[jira] [Commented] (SLING-9556) add pipes execution through a simple text POST

2020-08-07 Thread Nicolas Peltier (Jira)


[ 
https://issues.apache.org/jira/browse/SLING-9556?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17173001#comment-17173001
 ] 

Nicolas Peltier commented on SLING-9556:


[~enorman] well yeah, this supposes that you authorize random POST requests from 
the outside world, which is generally not permitted, but again, I don't want to 
play it smart here :)

> add pipes execution through a simple text POST
> ----------------------------------------------
>
> Key: SLING-9556
> URL: https://issues.apache.org/jira/browse/SLING-9556
> Project: Sling
> Issue Type: Improvement
> Components: Extensions
> Affects Versions: Pipes 4.0.0
> Reporter: Nicolas Peltier
> Assignee: Nicolas Peltier
> Priority: Major
> Fix For: Pipes 4.0.0
>
> The problem with the configuration of most pipes is that JCR serialization is
> difficult to read/maintain (basic XML maintenance issue).
> Since it can be executed through gogo commands, the pipe could also simply be 
> some piped command in a text file that would be posted to the plumber, using 
> the same pipebuilder functionality (see 
> https://github.com/apache/sling-org-apache-sling-pipes/blob/master/src/main/java/org/apache/sling/pipes/internal/GogoCommands.java#L81)



--
This message was sent by Atlassian Jira
(v8.3.4#803005)


[jira] [Commented] (SLING-9556) add pipes execution through a simple text POST

2020-08-06 Thread Eric Norman (Jira)


[ 
https://issues.apache.org/jira/browse/SLING-9556?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17172555#comment-17172555
 ] 

Eric Norman commented on SLING-9556:


Hi Nicolas,

First I must admit that I don't know much about the pipes solution, so I could 
be way off on what is possible.

For completeness, let me express a couple of potential "bad guy" scenarios that 
had me initially concerned:
 # The "information disclosure" family of security attacks.  In other words, 
streamlining a look around what is in the repository in a general purpose command 
executor POST request can make it easier to refine an attack into the system.  
Some information that is not normally http accessible could be exposed and 
reveal details about how the server is configured.  An administrator may want 
more control over what is accessible over http or at least make it more 
difficult to dig that information out.
 # The "denial of service" family of security attacks.  In other words, imagine 
that the end user can construct a query/traversal/other scenario that is 
expensive to execute.  Flooding the server with a few hundred concurrent 
requests that are invoking that expensive operation may exhaust all the http 
threads and prevent any other requests from getting a slice of time to do 
legitimate work.  Is it possible to construct a chain of actions together in a 
pipe that loops forever and never completes?

Regards,

-Eric



[jira] [Commented] (SLING-9556) add pipes execution through a simple text POST

2020-08-06 Thread Nicolas Peltier (Jira)


[ 
https://issues.apache.org/jira/browse/SLING-9556?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17172382#comment-17172382
 ] 

Nicolas Peltier commented on SLING-9556:


[~bdelacretaz] [~olli]  yes, I agree too :) will start a thread



[jira] [Commented] (SLING-9556) add pipes execution through a simple text POST

2020-08-06 Thread Bertrand Delacretaz (Jira)


[ 
https://issues.apache.org/jira/browse/SLING-9556?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17172334#comment-17172334
 ] 

Bertrand Delacretaz commented on SLING-9556:


bq. Bertrand Delacretaz, Can you elaborate on dev@?

Here are links to previous discussions:

https://lists.apache.org/thread.html/e949e6328729e493ec0028642173228933ebf6d9b322da5aa0dd64d3%40%3Cdev.sling.apache.org%3E

which describes the general use case, and

https://lists.apache.org/thread.html/72475f31d9dda5128528d67f491468b081c958e9c3b93924de633c3e%40%3Cdev.sling.apache.org%3E

which suggests an API for a permissions checker service:

{code}
public void checkAllPermissions(
  ResourceResolver context, 
  String... permissionName) 
  throws PermissionDeniedException;
{code}

None of that led to creating an implementation AFAIK.

[~npeltier] I agree with Oliver's "only the admin should be able to run pipes" 
so now might be a good time to finally implement that permissions checking, 
probably in a new module?



[jira] [Commented] (SLING-9556) add pipes execution through a simple text POST

2020-08-06 Thread Oliver Lietz (Jira)


[ 
https://issues.apache.org/jira/browse/SLING-9556?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17172296#comment-17172296
 ] 

Oliver Lietz commented on SLING-9556:
-

[~npeltier], Do not underrate the "just more efficient".

In a managed services setup we have several people (including externals from 
system integrators) with read access to large (all) parts of the repo 
(including pipes) but only the admin (CSE) should be able to run the pipes. 
Removing read access on the pipes is therefore not an option and we can also 
not remove the POST access. The "permission resources" is an indirection but 
doesn't sound too bad... [~bdelacretaz], Can you elaborate on dev@?



[jira] [Commented] (SLING-9556) add pipes execution through a simple text POST

2020-08-06 Thread Bertrand Delacretaz (Jira)


[ 
https://issues.apache.org/jira/browse/SLING-9556?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17172258#comment-17172258
 ] 

Bertrand Delacretaz commented on SLING-9556:


bq. what about just checking current resolver can read a configured path in the 
repository?

I like this idea, I think we discussed it already in other similar cases but 
don't remember if we ended up using it.

I like it because it allows using existing access control tools for setup, 
validation etc. instead of inventing new mechanisms.

If you decide to use this I would suggest creating a (simple) standard, maybe 
just define that such "permission resources" have paths like 
{{/system/sling/permissions/sling/pipes/execution/http}}.

On the other hand I agree that if pipes are executed with the identity of the 
incoming POST request, there's no privilege escalation so an additional 
permission might not be required.
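
One way to implement the "permission resource" read check discussed in this thread, shaped like the `checkAllPermissions` signature proposed on dev@ (an added example, not part of the original comments and not Sling's own code). The class name, the name pattern, the nested `PermissionDeniedException` class and the use of `/system/sling/permissions/` as a common root are assumptions.

```java
import java.util.regex.Pattern;
import org.apache.sling.api.resource.ResourceResolver;

/**
 * Added illustration: each permission name maps to a "permission resource",
 * and the permission is held when the caller's resolver can read it.
 */
public class ReadablePathPermissionChecker {

    /** Hypothetical exception type, named after the one in the suggested API. */
    public static class PermissionDeniedException extends Exception {
        public PermissionDeniedException(String message) {
            super(message);
        }
    }

    // Assumed root, derived from the example path in the comment above.
    private static final String ROOT = "/system/sling/permissions/";

    // Assumed naming rule: lowercase segments joined by single slashes, so
    // "..", "//" or a leading "/" can never point outside ROOT.
    private static final Pattern NAME = Pattern.compile("[a-z0-9]+(/[a-z0-9]+)*");

    public void checkAllPermissions(ResourceResolver context, String... permissionName)
            throws PermissionDeniedException {
        if (context == null || permissionName == null || permissionName.length == 0) {
            // Fail closed: no identity or no permission named means no access.
            throw new PermissionDeniedException("no resolver or no permission requested");
        }
        for (String name : permissionName) {
            if (name == null || !NAME.matcher(name).matches()) {
                throw new PermissionDeniedException("invalid permission name");
            }
            // getResource returns null when the path does not exist or is not
            // readable with the access rights of this resolver's user.
            if (context.getResource(ROOT + name) == null) {
                throw new PermissionDeniedException("missing permission: " + name);
            }
        }
    }
}
```

A servlet would call `checkAllPermissions(request.getResourceResolver(), "sling/pipes/execution/http")` before handing the POST body to the plumber. In a setup where many users have broad read access, the permission node needs an ACL that denies read to everyone except the intended group, otherwise the check passes for all of them.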



[jira] [Commented] (SLING-9556) add pipes execution through a simple text POST

2020-08-06 Thread Nicolas Peltier (Jira)


[ 
https://issues.apache.org/jira/browse/SLING-9556?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17172068#comment-17172068
 ] 

Nicolas Peltier commented on SLING-9556:


[~enorman] [~olli] first of all, your concerns prove that the first security layer 
of pipes, which was its complexity, is starting to fade out, which is good news ;)

1. Then I have to admit I have difficulties picturing the "bad guy" scenario 
here, as in those cases you will always run a pipe's action with the resolver 
of the pipe requester. That is, if your user has privileges to do bad actions A 
& B in the whole repository, pipe will "just" make it more efficient; however, 
it's not its role imho to add a layer of security.

2. Second, to kick things off you need those {{slingPipes/plumber}} or 
{{slingPipes/exec}} resources to POST to. Of course, if your user has write 
access somewhere on the repository, he can create that node, and then post 
there. He then needs the write access described in 1. but again I would fix the 
fact that the user has that POST access in the first place, right?

Finally, I don't want to play it smart here as my bad guy imagination has its 
limits beyond which some people can go, and I'll add a simple check. [~olli]  
what about just checking current resolver can read a configured path in the 
repository?



[jira] [Commented] (SLING-9556) add pipes execution through a simple text POST

2020-08-05 Thread Oliver Lietz (Jira)


[ 
https://issues.apache.org/jira/browse/SLING-9556?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17171704#comment-17171704
 ] 

Oliver Lietz commented on SLING-9556:
-

[~npeltier], [~enorman], I recommend limiting pipe execution to dedicated user 
groups, similar to what we have in 
[{{ClamJcrScanServlet}}|https://github.com/apache/sling-org-apache-sling-clam/blob/543c4990808f4854ea3ebb52a1c3892cd7e6f67e/src/main/java/org/apache/sling/clam/http/internal/ClamJcrScanServlet.java#L116]
 but making the group mandatory.



[jira] [Commented] (SLING-9556) add pipes execution through a simple text POST

2020-08-05 Thread Eric Norman (Jira)


[ 
https://issues.apache.org/jira/browse/SLING-9556?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17171592#comment-17171592
 ] 

Eric Norman commented on SLING-9556:


Are you sure this is a safe thing to allow end users to do?  Seems risky to me.
