[jboss-as7-dev] Independent / Orphaned Hosts

Darran Lofthouse darran.lofthouse at jboss.com
Tue Feb 8 13:28:43 EST 2011


Do you think running a host that has never connected to a domain 
controller is something we would need to support?

Using the console to then set the domain controller location - or can 
the first domain controller be required in the host.xml?

Regards,
Darran Lofthouse.


On 02/08/2011 06:25 PM, Brian Stansberry wrote:
> For a host to start without contacting the DC, we are going to require a
> flag to be passed on the command line; if that flag is passed the host
> can boot using the domain config it last received from the DC. So it
> would have domain configuration information that way.
>
> We could say that passing that flag on the command line is insufficient
> to let the host be normally manageable and lock it down like you say.
> But I'm not sure trying to use an alternate security config that only
> lets someone (who?, authenticated how?) do some things (which things are
> hard coded in Java) is worth it. Some alternatives:
>
> 1) The command line flag described above applies to management security
> as well; i.e. the last known config is used.
>
> 2) The command line flag does not apply to management security; a
> separate flag is used. If that second flag is provided, the last known
> config is used. If someone wants to manage the host and doesn't want to
> pass that flag, they need to edit the XML.
>
>
> On 2/8/11 11:01 AM, Darran Lofthouse wrote:
>> From some discussions today it has become apparent that we may need to
>> receive requests over the management APIs on hosts not currently
>> connected to a domain controller.  The hosts may not be connected either
>> because the domain controller has gone or because they are a new host
>> not currently connected to a domain controller.
>>
>> From a securing the management APIs perspective could it be reasonable
>> to consider this a special case and maybe approach it with a host
>> specific user account defined that if used to connect to the host will
>> only allow verification of the domain controller connection and
>> modification of the domain controller connection.
>>
>> Anything beyond that would require a domain controller connection so
>> that the full configuration for management API security can be pulled
>> from the domain controller.
>>
>> Regards,
>> Darran Lofthouse.
>
>



