Vamsi,
I do agree with you that there should be a mechanism to enforce GBean
permissions, but I'm not entirely sure how prevalent the desire for
'shared hosting' on Geronimo really is, but this might be a direct
result of the problem at hand. I think it is true that for a JEE app
server, real world paid hosting services would often be either a
dedicated machine or at least a virtualized instance.
I also thing that Geronimo would mostly be used in a true 'shared
hosting' (multiple clients information deployed under one instance)
environment only when being managed by the hosting company, so as to
not necessitate giving the client any abilities to muck with the
server via admin console or other means... in this case a solid GBean
security mechanism would be critical.
Other than this, as far as hosts are concerned, what they might
consider to be a 'shared hosting' configuration of Geronimo may be
simply multiple instances/VMs bound to different IP addresses sharing
hardware and giving clients administrative access to their own
instance of Geronimo.
Thanks,
Erik B. Craig
[EMAIL PROTECTED]
On Feb 8, 2008, at 3:43 AM, Vamsavardhana Reddy wrote:
I have always felt that Geronimo won't be suitable for a hosting
kind of environment where applications owned by unrelated parties
may be hosted on the same server (does such a thing happen in
reality?). Irrespective of this, GBeans permissions appears to be
something we can consider to have. The following is an excerpt from
a private conversation I had with David Jencks on IRC. Read on...
vamsic007: The usability of Geronimo in a hosting kind of
environment has always bothered me.
djencks : how?
vamsic007: Any application running in G can get hold of any other
application related GBeans and do what ever
vamsic007: Any app can stop any configuration it wishes to
djencks : realistically does anyone run apps from unrelated people
on the same server?
vamsic007: won't that be the situation in a hosting environment?
djencks : I don't know
djencks : I would expect if I rent server space I'd probably get my
own vm
djencks : but I'm not a hosting company
vamsic007: hmm...
vamsic007: will have to find out if my concern is genuine or I am
worried unnecessarily.
vamsic007: I always thought that we should have a mechanism to
enforce GBean permissions.
djencks : I can see several places gbean permissions could work
djencks : 1. getting gbean from kernel. This is pretty non-intrusive
djencks : 2. actually calling operations/accessing attributes on a
gbean. I think this would require putting proxies back in
djencks : there's also a bootstrap question of what enforces the
permissions until the jacc system is operational
djencks : since e.g datasources bound in jndi end up calling a
gbean operation to get the datasource, this would have a lot of
intersection with the normal server operations
vamsic007: May be I will initiate a discussion on this on
[EMAIL PROTECTED] to get others inputs too. I do not want to go on
dev-list coz it is related to security and do not want to make the
users feel insecure unnecessarily.
djencks : I'd prefer to talk about it on dev, I think we could use
all the input we can get.
vamsic007: thanks David.
Comments? Suggestions? Am I worried unnecessarily? Are GBean
permissions something that we should consider?
Thank you.
++Vamsi
