rmannibucau commented on issue #4: Accepted hosts ip range URL: https://github.com/apache/geronimo-metrics/pull/4#issuecomment-592204867 Second range not sure but last two yes. Main issue is to ensure it is not just becoming a wildcard which break all security mecanism. Im not an expert but thought cidr was related to subnet masks so opening the door to foebidden calls (typically only prometheus should be able to call and not other services of the sqme network). Using a custom impl was really the way to enable that network security but clean security setup was to use a real authentication - even just adding tomcat basic auth using a tomcat-users.xml and configuring geronimo-metrics roles. What I mean is we shouldnt enble to relax too much the enforcement at network level. Localhost relaxing is ok cause you have access to the binaries anyway, others assume env setup. So here what I'd do: 1. Document how to override the validator if not clear enough (i can take this point) 2. Potentially add a cdi event to plug a custom decider trivially if present (would enable you to plug any impl you want) - i cna do it too if needed 3. Maybe try role based security (works not bad with prometheus and avoids any network whitelisting) 4. If none works, use a range support forcing explicit ip but not just submasks which are almost wildcards and often leaks foebidden hosts Hope it makes sense, wdyt?
---------------------------------------------------------------- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. For queries about this service, please contact Infrastructure at: [email protected] With regards, Apache Git Services
