Hi,

It would be nice if we could reject any security issues irrelevant to the features of ElasticJob. We have spent some effort on handling security issues, which does not help to enhance the user experience or features of ElasticJob.
-----------------------------------------------

Weijie Wu 吴伟杰
Apache ShardingSphere Committer
GitHub@TeslaCN

Haoran Meng <menghao...@apache.org> wrote on Mon, Feb 14, 2022 at 14:43:
>
> Hi, all
>
> I agree with Weijie Wu's suggestion. We can remove the authentication
> and declare in the project description that it is not recommended to
> deploy in the public network, and no longer accept any security
> issues caused by the deprecated deployment.
>
> zhangli...@apache.org <zhangli...@apache.org> wrote on Sat, Feb 12, 2022 at 15:00:
> >
> > Yes, it is better to remove authentication.
> > Because it is the LAN web-console, can we declare that we do not accept any
> > security issues in the ElasticJob-UI?
> >
> > ------------------
> >
> > Sincerely,
> > Liang Zhang (John)
> > Apache ShardingSphere
> >
> >
> > 吴伟杰 <wuwei...@apache.org> wrote on Fri, Feb 11, 2022 at 18:12:
> >
> > > Hi Liang
> > >
> > > I have an idea. ShardingSphere ElasticJob-UI aims to provide a
> > > convenient way to manage jobs. The current authentication and
> > > authority are too simple to satisfy the security requirements. And
> > > some users may have requirements such as LDAP.
> > > Could we consider removing the authentications and roles? Let users do
> > > the security stuff on their own.
> > >
> > > -----------------------------------------------
> > >
> > > Weijie Wu 吴伟杰
> > > Apache ShardingSphere Committer
> > > GitHub@TeslaCN
> > >
> > > zhangli...@apache.org <zhangli...@apache.org> wrote on Thu, Feb 3, 2022 at 11:35:
> > > >
> > > > Hi team,
> > > >
> > > > We received several security issue reports in ShardingSphere
> > > > ElasticJob-UI.
> > > >
> > > > As you know, the ShardingSphere ElasticJob-UI is for LAN only. We may
> > > > not need to care about the security issue here.
> > > > The UI is an optional tool, and all ShardingSphere committers have a
> > > > backend background; they are not familiar with frontend.
> > > >
> > > > Some security teams only care about CVE as their result, but do not care
> > > > about the real usage. It really troubles us.
> > > >
> > > > The team wants to spend time on more meaningful things, so I want to
> > > > discuss the necessity of ShardingSphere ElasticJob-UI. It looks like
> > > > we'd better remove it from ShardingSphere ElasticJob.
> > > >
> > > > What do you think?
> > > >
> > > > ------------------
> > > >
> > > > Sincerely,
> > > > Liang Zhang (John)
> > > > Apache ShardingSphere