Timothy Ward commented on ARIES-1613:

The people responsible for security often like to avoid connections that are 
initiated from the outside or dmz and have a target in the intranet.

Any request made to the front end that requires information from the back end 
must initiate a connection from DMZ to the intranet. I agree that the number of 
connections should be minimised and the firewall as strict as possible, but it 
can't be avoided entirely.

The feeding mechanism could either be driven by the individual intranet servers 
that host the services or by a separate bridge software that only talks with 
the two zookeeper instances. I think it makes sense for us to at least design 
both scenarios. I personally do not currently plan to implement any scenario 
but maybe someone can jump in there.

For me the important part is that we provide the hooks in Aries RSA so such an 
implementation can be plugged in at any time.

This model is already provided by the RSA specification. If you want to have 
two separate discovery providers configured then you can! Simply do the 

1. Have the Exporting Remote Service Admin generate two Endpoint Descriptions, 
one which is "secure" (i.e. uses the proxy) and one which is not
2. Have two configured discovery providers, one which is for the dmz, and has a 
"(secure=true)"  (or equivalent) filter on its EndpointEventListener, and 
another discovery for the internal zookeeper
3. Configure the "internal" Topology managers to prefer the internal endpoint 
to the secure endpoint

In this model the internal servers have the choice of what they use and the DMZ 
servers never discover anything other than the "secure" endpoint.

I'm not sure that I agree that this is more secure than the model where the DMZ 
topology manager chooses to ignore the internal endpoints, as you have a much 
bigger DMZ attack surface (an extra zookeeper which is trusted by the internal 
network), but it does what you're asking. Importantly, Aries doesn't need (and 
shouldn't have) special hooks to solve this, otherwise you end up with Aries 
RSA not interoperating with other implementations.

> DiscoveryPlugin interface not exported
> --------------------------------------
>                 Key: ARIES-1613
>                 URL: https://issues.apache.org/jira/browse/ARIES-1613
>             Project: Aries
>          Issue Type: Bug
>          Components: Remote Service Admin
>    Affects Versions: rsa-1.9.0
>            Reporter: Panu Hämäläinen
> The package containing the interface 
> org.apache.cxf.dosgi.discovery.zookeeper.publish.DiscoveryPlugin is not 
> exported (MANIFEST.MF) from bundle cxf-dosgi-ri-discovery-distributed (1.7.0) 
> which makes it impossible to implement 3rd party discovery plugins.

This message was sent by Atlassian JIRA

Reply via email to