[
https://jira.nuxeo.org/browse/NXP-5019?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=75731#action_75731
]
Julien Carsique commented on NXP-5019:
--------------------------------------
nuxeo-shell updated
> Add restriction on SystemLogin usage
> ------------------------------------
>
> Key: NXP-5019
> URL: https://jira.nuxeo.org/browse/NXP-5019
> Project: Nuxeo Enterprise Platform
> Issue Type: Improvement
> Components: Runtime
> Affects Versions: 5.3.1
> Reporter: Thierry Delprat
> Assignee: Thierry Delprat
> Fix For: 5.3.2
>
>
> Nuxeo Runtime provides a way to do a SystemLogin via Framework.login().
> This is used to be able to login as a system account without having to
> provide a login/password.
> This is used in Nuxeo:
> - when the current user needs to gain "root privileges": typically usage of
> UnrestrictedSessionRunner
> - when an unauthenticated thread needs to access the repository: typically
> an async listener
> This system login can also be used for RMI access: this is the case for
> Nuxeo Shell that connects to a remote Nuxeo instance as system.
> In order to better handle restrictions on this SystemLogin we introduce:
> - an identifier for Nuxeo Runtime instances:
>   This identifier will be by default an automatically generated VMID, but can
>   be set explicitly via nuxeo.properties (org.nuxeo.runtime.instance.id)
> - properties to configure restrictions for SystemLogin
>   - org.nuxeo.systemlogin.restrict: true/false (default true); turns
>     on/off restrictions
>   - org.nuxeo.systemlogin.trusted.instances: comma-separated list of
>     trusted runtime instances (default: empty)
> When restrictions are on, SystemLogin calls will be granted only:
> - when it comes from the same JVM (necessary to have
> UnrestrictedSessionRunner working)
> - when it comes from a trusted host
> Turning off restrictions will result in a fallback to the old behavior:
> always grant SystemLogin
> NB: The trusted hosts are identified by a simple id, but technically this is
> a shared secret between the clients and the server, so this should be enough
> for most cases.
> Direct impacts on Nuxeo are:
> - Nuxeo Shell won't be able to connect as system anymore with the default
> Nuxeo configuration
> => need to update the NXShell to force login
> - Stateless/Stateful package needs to be updated
>
>
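The grant rules described in the ticket, modelled as an added example (not Nuxeo's code and not part of the original message), together with a small check of a `nuxeo.properties` file for the two settings that widen SystemLogin. The property names are from the ticket; the function names, the `same_jvm` flag, the sample values, and treating only a literal `false` as "restrictions off" are assumptions.

```python
RESTRICT = "org.nuxeo.systemlogin.restrict"
TRUSTED = "org.nuxeo.systemlogin.trusted.instances"

SAMPLE = """\
# constructed sample nuxeo.properties (values are made up)
org.nuxeo.systemlogin.restrict=true
org.nuxeo.systemlogin.trusted.instances=shell-ops, batch-01
"""

def parse_properties(text):
    """Parse simple key=value lines; comments and blank lines are skipped."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(("#", "!")):
            continue
        key, sep, value = line.partition("=")
        if sep:
            props[key.strip()] = value.strip()
    return props

def restrictions_on(props):
    # Ticket: default is true. Assumption: only a literal "false" disables.
    return props.get(RESTRICT, "true").strip().lower() != "false"

def trusted_instances(props):
    return {i.strip() for i in props.get(TRUSTED, "").split(",") if i.strip()}

def system_login_granted(props, caller_instance_id, same_jvm):
    """Grant decision as the ticket states it (same_jvm is a hypothetical flag)."""
    if not restrictions_on(props):
        return True   # old behavior: always grant SystemLogin
    if same_jvm:
        return True   # needed for UnrestrictedSessionRunner
    return caller_instance_id in trusted_instances(props)

def audit(props):
    """List the settings that extend SystemLogin beyond the local JVM."""
    findings = []
    if not restrictions_on(props):
        findings.append("restrictions off: every SystemLogin call is granted")
    for inst in sorted(trusted_instances(props)):
        findings.append(f"trusted instance '{inst}': its id is a shared secret")
    return findings

if __name__ == "__main__":
    props = parse_properties(SAMPLE)
    print(system_login_granted(props, "shell-ops", same_jvm=False))
    print(audit(props))
```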