If we are only doing post-processing for get and query, then it's not too
much work adding it into the new model.

On Fri, Jun 17, 2016 at 12:00 PM, Michael Stolz <mst...@pivotal.io> wrote:

> Post processing is there to filter the data returned by a get or a query.
> But it requires that they write code, so it is probably only pertinent for
> the old security model not for the new fully configurable End-to-end model
> that we have begun discussing.
>
> So MAYBE we're actually doing too much work in keeping it for the new
> model.
>
> Thoughts?
>
>
> --
> Mike Stolz
> Principal Engineer, GemFire Product Manager
> Mobile: 631-835-4771
>
> On Fri, Jun 17, 2016 at 11:44 AM, Jinmei Liao <jil...@pivotal.io> wrote:
>
> > While working on the integrated security for gemfire9/geode1, we are
> > frequently baffled by this post-processing functionality that's been
> lumped
> > into security. Here are a few observations we've come up with and want to
> > run with the dev community for comments:
> >
> > 1. Post processing is not authorization. At this point, all necessary
> > authorization should already be done and satisfied.
> >
> > 2. Post processing is related to security in the sense that it needs a
> > Principal in the context, but it's not part of the authorization.
> >
> > 3. Previous implementation (client-server) adds post process after every
> > authorization checks. We want to make a clean separation of these two
> > concepts. New interfaces of post processing will be introduced (so that
> we
> > can preserve the old behavior if user is implementing the old interface),
> > and will ONLY be added to the "get" and "query" data operations.
> >
> > 4. The new interface will look like below:
> > public Object processValue(Principal principal, String regionPath, Object
> > key, Object value)
> >
> > Is this a sufficient interface to begin with? Do you have any client that
> > would need post processor to do something completely different?
> >
> > Thank you for all your feedback.
> >
> > --
> > Cheers
> >
> > Jinmei
> >
>



-- 
Cheers

Jinmei

Reply via email to