.
> >>
> >> But, just a thought: starting up usually needs quite a lengthy command,
> >> I for one have got it in a script for convenience.
> >>
> >> So why not offer a selection of startup scripts, something like:
> >>
> >> start.sh
> >> start.bat
> >> start-secure.sh
> >> start-secure.bat
> >> ...
> >>
> >> Cheers,
> >> Danny.
> >>
> >>
> >>
> >> On 5 April 2013 14:36, Rupert Westenthaler <rupert.westenthaler@gmail.com> wrote:
> >>
> >> > On Fri, Apr 5, 2013 at 2:17 PM, Reto Bachmann-Gmür <reto@wymiwyg.com>
> >> > wrote:
> >> > > Hi Rupert
> >> > >
> >> > >>
> >> > >> * Disabling Security as default: Stanbol is still not functioning
> >> > >> to 100% if the Security-Manager is enabled hence IMHO deactivating
> >> > >> this feature is the logical consequence.
> >> > >>
> >> > >
> >> > > You're referring to the situation when stanbol is started without
> >> > > the "-no-security" argument but without the authentication bundles?
> >> > >
> >> >
> >> > Including the Security Modules, but with -no-security as default
> >> > (basically by adding an option -enable-security)
> >> >
> >> >
> >> > > What's not functioning?
> >> > >
> >> > > *Want To Fix*
> >> >
> >> > The dev.iks-project.eu server was running for some time with security
> >> > enabled. From what I can remember all Engines for remote services
> >> > were failing because they were not allowed to connect to those hosts
> >> > - Zemanta, Calai, Celi, Spotlight. I would also expect the
> >> > FileContentItem implementation (enhancer.core) to fail creating the
> >> > temporary files. The EntityDereferencer and EntitySearcher
> >> > implementation of the Entityhub for SPARQL and CoolURI
> >> > (entityhub.site.linkeddata). But there might be additional ones -
> >> > especially from other Stanbol Components (e.g. the CMS Adapter might
> >> > be affected)
> >> >
> >> > best
> >> > Rupert
> >> >
> >> > >
> >> > > Reto
> >> >
> >> >
> >> >
> >> > --
> >> > | Rupert Westenthaler             rupert.westenthaler@gmail.com
> >> > | Bodenlehenstraße 11                             ++43-699-11108907
> >> > | A-5500 Bischofshofen
> >> >
> >>
> >>
> >>
> >> --
> >> http://dannyayers.com
> >>
> >> http://webbeep.it  - text to tones and back again
> >>
>
>
>
> --
> Fabian
> http://twitter.com/fctwitt
>
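
The difference between "AllPermission on the default role" and a grant that covers only the failures listed in the thread (remote connections, temporary files) can be seen with the plain `java.security` permission classes. This is an added illustration, not part of the thread and not Stanbol's own code; the class name, addresses and paths are constructed, Unix-style paths are assumed, and it only evaluates `implies()` rather than installing a security manager.

```java
import java.io.FilePermission;
import java.net.SocketPermission;
import java.security.AllPermission;
import java.security.Permission;
import java.security.Permissions;

public class DefaultRoleGrant {
    // Constructed requests modelled on the failures listed in the thread:
    // an engine calling a remote service and a component writing a temp file.
    // Address literals (documentation ranges) keep implies() from doing DNS lookups.
    static final Permission[] REQUESTS = {
        new SocketPermission("192.0.2.10:443", "connect"),
        new SocketPermission("198.51.100.7:443", "connect"),
        new FilePermission("/tmp/stanbol-example/item.tmp", "read,write,delete"),
        new FilePermission("/etc/passwd", "read"),
        new RuntimePermission("setSecurityManager"),
    };

    // Least-privilege grant: one remote endpoint and one temp directory.
    static Permissions narrowGrant() {
        Permissions p = new Permissions();
        p.add(new SocketPermission("192.0.2.10:443", "connect,resolve"));
        p.add(new FilePermission("/tmp/stanbol-example/-", "read,write,delete"));
        return p;
    }

    // The "disable security" variant: AllPermission implies every request.
    static Permissions allGrant() {
        Permissions p = new Permissions();
        p.add(new AllPermission());
        return p;
    }

    static void report(String label, Permissions granted) {
        System.out.println(label);
        for (Permission request : REQUESTS) {
            String verdict = granted.implies(request) ? "ALLOW" : "DENY ";
            System.out.println("  " + verdict + " " + request);
        }
    }

    public static void main(String[] args) {
        report("empty grant (nothing configured)", new Permissions());
        report("narrow grant", narrowGrant());
        report("AllPermission on the default role", allGrant());
    }
}
```

The narrow grant allows only the first socket request and the temp-file request; the `AllPermission` grant allows all five, including `setSecurityManager`.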
