[ https://jira.nuxeo.org/browse/NXP-5019?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Thierry Delprat updated NXP-5019:
---------------------------------

    Description: 

Nuxeo Runtime provides a way to do a SystemLogin via Framework.login().
This is used to be able to login as a system account without having to provide 
a login/password.
This is used in Nuxeo :
 - when current user needs to gain "root privileges" : typically usage of 
UnrestrictedSessionRunner
 - when an unauthenticated thread needs to access the repository : typically an 
async listener

This system login can also be used for RMI access : this is the case for Nuxeo 
Shell that connects to a remote Nuxeo instance as system.

In order to better handle restrictions on this SystemLogin we introduce :

 - an identifier for Nuxeo Runtime instances :

   This identifier will be by default an automatically generated VMID, but can 
be set explicitly via nuxeo.properties (org.nuxeo.runtime.instance.id)

 - properties to configure restrictions for SystemLogin

   - org.nuxeo.systemlogin.restrict : true/false (default true) ; turns on/off 
restrictions

   - org.nuxeo.systemlogin.trusted.instances : comma separated list of trusted 
runtime instances (default : empty)

   When restrictions are on, SystemLogin calls will be granted only :

     - when it comes from the same JVM (necessary to have 
UnrestrictedSessionRunner working)

     - when it comes from a trusted host

  Turning off restrictions will result in a fallback to the old behavior : 
always grant SystemLogin

NB : The trusted hosts are identified by a simple id, but technically this is a 
shared secret between the clients and the server, so this should be enough for 
most cases.

Direct impacts on Nuxeo are :

 - Nuxeo Shell won't be able to connect as system anymore with the default 
Nuxeo configuration
  => need to update the NXShell to force login

 - Stateless/Stateful package needs to be updated

  was:

Nuxeo Runtime provides a way to do a SystemLogin via Framework.login().
This is used to be able to login as a system account without having to provide 
a login/password.
This is used in Nuxeo :
 - when current user needs to gain "root privileges" : typically usage of 
UnrestrictedSessionRunner
 - when an unauthenticated thread needs to access the repository : typically an 
async listener

This system login can also be used for RMI access : this is the case for Nuxeo 
Shell that connects to a remote Nuxeo instance as system.

In order to better handle restrictions on this SystemLogin we introduce :

 - an identifier for Nuxeo Runtime instances :

   This identifier will be by default an automatically generated VMID, but can 
be set explicitly via nuxeo.properties (org.nuxeo.runtime.instance.id)

 - properties to configure restrictions for SystemLogin

   - org.nuxeo.systemlogin.restrict : true/false (default true) ; turns on/off 
restrictions

   - org.nuxeo.systemlogin.trusted.instances : comma separated list of trusted 
off (default : empty)

   When restrictions are on, SystemLogin calls will be granted only :

     - when it comes from the same JVM (necessary to have 
UnrestrictedSessionRunner working)

     - when it comes from a trusted host

  Turning off restrictions will result in a fallback to the old behavior : 
always grant SystemLogin

NB : The trusted hosts are identified by a simple id, but technically this is a 
shared secret between the clients and the server, so this should be enough for 
most cases.

Direct impacts on Nuxeo are :

 - Nuxeo Shell won't be able to connect as system anymore with the default 
Nuxeo configuration
  => need to update the NXShell to force login

 - Stateless/Stateful package needs to be updated

> Add restriction on SystemLogin usage
> ------------------------------------
>
>                 Key: NXP-5019
>                 URL: https://jira.nuxeo.org/browse/NXP-5019
>             Project: Nuxeo Enterprise Platform
>          Issue Type: Improvement
>          Components: Runtime
>    Affects Versions: 5.3.1
>            Reporter: Thierry Delprat
>            Assignee: Thierry Delprat
>             Fix For: 5.3.2
>
>
> Nuxeo Runtime provides a way to do a SystemLogin via Framework.login().
> This is used to be able to login as a system account without having to 
> provide a login/password.
> This is used in Nuxeo :
>  - when current user needs to gain "root privileges" : typically usage of 
> UnrestrictedSessionRunner
>  - when an unauthenticated thread needs to access the repository : typically 
> an async listener
> This system login can also be used for RMI access : this is the case for 
> Nuxeo Shell that connects to a remote Nuxeo instance as system.
> In order to better handle restrictions on this SystemLogin we introduce :
>  - an identifier for Nuxeo Runtime instances :
>    This identifier will be by default an automatically generated VMID, but can 
> be set explicitly via nuxeo.properties (org.nuxeo.runtime.instance.id)
>  - properties to configure restrictions for SystemLogin
>    - org.nuxeo.systemlogin.restrict : true/false (default true) ; turns 
> on/off restrictions
>    - org.nuxeo.systemlogin.trusted.instances : comma separated list of 
> trusted runtime instances (default : empty)
>    When restrictions are on, SystemLogin calls will be granted only :
>      - when it comes from the same JVM (necessary to have 
> UnrestrictedSessionRunner working)
>      - when it comes from a trusted host
>   Turning off restrictions will result in a fallback to the old behavior : 
> always grant SystemLogin
> NB : The trusted hosts are identified by a simple id, but technically this is 
> a shared secret between the clients and the server, so this should be enough 
> for most cases.
> Direct impacts on Nuxeo are :
>  - Nuxeo Shell won't be able to connect as system anymore with the default 
> Nuxeo configuration
>   => need to update the NXShell to force login
>  - Stateless/Stateful package needs to be updated
>    
>   
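
A sketch of the grant decision laid out in the description above, added here as an illustration and not Nuxeo's implementation. The two property names come from the issue; the class name `SystemLoginPolicy`, the sample instance ids, and modeling "same JVM" as the caller presenting the local instance id are assumptions.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.ArrayList;
import java.util.List;
import java.util.Properties;

// Hypothetical class illustrating the described policy; not Nuxeo's own code.
public class SystemLoginPolicy {
    private final boolean restrict;
    private final byte[] localId;
    private final List<byte[]> trusted = new ArrayList<>();

    public SystemLoginPolicy(Properties props, String localInstanceId) {
        // Restrictions stay on unless the property is explicitly "false" (default true).
        String flag = props.getProperty("org.nuxeo.systemlogin.restrict", "true");
        this.restrict = !"false".equalsIgnoreCase(flag.trim());
        this.localId = localInstanceId.getBytes(StandardCharsets.UTF_8);
        // Default is an empty list: no remote instance is trusted.
        String list = props.getProperty("org.nuxeo.systemlogin.trusted.instances", "");
        for (String id : list.split(",")) {
            if (!id.trim().isEmpty()) {
                trusted.add(id.trim().getBytes(StandardCharsets.UTF_8));
            }
        }
    }

    public boolean isGranted(String callerInstanceId) {
        if (!restrict) return true;                  // old behavior: always grant SystemLogin
        if (callerInstanceId == null) return false;  // caller sent no instance id: deny
        byte[] caller = callerInstanceId.getBytes(StandardCharsets.UTF_8);
        // Assumption: "same JVM" is modeled as the caller presenting the local instance id.
        boolean granted = MessageDigest.isEqual(caller, localId);
        // The id acts as a shared secret, so compare in constant time and scan every entry.
        for (byte[] id : trusted) {
            granted |= MessageDigest.isEqual(caller, id);
        }
        return granted;
    }

    public static void main(String[] args) {
        Properties props = new Properties(); // constructed sample configuration
        props.setProperty("org.nuxeo.systemlogin.trusted.instances", "shell-ops-1, batch-7");
        SystemLoginPolicy policy = new SystemLoginPolicy(props, "vmid-local-example");
        for (String caller : new String[] {"vmid-local-example", "batch-7", "unknown-vm"}) {
            System.out.println(caller + " -> " + policy.isGranted(caller));
        }
    }
}
```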
