For a host to start without contacting the DC, we are going to require a
flag to be passed on the command line; if that flag is passed the host
can boot using the domain config it last received from the DC. So it
would have domain configuration information that way.
We could say that passing that flag on the command line is insufficient
to let the host be normally manageable and lock it down like you say.
But I'm not sure trying to use an alternate security config that only
lets someone (who?, authenticated how?) do some things (which things are
hard-coded in Java) is worth it. Some alternatives:
1) The command line flag described above applies to management security
as well; i.e. the last known config is used.
2) The command line flag does not apply to management security; a
separate flag is used. If that second flag is provided, the last known
config is used. If someone wants to manage the host and doesn't want to
pass that flag, they need to edit the xml.
On 2/8/11 11:01 AM, Darran Lofthouse wrote:
From some discussions today it has become apparent that we may need to
receive requests over the management APIs on hosts not currently
connected to a domain controller. The hosts may not be connected either
because the domain controller has gone or because they are a new host
not currently connected to a domain controller.
From a securing the management APIs perspective could it be reasonable
to consider this a special case and maybe approach it with a host
specific user account defined that if used to connect to the host will
only allow verification of the domain controller connection and
modification of the domain controller connection.
Anything beyond that would require a domain controller connection so
that the full configuration for management API security can be pulled
from the domain controller.
Regards,
Darran Lofthouse.
_______________________________________________
jboss-as7-dev mailing list
jboss-as7-dev(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/jboss-as7-dev
--
Brian Stansberry
Principal Software Engineer
JBoss by Red Hat
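To make the trade-off between the three options in this thread concrete, here is an added policy model (not AS7 project code, and not anything either poster wrote). It assumes a hypothetical host state (whether the DC is reachable, whether the "use cached config" flag was passed, a hard-coded local bootstrap account) and hypothetical operation names for "verify the DC connection" and "change the DC connection"; authentication is taken as already done, so the open question of how the bootstrap account authenticates is deliberately outside the model.

```python
from dataclasses import dataclass
from enum import Enum

# Management operations the thread singles out: verifying and changing the
# domain-controller connection. Hypothetical names, not AS7 operation names.
DC_CONNECTION_OPS = frozenset({"read-dc-connection", "write-dc-connection"})


class Policy(Enum):
    # Alternatives 1/2 from the reply: when the DC is unreachable, fall back
    # to the last-known management security config, gated by a command-line flag.
    CACHED_CONFIG = "cached-config"
    # The original proposal: a host-specific account that may only inspect or
    # change the DC connection until a DC connection exists.
    BOOTSTRAP_ACCOUNT = "bootstrap-account"


@dataclass(frozen=True)
class HostState:
    dc_connected: bool
    dc_admins: frozenset       # principals the live DC-provided config authorizes
    cached_admins: frozenset   # principals the last-known (cached) config authorized
    cached_flag_passed: bool   # the command-line flag that permits cached security config
    bootstrap_user: str        # the hard-coded local account (hypothetical)


def authorize(state: HostState, policy: Policy, principal: str, op: str) -> tuple:
    """Return (allowed, reason) for an already-authenticated principal."""
    if state.dc_connected:
        # Normal case: full security config comes from the DC regardless of policy.
        if principal in state.dc_admins:
            return True, "authorized by DC-provided config"
        return False, "denied by DC-provided config"

    if policy is Policy.BOOTSTRAP_ACCOUNT:
        if principal != state.bootstrap_user:
            return False, "only the host bootstrap account is accepted while disconnected"
        if op in DC_CONNECTION_OPS:
            return True, "bootstrap account may verify/modify the DC connection"
        return False, f"{op} requires a DC connection"

    # Policy.CACHED_CONFIG: nothing is manageable unless the flag was passed;
    # without it, the only recourse is editing the host xml out of band.
    if not state.cached_flag_passed:
        return False, "cached security config not enabled; edit host xml out of band"
    if principal in state.cached_admins:
        return True, "authorized by last-known config"
    return False, "denied by last-known config"


def compare_policies(state: HostState, principal: str, op: str) -> dict:
    """Evaluate the same request under both policies; handy for seeing the difference."""
    return {p.value: authorize(state, p, principal, op) for p in Policy}


if __name__ == "__main__":
    # Constructed scenario: DC gone, flag passed, cached config knows "admin".
    down = HostState(False, frozenset({"admin"}), frozenset({"admin"}), True, "hostboot")
    for who, what in [("admin", "deploy"), ("hostboot", "deploy"),
                      ("hostboot", "write-dc-connection")]:
        print(who, what, compare_policies(down, who, what))
```

The model makes the reply's objection visible: under the bootstrap-account proposal the allowed set is fixed in code and the principal is a single local identity, whereas under the cached-config alternatives the normal realm and authorization data keep working, at the cost that a stale config is what is enforced while the DC is away.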