Mark,
On 6/8/12 1:54 PM, Mark Eggers wrote:
> ----- Original Message -----
>
>> From: Mark Thomas <ma...@apache.org>
>> To: Tomcat Users List <users@tomcat.apache.org>
>> Cc:
>> Sent: Friday, June 8, 2012 10:02 AM
>> Subject: Re: [POLL] Finer-grained "manager" user-access privileges?
>>
>> On 07/06/2012 19:37, Christopher Schultz wrote:
>>> All,
>>>
>>> I was just answering a question on StackOverflow[1] about
>>> limiting the operations a particular user could perform when
>>> using the manager app (e.g. deploy, undeploy, start, stop,
>>> etc.).
>>>
>>> It seems to me that this has come up on the users' list once
>>> or twice in the past, and it wouldn't be a big deal to support
>>> this kind of thing right out of the box by just defining a
>>> number of additional roles such as:
>>>
>>> manager-gui-deploy
>>> manager-gui-undeploy
>>> manager-gui-start
>>> etc.
>>>
>>> Is there any interest in doing something like this? My general
>>> feeling is that manager access should either be allowed
>>> read-only (which is covered by the "manager-status" role) or
>>> full read/write (which is covered by the "manager-gui" and
>>> "manager-script" roles) because hey, you should trust your
>>> managers or fire them ;)
>>
>> +1. I'm not a fan of making things more complicated by default.
>> There is plenty that can be done via additional configuration if
>> desired.
>>
>> Mark
>
> I'm also not seeing a clear use case that couldn't be solved by
> running virtual hosts or separate Tomcat instances. I'm not one to
> rain on a person's parade, but I guess in light of additional
> configuration complexity, I'd like to see a clear use case that
> couldn't be solved with the existing setup plus virtual hosts or
> multiple Tomcats.
>
> . . . just a beleaguered systems person who likes all boxes to
> look the same.

The configuration wouldn't get much more complicated. All
currently-valid configurations would remain valid...
it's just that more nuanced roles would also be available in cases
where they are needed. All the new configuration would be in the
manager's web.xml deployment descriptor (managed by us) and the
configuration for the operator would still be in
conf/tomcat-users.xml (or wherever they choose to put their
credentials). The only difference would be the list of role-names
available for operators to choose from.

Again, I'm not personally motivated to do this, but it seems to have
come up a few times and seems like an easy enough thing for us to do.

-chris
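
The split described in the message above (role definitions in the manager's web.xml, operator assignments in conf/tomcat-users.xml), sketched as an added example that is not part of the original thread or of Tomcat's shipped configuration. It uses the text interface rather than the GUI roles named in the thread; the role names manager-script-deploy and manager-script-undeploy, the user name and the password are hypothetical.

```xml
<!-- 1. Manager webapp WEB-INF/web.xml (fragment).
     Added sketch; the manager-script-* sub-roles are hypothetical. -->

<!-- Catch-all for the text interface: full access stays with manager-script. -->
<security-constraint>
  <web-resource-collection>
    <web-resource-name>Text Manager interface</web-resource-name>
    <url-pattern>/text/*</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <role-name>manager-script</role-name>
  </auth-constraint>
</security-constraint>

<!-- An exact-match pattern is a better match than /text/*, so only this
     constraint applies to the deploy command. Anything not listed here
     still falls through to the catch-all above (fail closed). -->
<security-constraint>
  <web-resource-collection>
    <web-resource-name>Text Manager deploy only</web-resource-name>
    <url-pattern>/text/deploy</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <role-name>manager-script</role-name>
    <role-name>manager-script-deploy</role-name>
  </auth-constraint>
</security-constraint>

<security-constraint>
  <web-resource-collection>
    <web-resource-name>Text Manager undeploy only</web-resource-name>
    <url-pattern>/text/undeploy</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <role-name>manager-script</role-name>
    <role-name>manager-script-undeploy</role-name>
  </auth-constraint>
</security-constraint>

<security-role><role-name>manager-script-deploy</role-name></security-role>
<security-role><role-name>manager-script-undeploy</role-name></security-role>

<!-- 2. conf/tomcat-users.xml (fragment): the operator only picks role names.
     This account can deploy but cannot undeploy, start, stop or list. -->
<role rolename="manager-script-deploy"/>
<user username="ci-deployer" password="CHANGE_ME" roles="manager-script-deploy"/>
```

Because the catch-all /text/* constraint still names only manager-script, a command without its own exact-match constraint stays closed to the narrower roles.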