Timothy Ward commented on ARIES-1613:
The people responsible for security often like to avoid connections that are
initiated from the outside or DMZ and have a target in the intranet.
Any request made to the front end that requires information from the back end
must initiate a connection from DMZ to the intranet. I agree that the number of
connections should be minimised and the firewall as strict as possible, but it
can't be avoided entirely.
The feeding mechanism could either be driven by the individual intranet servers
that host the services or by a separate bridge software that only talks with
the two zookeeper instances. I think it makes sense for us to at least design
both scenarios. I personally do not currently plan to implement any scenario
but maybe someone can jump in there.
For me the important part is that we provide the hooks in Aries RSA so such an
implementation can be plugged in at any time.
This model is already provided by the RSA specification. If you want to have
two separate discovery providers configured then you can! Simply do the following:
1. Have the Exporting Remote Service Admin generate two Endpoint Descriptions,
one which is "secure" (i.e. uses the proxy) and one which is not
2. Have two configured discovery providers, one which is for the DMZ, and has a
"(secure=true)" (or equivalent) filter on its EndpointEventListener, and
another discovery for the internal ZooKeeper
3. Configure the "internal" Topology managers to prefer the internal endpoint
to the secure endpoint
In this model the internal servers have the choice of what they use and the DMZ
servers never discover anything other than the "secure" endpoint.
I'm not sure that I agree that this is more secure than the model where the DMZ
topology manager chooses to ignore the internal endpoints, as you have a much
bigger DMZ attack surface (an extra zookeeper which is trusted by the internal
network), but it does what you're asking. Importantly, Aries doesn't need (and
shouldn't have) special hooks to solve this, otherwise you end up with Aries
RSA not interoperating with other implementations.
> DiscoveryPlugin interface not exported
> Key: ARIES-1613
> URL: https://issues.apache.org/jira/browse/ARIES-1613
> Project: Aries
> Issue Type: Bug
> Components: Remote Service Admin
> Affects Versions: rsa-1.9.0
> Reporter: Panu Hämäläinen
> The package containing the interface
> org.apache.cxf.dosgi.discovery.zookeeper.publish.DiscoveryPlugin is not
> exported (MANIFEST.MF) from bundle cxf-dosgi-ri-discovery-distributed (1.7.0)
> which makes it impossible to implement 3rd party discovery plugins.
This message was sent by Atlassian JIRA
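The three-step model described in the comment above, as an added example written for this page; it is not code from Aries RSA or from the commenter. It uses only the standard OSGi Remote Service Admin API (EndpointDescription, EndpointEvent, EndpointEventListener, RemoteConstants) and stands in a small publish() method for what the discovery provider does when it honours an EndpointEventListener's scope filter. The service interface, hostnames, configuration type name and the "secure" property name are hypothetical.

```java
import java.util.HashMap;
import java.util.LinkedHashMap;
import java.util.Map;

import org.osgi.framework.Constants;
import org.osgi.service.remoteserviceadmin.EndpointDescription;
import org.osgi.service.remoteserviceadmin.EndpointEvent;
import org.osgi.service.remoteserviceadmin.EndpointEventListener;
import org.osgi.service.remoteserviceadmin.RemoteConstants;

/**
 * One service exported as two EndpointDescriptions (direct and via the DMZ proxy),
 * a DMZ-side listener scoped to "(secure=true)" so it never learns the direct
 * endpoint, and an internal-side listener that prefers the direct endpoint when
 * it sees both. All names below are hypothetical example values.
 */
public class SplitDiscoveryExample {

    /** Build an EndpointDescription carrying the properties the RSA spec requires. */
    static EndpointDescription endpoint(String id, boolean secure) {
        Map<String, Object> props = new HashMap<>();
        props.put(Constants.OBJECTCLASS, new String[] {"org.example.orders.OrderService"});
        props.put(RemoteConstants.ENDPOINT_ID, id);
        props.put(RemoteConstants.SERVICE_IMPORTED_CONFIGS, new String[] {"org.example.http"});
        props.put("secure", Boolean.toString(secure)); // marker the DMZ discovery filters on
        return new EndpointDescription(props);
    }

    /** Stand-in for a discovery provider: deliver an ADDED event only to listeners whose scope matches. */
    static void publish(EndpointDescription ep, Map<EndpointEventListener, String> listeners) {
        for (Map.Entry<EndpointEventListener, String> e : listeners.entrySet()) {
            String scope = e.getValue(); // value of EndpointEventListener.ENDPOINT_LISTENER_SCOPE
            if (ep.matches(scope)) {
                e.getKey().endpointChanged(new EndpointEvent(EndpointEvent.ADDED, ep), scope);
            }
        }
    }

    static boolean isSecure(EndpointDescription ep) {
        return "true".equals(ep.getProperties().get("secure"));
    }

    /** Internal topology manager: one endpoint per interface, replacing a proxied one with a direct one. */
    static class PreferInternal implements EndpointEventListener {
        final Map<String, EndpointDescription> chosen = new LinkedHashMap<>();

        @Override
        public void endpointChanged(EndpointEvent event, String matchedFilter) {
            if (event.getType() != EndpointEvent.ADDED) {
                return; // REMOVED / MODIFIED handling left out for brevity
            }
            EndpointDescription ep = event.getEndpoint();
            for (String iface : ep.getInterfaces()) {
                EndpointDescription current = chosen.get(iface);
                if (current == null || (isSecure(current) && !isSecure(ep))) {
                    chosen.put(iface, ep);
                }
            }
        }
    }

    public static void main(String[] args) {
        // Step 1: the exporting RSA produces two descriptions for the same service.
        EndpointDescription direct = endpoint("http://orders.intranet.example:8080/orders", false);
        EndpointDescription viaProxy = endpoint("https://proxy.dmz.example/orders", true);

        // Step 2: the DMZ listener is scoped so only proxied ("secure") endpoints reach it.
        EndpointEventListener dmzImporter = (event, filter) ->
            System.out.println("DMZ sees " + event.getEndpoint().getId() + " (scope " + filter + ")");
        PreferInternal internalImporter = new PreferInternal();

        Map<EndpointEventListener, String> listeners = new LinkedHashMap<>();
        listeners.put(dmzImporter, "(secure=true)");
        listeners.put(internalImporter, "(objectClass=org.example.orders.OrderService)");

        // Step 3: publish in the worst-case order (proxied first); the internal side still ends up direct.
        publish(viaProxy, listeners);
        publish(direct, listeners);
        System.out.println("Internal chose " + internalImporter.chosen.values().iterator().next().getId());
    }
}
```

In a real deployment the scope string is not passed to a publish() helper but registered as the `endpoint.listener.scope` service property of the EndpointEventListener, which is what a spec-compliant discovery provider (including the ZooKeeper one) consults before delivering events; nothing in the example relies on Aries-specific hooks.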