This is straightforward to protect with Shiro, which I plan to work on this week as part of https://issues.apache.org/jira/browse/AURORA-31

On Tue, Sep 16, 2014 at 11:23 AM, Kevin Sweeney <kswee...@twitter.com> wrote:

> To be clear I'm acknowledging the security concerns as real (unprivileged
> accounts can usually run ps to see what's running locally, and write access
> to this database is essentially root on the whole cluster, so some basic
> protection is reasonable).
>
> As far as code burden, the difference between taking a flag and loading a
> properties file is relatively small, and we already have precedent for
> loading a secrets-filled properties file in DriverFactory.java.
>
> On Tue, Sep 16, 2014 at 10:54 AM, Maxim Khutornenko <ma...@apache.org> wrote:
>
>> +1 on the command-line approach. There was a bit of a debate around it
>> when it was proposed for the framework auth but its simplicity
>> outweighed potential security concerns.
>>
>> On Tue, Sep 16, 2014 at 10:34 AM, Kevin Sweeney <kevi...@apache.org> wrote:
>> > There's precedent to take secrets as a properties file on the command-line
>> > (-framework_authentication_file), my vote is that we follow that.
>> >
>> > On Tue, Sep 16, 2014 at 10:17 AM, Joshua Cohen <jco...@twitter.com.invalid> wrote:
>> >
>> >> Providing the password directly via the command line seems like it would be
>> >> a security issue (anyone who can `ps` on the box could see the password?).
>> >> Is there something I'm missing? Would it be possible (and if so, would it
>> >> be desirable?) to start up the web console as a user who only has read
>> >> access to the database? If we're only worried about someone tinkering with
>> >> the data, but not worried about locking down read access that might be a
>> >> cleaner solution.
>> >>
>> >> On Tue, Sep 16, 2014 at 9:58 AM, Bill Farner <wfar...@apache.org> wrote:
>> >>
>> >> > Since beginning migration of the internal database to H2, I've wanted to
>> >> > include the H2 web console [1] as a means for debugging the internal
>> >> > scheduler state. If we do that, we need to password-protect the database
>> >> > to prevent unauthorized tinkering.
>> >> >
>> >> > Does anybody have a preference for where the scheduler gets that password?
>> >> > The obvious choices are directly on the command line, or from a file
>> >> > referenced on the command line. However, I'm open to ideas I haven't
>> >> > thought of.
>> >> >
>> >> > [1] http://www.h2database.com/html/quickstart.html#h2_console
>> >> > (ignore the Windows/launching instructions - we will embed it as a servlet)
>> >> >
>> >> > -=Bill
>
> --
> Kevin Sweeney
> @kts
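
An added illustration of the file-based option discussed in this thread (not code from the Aurora project or from any participant): a loader that takes only the path of a properties file on the command line and refuses a file that group or other accounts can read or write. The class name `DbSecretLoader` and the `password` key are assumptions made for this example.

```java
import java.io.IOException;
import java.io.Reader;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.nio.file.attribute.PosixFilePermission;
import java.util.Collections;
import java.util.EnumSet;
import java.util.Properties;
import java.util.Set;

// Hypothetical helper, not Aurora code: reads a database password from a
// properties file so the secret never appears in the process arguments.
public final class DbSecretLoader {
  private static final String PASSWORD_KEY = "password"; // key name is an assumption

  // Any of these bits lets an account other than the owner read or alter the secret.
  private static final Set<PosixFilePermission> TOO_OPEN = EnumSet.of(
      PosixFilePermission.GROUP_READ, PosixFilePermission.GROUP_WRITE,
      PosixFilePermission.OTHERS_READ, PosixFilePermission.OTHERS_WRITE);

  public static char[] load(Path file) throws IOException {
    // POSIX file systems only; throws UnsupportedOperationException elsewhere.
    Set<PosixFilePermission> perms = Files.getPosixFilePermissions(file);
    if (!Collections.disjoint(perms, TOO_OPEN)) {
      throw new IOException(file + " must be readable and writable by its owner only");
    }
    Properties props = new Properties();
    try (Reader in = Files.newBufferedReader(file, StandardCharsets.UTF_8)) {
      props.load(in);
    }
    String password = props.getProperty(PASSWORD_KEY);
    if (password == null || password.isEmpty()) {
      throw new IOException(file + " has no '" + PASSWORD_KEY + "' entry");
    }
    return password.toCharArray();
  }

  public static void main(String[] args) throws IOException {
    if (args.length != 1) {
      System.err.println("usage: DbSecretLoader <properties-file>");
      System.exit(2);
    }
    // Only the file path is visible to `ps`; the password stays in the file.
    char[] password = load(Paths.get(args[0]));
    System.out.println("loaded a password of " + password.length + " characters");
  }
}
```

The permission check fails closed: a file with mode 0644 is rejected before it is parsed, while one with mode 0600 is accepted.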