This seems like a good idea to me, but I'm missing a lot of the picture
about how it will work and what else is needed.
Let's take a db pool as an example, with a username/password to get the
connections. We store the password in the safe. So, when the db pool
gbean (connection manager) starts, it needs to access the safe to get
the password. How does the safe trust the gbean? The only way I can
see is if the server is started as some kind of admin user, using a
credential of some kind such as a command line password. I've thought
for a long time that we needed "gbean permissions" of some kind. Would
accessing the safe require permissions or be a login-type operation?
With enough permissions, do we need a safe at all?
I'd like to know more :-)
thanks
david jencks
On Nov 20, 2005, at 11:59 PM, [EMAIL PROTECTED] wrote:
An idea of including the deployment plan in the configuration has been kicked
around for some time now. I think that each configuration should
include its deployment plan.
By itself, a deployment plan is not a secret, and as such it should not
contain sensitive data that we do not want to disclose (passwords,
etc.).
So the idea would be not to hide the deployment plan, but to externalize
the sensitive data.
One way to externalize sensitive data is to have a "vault" gbean that
can implement different QoS vis-a-vis keeping a secret, and have a reference
to this vault in the deployment plan together with some alias for the
secret in the vault:
<reference name="vault">bla</reference>
<attribute name="alias">myconfig.id.password</attribute>
The vault by itself can provide different QoS. The simplest case is to
have a file with all secrets in it and to install it in a secure
location. One step up would be to assign a master key to the Geronimo
server at deployment time, put it in a secure location and use it
to encrypt all other secrets. And so on...
If there is enough interest in this I can put it together.
Simon
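The following is an added example, not code from the thread or from Geronimo, that sketches Simon's proposal end to end: the plan fragment above (wrapped in a constructed `<connection-manager>` element so it parses on its own) names the vault `bla` and the alias `myconfig.id.password`, and two vault implementations supply the secret at the two QoS levels he describes. `PlainFileVault` is the cleartext file in a protected location, and it refuses a file that is group- or world-readable, which is the only protection that level has. `EncryptedVault` holds entries sealed under a master key that is handed to the server at startup and never appears in the plan, which is also the closest thing this sketch has to an answer to David's "how does the safe trust the gbean" question: whoever starts the server must hold the key. All class names, the JSON file format and the key derivation are assumptions of this example. To stay standard-library only it builds a stream cipher from HMAC-SHA256 in counter mode with an encrypt-then-MAC tag that also binds the alias, so an entry copied under another alias is rejected; a real vault should use AES-GCM instead.

```python
"""Added example: externalizing deployment-plan secrets into a vault (not Geronimo code)."""
import hashlib
import hmac
import json
import os
import secrets
import tempfile
import xml.etree.ElementTree as ET

# Plan fragment from the post; the <connection-manager> wrapper is constructed here.
PLAN = """
<connection-manager>
  <reference name="vault">bla</reference>
  <attribute name="alias">myconfig.id.password</attribute>
</connection-manager>
"""


def parse_secret_ref(plan_xml):
    """Return (vault name, alias); the plan itself carries no secret."""
    root = ET.fromstring(plan_xml.strip())
    vault = root.findtext("reference[@name='vault']")
    alias = root.findtext("attribute[@name='alias']")
    if not vault or not alias:
        raise ValueError("plan must reference a vault and an alias")
    return vault, alias


class PlainFileVault:
    """QoS level 1: cleartext JSON file; file location and mode are the only protection."""

    def __init__(self, path):
        mode = os.stat(path).st_mode & 0o777
        if mode & 0o077:
            raise PermissionError(f"{path} is group/world accessible (mode {mode:o})")
        with open(path) as f:
            self._entries = json.load(f)

    def get(self, alias):
        return self._entries[alias]


def _subkey(master_key, label):
    # Separate encryption and MAC keys derived from the one master key (assumed KDF).
    return hmac.new(master_key, label, hashlib.sha256).digest()


def _keystream(enc_key, nonce, length):
    # HMAC-SHA256 as a PRF in counter mode; stands in for AES-GCM in this sketch.
    out, counter = bytearray(), 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def seal(master_key, alias, plaintext):
    """Encrypt-then-MAC one entry; the tag covers alias, nonce and ciphertext."""
    enc_key, mac_key = _subkey(master_key, b"enc"), _subkey(master_key, b"mac")
    nonce = secrets.token_bytes(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, alias.encode() + nonce + ct, hashlib.sha256).digest()
    return {"nonce": nonce.hex(), "ct": ct.hex(), "tag": tag.hex()}


def unseal(master_key, alias, entry):
    """Verify the tag in constant time before decrypting; a moved or edited entry fails."""
    enc_key, mac_key = _subkey(master_key, b"enc"), _subkey(master_key, b"mac")
    nonce, ct, tag = (bytes.fromhex(entry[k]) for k in ("nonce", "ct", "tag"))
    expected = hmac.new(mac_key, alias.encode() + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError(f"vault entry {alias!r} failed integrity check")
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))


class EncryptedVault:
    """QoS level 2: entries sealed under a master key supplied at server startup."""

    def __init__(self, path, master_key):
        with open(path) as f:
            self._entries = json.load(f)
        self._master_key = master_key

    def get(self, alias):
        return unseal(self._master_key, alias, self._entries[alias]).decode()


def write_encrypted_vault(path, master_key, secrets_by_alias):
    entries = {a: seal(master_key, a, s.encode()) for a, s in secrets_by_alias.items()}
    with open(path, "w") as f:
        json.dump(entries, f)
    os.chmod(path, 0o600)


def resolve_secret(plan_xml, vaults):
    """What the connection-manager gbean would do at start: follow reference + alias."""
    vault_name, alias = parse_secret_ref(plan_xml)
    return vaults[vault_name].get(alias)


def demo():
    """Constructed files in a temp dir; returns the password resolved via both vaults."""
    master_key = secrets.token_bytes(32)  # lives outside the plan, e.g. passed at startup
    with tempfile.TemporaryDirectory() as d:
        plain = os.path.join(d, "secrets.json")
        with open(plain, "w") as f:
            json.dump({"myconfig.id.password": "s3cret"}, f)
        os.chmod(plain, 0o600)
        enc = os.path.join(d, "secrets.enc.json")
        write_encrypted_vault(enc, master_key, {"myconfig.id.password": "s3cret"})
        return (resolve_secret(PLAN, {"bla": PlainFileVault(plain)}),
                resolve_secret(PLAN, {"bla": EncryptedVault(enc, master_key)}))


if __name__ == "__main__":
    print(demo())
```

Note that neither level addresses David's point about "gbean permissions": any code that can reach the vault gbean through a reference gets the secret, so the vault only raises the bar for someone reading files off disk, not for a hostile gbean inside the same server.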