Return-Path: X-Original-To: apmail-tomcat-users-archive@www.apache.org Delivered-To: apmail-tomcat-users-archive@www.apache.org Received: from mail.apache.org (hermes.apache.org [140.211.11.3]) by minotaur.apache.org (Postfix) with SMTP id BEC739F27 for ; Fri, 8 Jun 2012 11:07:10 +0000 (UTC) Received: (qmail 44472 invoked by uid 500); 8 Jun 2012 11:07:07 -0000 Delivered-To: apmail-tomcat-users-archive@tomcat.apache.org Received: (qmail 44347 invoked by uid 500); 8 Jun 2012 11:07:06 -0000 Mailing-List: contact users-help@tomcat.apache.org; run by ezmlm Precedence: bulk List-Help: List-Unsubscribe: List-Post: List-Id: Reply-To: "Tomcat Users List" Delivered-To: mailing list users@tomcat.apache.org Received: (qmail 44315 invoked by uid 99); 8 Jun 2012 11:07:05 -0000 Received: from athena.apache.org (HELO athena.apache.org) (140.211.11.136) by apache.org (qpsmtpd/0.29) with ESMTP; Fri, 08 Jun 2012 11:07:05 +0000 X-ASF-Spam-Status: No, hits=-0.7 required=5.0 tests=RCVD_IN_DNSWL_LOW,SPF_PASS X-Spam-Check-By: apache.org Received-SPF: pass (athena.apache.org: domain of knst.kolinko@gmail.com designates 209.85.210.45 as permitted sender) Received: from [209.85.210.45] (HELO mail-pz0-f45.google.com) (209.85.210.45) by apache.org (qpsmtpd/0.29) with ESMTP; Fri, 08 Jun 2012 11:07:00 +0000 Received: by dadv2 with SMTP id v2so2558296dad.18 for ; Fri, 08 Jun 2012 04:06:40 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :content-type:content-transfer-encoding; bh=uFDgej9Y3RDLO6xvCuJHAO1esfq3IQV/CgF/TsPI6Z8=; b=Q13Yr1Ccb/Bi/jw5p5KO5vNj5OCyVziVXaqqotNkITnkzmanaMMA6P0F6XEelw/lVE xTyeOSJUQUt8j7xprl53FxgKWsKc+fIbi5XwR/ZrUF1fII0GUHt+YMVdLo2utieZeZLL Qip2TsgV5vUS0brHWYRnunL3nGoBBjv7bewXTyd749OAFM1lGOXjQZYZx+XLg5gYe12/ YsgZleinj8X8maY7ru19adzYk44NipQWJhPLOhxWtZucZGlNF6EoDvJSK+K2+VKk+MZv AN/q/f3sTerevV25L0acaPkVPAUkI6opzYMQzWWpXcsytkOXVTRwsXncP86b36LUJ2Tm YS7A== MIME-Version: 1.0 Received: by 10.68.225.6 with SMTP id rg6mr19366221pbc.100.1339153600213; Fri, 08 Jun 2012 04:06:40 -0700 (PDT) Received: by 10.68.72.130 with HTTP; Fri, 8 Jun 2012 04:06:40 -0700 (PDT) In-Reply-To: <4FD0F4CC.6050202@christopherschultz.net> References: <4FD0F4CC.6050202@christopherschultz.net> Date: Fri, 8 Jun 2012 15:06:40 +0400 Message-ID: Subject: Re: [POLL] Finer-grained "manager" user-access privileges? From: Konstantin Kolinko To: Tomcat Users List Content-Type: text/plain; charset=ISO-8859-1 Content-Transfer-Encoding: quoted-printable X-Virus-Checked: Checked by ClamAV on apache.org 2012/6/7 Christopher Schultz : > > I was just answering a question on StackOverflow[1] about limiting the > operations a particular user could perform when using the manager app > (e.g. deploy, undeploy, start, stop, etc.). > > It seems to me that this has come up on the users' list once or twice > in the past, and it wouldn't be a big deal to support this kind of > thing right out of the box by just defining a number of additional > roles such as: > > =A0 manager-gui-deploy > =A0 manager-gui-undeploy > =A0 manager-gui-start > =A0 etc. > > Is there any interest in doing something like this? My general feeling > is that manager access should either be allowed read-only (which is > covered by the "manager-status" role) or full read/write (which is > covered by the "manager-gui" and "manager-sript" roles) because hey, > you should trust your managers or fire them ;) > > On the other hand, if there is significant interest in this kind of > thing, we should support it out of the box. > > > [1] > http://stackoverflow.com/questions/10909471/tomcat-web-application-manage= r-is-it-possible-to-limit-what-each-user-role-can/10937606#10937606 > I have several ideas where more fine-grained control would be useful. But all of them cannot be solved with configuration alone and need some checks in Java. I do not like to go there. Specifically I do not like hard-coding role names into code. I think there could be some helper component that could help in access checks. (To be discussed separately). It will need some model to map access checks to roles. What should we do with "list applications" page? Should it filter itself and hide unaccessible actions? I think that is what will be asked next. Overall, more complexity in configuration -> harder to manage and audit. There is such motto as KISS (keep it simple). The current separation of roles was introduced to split human-friendly UI (protected from CSRF) and other interfaces (which cannot be protected). Essentially it is the same as the "allow all" role of "manager" that we had until recently. If there is a way to implement your feature in a simple and transparent way, I would not mind it. But I do not see such a way. If one has specific requirements, to allow only some specific actions to "un-trusted" users, the current way is to implement a custom web application. Best regards, Konstantin Kolinko --------------------------------------------------------------------- To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org For additional commands, e-mail: users-help@tomcat.apache.org