<div dir="ltr"><br><div class="gmail_extra"><br><div class="gmail_quote">On Sat, Dec 3, 2016 at 1:22 PM, David M. Lloyd <span dir="ltr"><<a href="mailto:david.lloyd@redhat.com" target="_blank">david.lloyd@redhat.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">I think this is a smart idea. I must ask though, why can I not start a<br>
batch job from another deployment? Is it just a design limitation?<br></blockquote><div><br></div><div>To start a job you need access to the job XML file and the CDI beans for the deployment. However there is no limitation on the other operations.</div><div> </div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<br>
Usually we'd want to restrict access to things not by deployment (which<br>
is a somewhat fluid concept) but by identity and authorization permissions.<br></blockquote><div><br></div><div>I'm going to be adding permissions too for each operation. My plan was to have a start, stop, restart, abandon and read permission for each operation. This proposal is more just not allowing A.war to stop a job from B.war if the two deployments are not setup as dependent on each other.</div><div> </div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div><div class="h5"><br>
On 12/02/2016 07:09 PM, James Perkins wrote:<br>
> Currently a deployment can view, stop, restart or abandon any batch job<br>
> that has been submitted or has been executed that exists in the job<br>
> repository. This includes batch jobs from other deployments if the job<br>
> repository is shared, which is the default. I cannot however start a<br>
> batch job from another deployment.<br>
><br>
> I'm proposing we limit visibility so that a deployment can only access<br>
> jobs which belong to that deployment.<br>
><br>
> I'd like to get some opinions on this.<br>
><br>
> There are some, possibly unacceptable, repercussions. For example if a<br>
> user has a deployment that displays information about batch jobs for all<br>
> deployments this change would break that. However it does seem wrong to<br>
> allow any deployment using a shared repository to stop, start or abandon<br>
> a job from a different deployment.<br>
><br>
> One, probably more complicated, option would be to have an attribute on<br>
> the job-repository to allow jobs to be visible to any deployment with<br>
> access to the job-repository.<br>
><br>
> --<br>
> James R. Perkins<br>
> JBoss by Red Hat<br>
><br>
><br>
</div></div>> ______________________________<wbr>_________________<br>
> wildfly-dev mailing list<br>
> <a href="mailto:wildfly-dev@lists.jboss.org">wildfly-dev@lists.jboss.org</a><br>
> <a href="https://lists.jboss.org/mailman/listinfo/wildfly-dev" rel="noreferrer" target="_blank">https://lists.jboss.org/<wbr>mailman/listinfo/wildfly-dev</a><br>
><br>
<span class="HOEnZb"><font color="#888888"><br>
--<br>
- DML<br>
______________________________<wbr>_________________<br>
wildfly-dev mailing list<br>
<a href="mailto:wildfly-dev@lists.jboss.org">wildfly-dev@lists.jboss.org</a><br>
<a href="https://lists.jboss.org/mailman/listinfo/wildfly-dev" rel="noreferrer" target="_blank">https://lists.jboss.org/<wbr>mailman/listinfo/wildfly-dev</a><br>
</font></span></blockquote></div><br><br clear="all"><div><br></div>-- <br><div class="gmail_signature" data-smartmail="gmail_signature"><div dir="ltr"><div><div dir="ltr"><div>James R. Perkins</div><div>JBoss by Red Hat</div></div></div></div></div>
</div></div>