[jboss-as7-dev] Independent / Orphaned Hosts

Brian Stansberry brian.stansberry at redhat.com
Tue Feb 8 13:25:34 EST 2011


For a host to start without contacting the DC, we are going to require a 
flag to be passed on the command line; if that flag is passed the host 
can boot using the domain config it last received from the DC. So it 
would have domain configuration information that way.

We could say that passing that flag on the command line is insufficient 
to let the host be normally manageable and lock it down like you say. 
But I'm not sure trying to use an alternate security config that only 
lets someone (who? authenticated how?) do some things (which things are 
hard-coded in Java) is worth it.  Some alternatives:

1) The command line flag described above applies to management security 
as well; i.e. the last known config is used.

2) The command line flag does not apply to management security; a 
separate flag is used. If that second flag is provided, the last known 
config is used. If someone wants to manage the host and doesn't want to 
pass that flag, they need to edit the XML.


On 2/8/11 11:01 AM, Darran Lofthouse wrote:
> From some discussions today it has become apparent that we may need to
> receive requests over the management APIs on hosts not currently
> connected to a domain controller.  The hosts may not be connected either
> because the domain controller has gone or because they are a new host
> not currently connected to a domain controller.
>
> From a securing the management APIs perspective could it be reasonable
> to consider this a special case and maybe approach it with a host
> specific user account defined that if used to connect to the host will
> only allow verification of the domain controller connection and
> modification of the domain controller connection.
>
> Anything beyond that would require a domain controller connection so
> that the full configuration for management API security can be pulled
> from the domain controller.
>
> Regards,
> Darran Lofthouse.


-- 
Brian Stansberry
Principal Software Engineer
JBoss by Red Hat


