Re: GBean permissions: how important are they?

2008-02-08 Thread Vamsavardhana Reddy
Looks like there is also a JIRA
https://issues.apache.org/jira/browse/GERONIMO-1487 created a long time ago!!


On Feb 8, 2008 3:13 PM, Vamsavardhana Reddy [EMAIL PROTECTED] wrote:





GBean permissions: how important are they?

2008-02-08 Thread Vamsavardhana Reddy
I have always felt that Geronimo won't be suitable for a hosting kind of
environment where applications owned by unrelated parties may be hosted on
the same server (does such a thing happen in reality?).  Irrespective of
this, GBean permissions appear to be something we can consider to have.
The following is an excerpt from a private conversation I had with David
Jencks on IRC.  Read on...

*vamsic007:* The usability of Geronimo in a hosting kind of environment has
always bothered me.
*djencks  :* how?
*vamsic007:* Any application running in G can get hold of any other
application-related GBeans and do whatever
*vamsic007:* Any app can stop any configuration it wishes to
*djencks  :* realistically does anyone run apps from unrelated people on the
same server?
*vamsic007:* won't that be the situation in a hosting environment?
*djencks  :* I don't know
*djencks  :* I would expect if I rent server space I'd probably get my own
vm
*djencks  :* but I'm not a hosting company
*vamsic007:* hmm...
*vamsic007:* will have to find out if my concern is genuine or I am worried
unnecessarily.
*vamsic007:* I always thought that we should have a mechanism to enforce
GBean permissions.
*djencks  :* I can see several places gbean permissions could work
*djencks  :* 1. getting gbean from kernel. This is pretty non-intrusive
*djencks  :* 2. actually calling operations/accessing attributes on a gbean.
I think this would require putting proxies back in
*djencks  :* there's also a bootstrap question of what enforces the
permissions until the jacc system is operational
*djencks  :* since e.g datasources bound in jndi end up calling a gbean
operation to get the datasource, this would have a lot of intersection with
the normal server operations
*vamsic007:* Maybe I will initiate a discussion on this on
[EMAIL PROTECTED] to get others' inputs too. I do not want to go on
dev-list coz it is related
to security and do not want to make the users feel insecure unnecessarily.
*djencks  :* I'd prefer to talk about it on dev, I think we could use all
the input we can get.
*vamsic007:* thanks David.

Comments?  Suggestions?  Am I worried unnecessarily?  Are GBean permissions
something that we should consider?

Thank you.

++Vamsi
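The two enforcement points David lists in the excerpt above (checking the lookup of a GBean from the kernel, and checking each operation by handing out a proxy instead of the raw GBean) can be sketched in a few dozen lines. The following is an added illustration, not Geronimo code: `SimpleKernel`, `GBeanPolicy`, `GBeanAccessDenied`, the `Configuration` interface and the `appA`/`appB` names are all invented for the example, and the caller identity is passed in explicitly rather than derived from the deployment that owns the calling code.

```java
import java.lang.reflect.InvocationHandler;
import java.lang.reflect.InvocationTargetException;
import java.lang.reflect.Proxy;
import java.util.Arrays;
import java.util.Collections;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Map;
import java.util.Set;

/** Illustrative sketch only; none of these classes exist in Geronimo. */
public class GBeanPermissionSketch {

    /** Stand-in for a configuration GBean: the thing any app could otherwise stop. */
    public interface Configuration {
        String getName();
        boolean isRunning();
        void stop();
    }

    static final class ConfigurationGBean implements Configuration {
        private final String name;
        private boolean running = true;
        ConfigurationGBean(String name) { this.name = name; }
        public String getName() { return name; }
        public boolean isRunning() { return running; }
        public void stop() { running = false; }
    }

    /** Raised when the calling application holds no grant for the gbean/action pair. */
    public static final class GBeanAccessDenied extends RuntimeException {
        GBeanAccessDenied(String caller, String gbean, String action) {
            super(caller + " is not permitted to '" + action + "' on " + gbean);
        }
    }

    /** Policy table: caller -> gbean name -> allowed actions ("lookup", a method name, or "*"). */
    static final class GBeanPolicy {
        private final Map<String, Map<String, Set<String>>> grants = new HashMap<>();

        GBeanPolicy grant(String caller, String gbean, String... actions) {
            grants.computeIfAbsent(caller, k -> new HashMap<>())
                  .computeIfAbsent(gbean, k -> new HashSet<>())
                  .addAll(Arrays.asList(actions));
            return this;
        }

        boolean implies(String caller, String gbean, String action) {
            Set<String> allowed = grants.getOrDefault(caller, Collections.emptyMap()).get(gbean);
            // No explicit grant: an application is trusted only with its own gbeans
            // (assumed naming convention "<owningApp>/<gbean>").
            if (allowed == null) return gbean.startsWith(caller + "/");
            return allowed.contains("*") || allowed.contains(action);
        }
    }

    /** Minimal kernel: a registry plus the two checks. */
    static final class SimpleKernel {
        private final Map<String, Object> registry = new HashMap<>();
        private final GBeanPolicy policy;
        SimpleKernel(GBeanPolicy policy) { this.policy = policy; }

        void register(String name, Object gbean) { registry.put(name, gbean); }

        <T> T getGBean(String caller, String name, Class<T> iface) {
            // Enforcement point 1: the lookup itself.
            if (!policy.implies(caller, name, "lookup")) throw new GBeanAccessDenied(caller, name, "lookup");
            Object target = registry.get(name);
            if (target == null) throw new IllegalArgumentException("no such gbean: " + name);
            // Enforcement point 2: every operation on the reference handed out.
            InvocationHandler guard = (proxy, method, args) -> {
                if (!policy.implies(caller, name, method.getName())) {
                    throw new GBeanAccessDenied(caller, name, method.getName());
                }
                try {
                    return method.invoke(target, args);
                } catch (InvocationTargetException e) {
                    throw e.getCause();   // surface the gbean's own exception, not the reflection wrapper
                }
            };
            return iface.cast(Proxy.newProxyInstance(iface.getClassLoader(), new Class<?>[] { iface }, guard));
        }
    }

    public static void main(String[] args) {
        // Constructed sample policy: appA may find and inspect appB's configuration, but not stop it.
        GBeanPolicy policy = new GBeanPolicy().grant("appA", "appB/config", "lookup", "getName", "isRunning");
        SimpleKernel kernel = new SimpleKernel(policy);
        kernel.register("appB/config", new ConfigurationGBean("appB/config"));

        Configuration viewed = kernel.getGBean("appA", "appB/config", Configuration.class);
        System.out.println("appA sees " + viewed.getName() + ", running=" + viewed.isRunning());
        try {
            viewed.stop();                                                  // passes lookup, denied at the proxy
        } catch (GBeanAccessDenied e) { System.out.println("denied: " + e.getMessage()); }
        try {
            kernel.getGBean("appC", "appB/config", Configuration.class);   // no grant at all: denied at lookup
        } catch (GBeanAccessDenied e) { System.out.println("denied: " + e.getMessage()); }

        Configuration own = kernel.getGBean("appB", "appB/config", Configuration.class);
        own.stop();                                                         // the owner keeps full control
        System.out.println("appB stopped its own config, running=" + own.isRunning());
    }
}
```

Two things the sketch deliberately leaves open are exactly the points raised in the excerpt: the proxy is what makes the per-operation check possible (David's "putting proxies back in"), and the `caller` string stands in for an identity the real kernel would have to establish for itself, which is the bootstrap question of what enforces the policy before the JACC machinery is running.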


Re: GBean permissions: how important are they?

2008-02-08 Thread Donald Woods
Wouldn't we steer hosting providers towards multiple server instances 
instead, since each user/customer would want access to the Admin Console 
and deployer?


The only similarity I could come up with is that there are some providers 
offering shared Tomcat hosting, where they front-end Tomcat with Apache 
HTTP Server or another solution to proxy the web context into what you 
want. They offer their own front-end for uploading your web app, so the 
user never has admin access to Tomcat.  But for a Java EE server, I'm not 
aware of any such hosting of shared app servers.


Seems that for now, multiple server instances each with its own repo 
would be a viable solution.  If we have hosting providers interested in 
sharing a single instance between customers, then we need them to chime 
in on the user/dev list with their requirements and scenarios.


I could see where requiring admin credentials to access the kernel and 
other GBeans would be a welcome solution for even some enterprise 
users, but we really need to hear from our users on this.



-Donald

Vamsavardhana Reddy wrote:





Re: GBean permissions: how important are they?

2008-02-08 Thread Erik B. Craig

Vamsi,

I do agree with you that there should be a mechanism to enforce GBean
permissions, but I'm not entirely sure how prevalent the desire for
'shared hosting' on Geronimo really is, though this might be a direct
result of the problem at hand. I think it is true that for a JEE app
server, real world paid hosting services would often be either a
dedicated machine or at least a virtualized instance.


I also think that Geronimo would mostly be used in a true 'shared
hosting' (multiple clients' information deployed under one instance)
environment only when being managed by the hosting company, so as to
not necessitate giving the client any abilities to muck with the
server via admin console or other means... in this case a solid GBean
security mechanism would be critical.


Other than this, as far as hosts are concerned, what they might  
consider to be a 'shared hosting' configuration of Geronimo may be  
simply multiple instances/VMs bound to different IP addresses sharing  
hardware and giving clients administrative access to their own  
instance of Geronimo.



Thanks,
Erik B. Craig
[EMAIL PROTECTED]




On Feb 8, 2008, at 3:43 AM, Vamsavardhana Reddy wrote:






Re: GBean permissions: how important are they?

2008-02-08 Thread Joseph Leong
Hi, just giving my two cents.  First, I'm not an expert of any sort, but I
guess a user point of view wouldn't hurt.  I've poked around here and there
with hosting solutions and recall the feeling of what some users are looking
for.  It goes along very similarly to what Donald had just previously
mentioned.

The general opinion, I've gauged, is that when someone is looking for a web
app solution they want to govern it for their own specific system.  Along
with that, I think it brings along the implied security because the only one
controlling the app server is the one who intended to have it.  So I could
understand why it seems they may go with a VM, a VPS/DS, etc. and deploy their
own instance of the App Server to guarantee them the environment and
performance they're looking for.  On the contrary, that is to go with the
assumption that the app server admin knows exactly what they are deploying.
I do think the security implementation would still help for the
scenarios/stability where their admin may have deployed an app that
inadvertently or maliciously tampers with the other components.

However, I could see how the scenario you're talking about would exist (not
sure to what extent) because it's an additional service a host can offer for a
lot less configuration/deploying work.
The only two scenarios that I can think of for a shared app server are if:
1) There was some sort of a service where a provider is trying to offer a
reseller type service, for those who don't want to or know how to manage an
app server but want to add it to their product arsenal.
2) A provider wants to offer an app server solution for users who don't know
how to manage one, but want to shortcut setting up the groundwork for
multiple instances and management.

On another thought, it seems that stability and uptime is key in the hosting
industry and the multiple instances of the app server is a great
preventative measure for a hosting provider to increase stability from one
client to another.   I guess the main tradeoff would be memory, but to the
hosting service provider that's a pretty cheap tradeoff for higher stability?

Anyhow, I'm just rambling my thoughts.. But I'd also really love to hear
what other users think as well.

Wishing you all the best,
Joseph Leong

On Feb 8, 2008 4:43 AM, Vamsavardhana Reddy [EMAIL PROTECTED] wrote:
