[OTDev] A&A: Policy cleanup
Nina Jeliazkova jeliazkova.nina at gmail.com
Mon Jan 31 11:05:58 CET 2011

Hi Andreas, All,

On 31 January 2011 11:00, Andreas Maunz <andreas at maunz.de> wrote:

> Hi Nina, Martin,
>
> Martin Guetlein wrote on 01/31/2011 09:20 AM:
>
>> On Mon, Jan 31, 2011 at 9:18 AM, Martin Guetlein
>> <martin.guetlein at googlemail.com> wrote:
>>
>>> On Mon, Jan 31, 2011 at 8:30 AM, Nina Jeliazkova
>>> <jeliazkova.nina at gmail.com> wrote:
>>>
>>>> Dear Andreas, All,
>>>>
>>>> On 31 January 2011 09:02, Andreas Maunz <andreas at maunz.de> wrote:
>>>>
>>>>> Dear all,
>>>>>
>>>>> I see many of you using A&A facilities for test-driving their local
>>>>> installations.
>>>>> This is apparent through the use of host names without a top-level
>>>>> domain (no fully qualified domain names (FQDN), such as 'localhost').
>>>>> A problem is that people many times seem to throw away their testbeds
>>>>> and forget to clean up the policies they created.
>>>>> This results in a mass of policies taking resources unnecessarily.
>>>>> Thus, I propose a scheduled garbage collection on the policy service
>>>>> that cleans up policies without an FQDN every Sunday (let's say).
>>>>>
>>>>> What do you think about it?
>>>>
>>>> Fully agree.
>>>>
>>>> IMHO, "localhost" URIs should not be used anywhere in OpenTox services
>>>> (including AA), as this defeats the purpose of OpenTox URIs being
>>>> dereferenceable. Using "localhost" should be considered a bug.
>>>>
>>>> We are also seeing a lot of "localhost" URIs in Ambit services and could
>>>> consider similar "garbage collecting".
>>>>
>>>> Best regards,
>>>> Nina
>>>
>>> Agree as well. I would propose to not allow the host "localhost" (on
>>> the SSO servers part, if possible), as this only leads to problems.
>
> Right, host names are evil. "localhost" was also just an example - people
> use other hostnames and have their local name resolution mechanism resolve
> them (aliases for 127.0.0.1).
> Thus, the criterion should indeed be "dereferenceability", i.e. DNS
> resolution.
> For IP addresses in URIs, I propose to use a regex that excludes 127.0.0.1
> and known private IPv4 subnets.
>
> Obviously, for the upcoming IPv6 we will need an elaborate solution.
>
> Would be better to avoid IP addresses altogether and use FQDN only.
>
>>> Is there a common test-user that everybody can use? The policies of
>>> this user can be deleted from time to time. I started to use 'test'
>>> and/or 'anonymous' for test runs with Ambit/Ntua/Tum, and I cannot
>>> promise to keep track of all created policies.
>
> A common test user would be great. Indeed, people use "guest", but since
> that name coincides with the public login for human end users, we should
> think about a different solution.

AFAIK there is user test, created by our request some months ago, exactly
for testing purposes. Ideally, there should be completely separate
OpenSSO+policy service installation, and not mix testing and production
services.

Best regards,
Nina

> In summary, as a first step I propose to clean up policies based on DNS
> resolution and IP address filtering as described above, starting with an
> extraordinary run tomorrow and then with a weekly schedule on Sundays.
>
> Regards
> Andreas
> _______________________________________________
> Development mailing list
> Development at opentox.org
> http://www.opentox.org/mailman/listinfo/development
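
The cleanup criterion discussed in this thread (DNS resolution for host names, plus excluding 127.0.0.1 and private subnets for IP literals) could be checked as in the following added example, which is not code from the OpenTox policy service. The policy ids, URIs and the `sample_resolve` stand-in for DNS are constructed, and Python's `ipaddress` module is used instead of the proposed regex so that IPv6 literals are covered as well.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

def dns_resolve(host):
    """Live lookup via the system resolver; raises OSError if the name is unknown."""
    return {info[4][0] for info in socket.getaddrinfo(host, None)}

def is_dereferenceable(uri, resolve=dns_resolve):
    """True only if the URI's host is publicly reachable by name or address."""
    host = urlsplit(uri).hostname
    if not host:
        return False
    try:
        addrs = [ipaddress.ip_address(host)]       # IP literal, v4 or v6
    except ValueError:
        if "." not in host.rstrip("."):            # 'localhost', 'mybox': no domain part
            return False
        try:
            addrs = [ipaddress.ip_address(a) for a in resolve(host)]
        except (OSError, ValueError):              # name does not resolve
            return False
    # is_global is False for loopback, RFC 1918, link-local and IPv6 ULA ranges,
    # so a dotted alias that resolves to 127.0.0.1 is caught here as well.
    return bool(addrs) and all(a.is_global for a in addrs)

def cleanup_candidates(policies, resolve=dns_resolve):
    """Return ids of policies whose resource URI is not dereferenceable."""
    return [pid for pid, uri in policies if not is_dereferenceable(uri, resolve)]

# Constructed sample data: policy ids, URIs and DNS answers are made up.
SAMPLE_DNS = {"services.example.org": ["8.8.8.8"], "dev.example.org": ["127.0.0.1"]}
SAMPLE_POLICIES = [
    ("p1", "http://localhost:8080/model/1"),
    ("p2", "http://mybox/dataset/7"),
    ("p3", "http://192.168.1.20/algorithm/3"),
    ("p4", "http://[::1]:8080/task/9"),
    ("p5", "http://dev.example.org/model/2"),
    ("p6", "http://gone.example.org/model/4"),
    ("p7", "https://services.example.org/model/5"),
]

def sample_resolve(host):
    """Offline stand-in for DNS, backed by SAMPLE_DNS."""
    if host not in SAMPLE_DNS:
        raise OSError("unknown host: " + host)
    return SAMPLE_DNS[host]

if __name__ == "__main__":
    print(cleanup_candidates(SAMPLE_POLICIES, sample_resolve))
```

A scheduled job would pass the real policy list and keep the default `dns_resolve`; treating a transient DNS failure as "not dereferenceable" is a policy choice that a production cleanup may want to soften with retries.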