[
https://jira.nuxeo.org/browse/NXP-5019?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=73121#action_73121
]
Thierry Delprat commented on NXP-5019:
--------------------------------------
Comit done : http://hg.nuxeo.org/nuxeo/nuxeo-runtime/rev/1d22e1b443d2
=> waiting for Hudson to validate that it does not introduce any regression ...
> Add restriction on SystemLogin usage
> ------------------------------------
>
> Key: NXP-5019
> URL: https://jira.nuxeo.org/browse/NXP-5019
> Project: Nuxeo Enterprise Platform
> Issue Type: Improvement
> Components: Runtime
> Affects Versions: 5.3.1
> Reporter: Thierry Delprat
> Assignee: Thierry Delprat
> Fix For: 5.3.2
>
>
> Nuxeo Runtime provides a way to do a SystemLogin via Framework.login().
> This is used to be able to login as a system account without having to
> provide a login/password.
> This is used in Nuxeo :
> - when current user needs to gain "root privileges" : typically usage of
> UnrestrictedSessionRunner
> - when an unauthenticated thread needs to access the repository : typically
> a async listener
> This system login can also be used for RMI access : this is the case for
> Nuxeo Shell that connect to a remote Nuxeo instance as system.
> In order to better handle restrictions on this SystemLogin we introduce :
> - a identifier for Nuxeo Runtime instances :
> This identifier will be by default a automatically generated VMID, but can
> be set explicitly via nuxeo.properties (org.nuxeo.runtime.instance.id)
> - properties to configure restrictions for SystemLogin
> - org.nuxeo.systemlogin.restrict : true/false (default true) ; turns
> on/off restrictions
> - org.nuxeo.systemlogin.trusted.instances : comma separated list of
> trusted runtime instances (default : empty)
> When restrictions are on, SystemLogin calls will be granted only :
> - when it comes from the same JVM (necessary for have
> UnrestrictedSessionRunner working)
> - when it comes from a trusted host
> Turning off restrictions will result in a fallback to the old behavior :
> always grant SystemLogin
> NB : The trusted hosts are identfiied by a simple id, but technically this is
> a shared secret between the clients and the server, so this should be enough
> for most cases.
> Direct impacts on Nuxeo are :
> - Nuxeo Shell won't be able to connect as system anymore with the default
> Nuxeo configuration
> => need to update the NXShell to force login
> - Stateless/Statefull package needs to be updated
>
>
--
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators:
https://jira.nuxeo.org/secure/Administrators.jspa
-
For more information on JIRA, see: http://www.atlassian.com/software/jira
_______________________________________________
ECM-tickets mailing list
[email protected]
http://lists.nuxeo.com/mailman/listinfo/ecm-tickets
