[
https://issues.apache.org/jira/browse/BROOKLYN-51?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14126774#comment-14126774
]
ASF GitHub Bot commented on BROOKLYN-51:
----------------------------------------
Github user aledsage commented on a diff in the pull request:
https://github.com/apache/incubator-brooklyn/pull/154#discussion_r17289211
--- Diff:
usage/launcher/src/main/java/brooklyn/launcher/BrooklynLauncher.java ---
@@ -595,16 +597,18 @@ private void handleSubsystemStartupError(boolean
ignoreSuchErrors, String system
}
protected void startWebApps() {
- if (BrooklynWebConfig.hasNoSecurityOptions(brooklynProperties)) {
- if (bindAddress==null) {
- LOG.info("Starting brooklyn web-console on loopback
interface because no security config is set");
- bindAddress = Networking.LOOPBACK;
- }
- if (skipSecurityFilter==null) {
- LOG.debug("Starting brooklyn web-console without security
because we are loopback and no security is set");
- skipSecurityFilter = true;
- }
+ // No security options in properties and no command line options
overriding.
+ if (Boolean.TRUE.equals(skipSecurityFilter) && bindAddress ==
null) {
+ LOG.info("Starting Brooklyn web-console on loopback because
security is explicitly disabled and no bind address was given");
+ bindAddress = Networking.LOOPBACK;
+ } else if
(BrooklynWebConfig.hasNoSecurityOptions(brooklynProperties) && bindAddress ==
null) {
+ LOG.info("Starting Brooklyn web-console with passwordless
access on localhost and protected access from other interfaces");
+ bindAddress = Networking.ANY_NIC;
+ brooklynProperties.put(
+ BrooklynWebConfig.SECURITY_PROVIDER_CLASSNAME,
+
BrooklynUserWithRandomPasswordSecurityProvider.class.getName());
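Review bot: In the `else if` branch, the `bindAddress == null` guard means a launch with no security options in the properties but an explicit bind address falls through both branches, so `BrooklynUserWithRandomPasswordSecurityProvider` is not installed here. The removed code set `skipSecurityFilter = true` for that case, and the visible lines do not show what now protects a console bound to a caller-supplied address. Consider making the provider choice independent of whether a bind address was given, keeping the `bindAddress == null` test only for the `bindAddress = Networking.ANY_NIC` default, or add a comment stating which provider applies on that path. Separately, the new comment "No security options in properties and no command line options overriding." sits above the `Boolean.TRUE.equals(skipSecurityFilter)` branch but describes the `else if`; move it down to the branch it documents.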
--- End diff --
I think this is right, but just wanted to raise a question... with
`ExplicitUsersSecurityProvider.authenticate` it will look up the
users+passwords from brooklyn properties, so a properties-reload will affect
subsequent authenticate attempts (but not existing sessions). However, if we've
set it to use `BrooklynUserWithRandomPasswordSecurityProvider` then the
properties-reload to add explicit users + passwords will have no effect. I
think that's fine as we've logged to tell the person starting brooklyn, so they
can restart if desired.
> Remote access without configuring a username and password
> ---------------------------------------------------------
>
> Key: BROOKLYN-51
> URL: https://issues.apache.org/jira/browse/BROOKLYN-51
> Project: Brooklyn
> Issue Type: Sub-task
> Affects Versions: 0.7.0-M1
> Reporter: Richard Downer
> Assignee: Sam Corbett
> Fix For: 0.7.0
>
>
> By default, if Brooklyn is not configured with a username+password in
> brooklyn.properties, Brooklyn will *only* bind to the localhost interface,
> refusing connections from the network.
> To ease first time users starting Brooklyn on a server, change Brooklyn to:
> 1. Always bind on all interfaces;
> 2. If no username and password is configured, generate one randomly and print
> the details to the console
> 3. Additionally, if no username and password is configured, continue to allow
> passwordless logins on the localhost interface.