www-infrastructure-dev mailing list archives
From Upayavira ...@odoko.co.uk>
Subject Re: Asylum v2
Date Fri, 23 Jul 2010 08:45:53 GMT
Interesting idea. One thought though. If we have two sets of audiences
(members and committers) we'll probably want two jails.

If I'm a committer, and I set up a webapp, I'll get ssh onto the asylum
box. A simple netstat command would tell me what apps are running on
what ports. A simple ssh tunnel would allow me to connect to those apps
without worrying about authentication.

If we put them into separate jails, we could get around this. Or do you
see another way?

Upayavira


On Thu, 2010-07-22 at 23:35 -0700, Paul Querna wrote: 
> Goal: Enable 'random' committers and members to more easily create
> authenticated web applications for use by other members and
> committers.
> 
> Recently we have had a few requests from ASF members to have an easy
> way to expose a web application for others -- the whole web based
> voting experience seems to have created some yearning for more
> infrastructure features.
> 
> The Setup
> 
> Running inside a jail is the Asylum webserver, just a standard Apache
> 2.2 configured as a reverse proxy.  It would require authentication
> against LDAP for /, any committer could access that base path.
> /members/ would require the user to be part of the members group.
> 
> The frontend webserver would reverse proxy to web applications running
> on localhost.  It would pass through several X- headers to let
> applications customize themselves:
>   X-ASF-Username: pquerna
>   X-Forwarded-For: 1.2.3.4
> 
> Any HTTP authorization headers however will be stripped, so that the
> backend web applications have no access to user passwords.
> 
> Any committer wanting to run a webapp would open an INFRA Jira issue,
> with an application name, and whether it was for all committers or
> members only.  Infra would create them a non-root, no sudo account on
> the asylum for them.  They would be assigned a TCP port on localhost
> to run their web application, and their application with a one line
> description will be added to the index.html page.
> 
> The footer of all HTML pages from a users webapp, would be appended
> with <h1>This webapp is maintained by username@apache.org</h1>.  This
> would be done via an Apache Module.  If the User's webapp was not
> responding, the 5xx error page would also reference their
> username, rather than infrastructure for support questions.
> 
> Infrastructure team will only provide support for the frontend proxy
> server, individual webapps are supported by whomever requested them.
> 
> If an application proves to be popular, and there is agreement to
> 'productionize it', it must be properly documented so infrastructure
> can run it somewhere else -- but let's just get this running first.
> 
> Resources needed:
>  - Jail to get started
>  - Access to LDAP
>  - existing ssl cert
> 
> Thoughts?
> 
> Thanks,
> 
> Paul
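
As an added example, not part of Paul's proposal or of any actual ASF infrastructure configuration, here is how the frontend Asylum proxy he describes could be written as an Apache 2.2 httpd configuration: LDAP login for everything under /, an additional group check for /members/, the authenticated uid passed to backends as X-ASF-Username, the Authorization header stripped so backends never see passwords, and one ProxyPass per application on a localhost port. The hostname, LDAP URL, group DN, application paths and ports 8081/8082 are placeholders I chose; the mod_rewrite look-ahead is the usual 2.2-era workaround for RequestHeader not being able to read REMOTE_USER directly.

```apache
# Added example: Asylum frontend proxy as an Apache 2.2 config.
# Every hostname, DN, path and port below is an assumed placeholder.
LoadModule ldap_module          modules/mod_ldap.so
LoadModule authnz_ldap_module   modules/mod_authnz_ldap.so
LoadModule proxy_module         modules/mod_proxy.so
LoadModule proxy_http_module    modules/mod_proxy_http.so
LoadModule headers_module       modules/mod_headers.so
LoadModule rewrite_module       modules/mod_rewrite.so
LoadModule ssl_module           modules/mod_ssl.so

<VirtualHost *:443>
    ServerName asylum.example.org
    SSLEngine on
    SSLCertificateFile    /etc/ssl/asylum.crt
    SSLCertificateKeyFile /etc/ssl/asylum.key

    # Only the explicit ProxyPass targets below are ever contacted.
    ProxyRequests Off
    ProxyPreserveHost Off

    # Base path: any valid LDAP account (i.e. any committer) may enter.
    <Location />
        AuthType Basic
        AuthName "ASF committers"
        AuthBasicProvider ldap
        AuthLDAPURL "ldaps://ldap.example.org/ou=people,dc=apache,dc=org?uid?sub?(objectClass=person)"
        AuthzLDAPAuthoritative On
        Require valid-user
    </Location>

    # /members/ additionally requires membership in the members group.
    <Location /members/>
        AuthLDAPGroupAttribute memberUid
        AuthLDAPGroupAttributeIsDN Off
        Require ldap-group cn=member,ou=groups,dc=apache,dc=org
    </Location>

    # Hand the authenticated uid to the backend and drop the credential.
    # 2.2's RequestHeader cannot read REMOTE_USER itself, so a mod_rewrite
    # look-ahead (LA-U) copies it into an environment variable first.
    RewriteEngine On
    RewriteCond %{LA-U:REMOTE_USER} (.+)
    RewriteRule .* - [E=ASF_USER:%1]
    RequestHeader set   X-ASF-Username %{ASF_USER}e
    RequestHeader unset Authorization
    # mod_proxy_http appends X-Forwarded-For on its own.

    # One committer app per assigned localhost port, one ProxyPass each.
    ProxyPass        /voter/          http://127.0.0.1:8081/
    ProxyPassReverse /voter/          http://127.0.0.1:8081/
    ProxyPass        /members/roster/ http://127.0.0.1:8082/
    ProxyPassReverse /members/roster/ http://127.0.0.1:8082/
</VirtualHost>
```

Note what this fragment does not cover: it enforces authentication only on the path through the proxy. A shell account on the same host can still connect to 127.0.0.1:8081 directly (or tunnel it out with `ssh -L`) and supply any X-ASF-Username it likes, which is the gap Upayavira's reply is pointing at; the footer-appending module and per-user 5xx pages from the proposal are also outside this fragment.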


