Willem Jiang Blog: http://willemjiang.blogspot.com (English) http://jnn.iteye.com (Chinese) Twitter: willemjiang Weibo: 姜宁willem
On Fri, Feb 2, 2018 at 4:44 PM, Eric Lee <[email protected]> wrote:

> Currently, there are two known security concerns in Saga pack:
>
> *1. multi-tenants support*
> When pack is deployed in a cluster, access to transaction events should be
> limited to those who have the corresponding permission. Not having any
> restrictions on that will cause chaos in the management of transaction
> events, and users can view all events passing through pack and have a peek at
> other transactions' flows, which will be a serious security problem.
>

It makes sense that we add a tenant or application id for separating transactions between two different applications or users.

>
> *2. encrypted transportation between alpha and omega*
> Currently, we use a plain gRPC channel to communicate between alpha and
> omega. However, when it comes to a production environment, users may want
> more secure transportation options. Settings of gRPC transportation should
> be configurable.
>

As alpha can invoke the omega compensation operation, it's important to make sure that omega connects to the right alpha server.

>
> We will solve the above security concerns ASAP in the next release. Any
> solution to the above security concerns is welcome. Besides, are there any
> other security concerns we miss? Welcome to point them out. Thanks.
>
>
> Best Regards!
> Eric Lee
>
