From: Andreas U. <and...@ce...> - 2007-03-09 07:52:12
Hello Julio,

in case you're interested I recently put together a page that describes
our setup:

https://twiki.cern.ch/twiki/bin/view/Virtualization/GDVirtualization

We use SmartDomains which is a set of SF components but has no portal
itself. In addition to that a portal (called vgrid) was developed to
launch virtual machines. Experience showed that users are somehow
reluctant to write SF descriptions and to learn about SF details in
general. On the other hand there are users who deploy with sfStart.
Anyway, because of our usage of .sf templates, both deploying through
the portal and sfStart give the same component structure.

We use sfManagementConsole to change attributes in running SmartDomain
components. The ManagementConsole is not integrated into the portal and
my understanding is that this is not so straightforward (there was some
discussion about this last year on this mailing list). So I'm not sure
if we will ever achieve a "portal only" solution. Maybe the Avalanche
project you mention in the other mail gives some answers...

Having an sfStart with automatic signing would be very useful for us as
it allows us to enable SF security without having to change our usage
habits. So I'll put this request into the tracker as you suggested.

Best regards,
Andreas

Guijarro, Julio wrote:
> Hi Andreas,
>
> If you are using a portal to deploy your system (ex. Smartdomains), then
> you can have the portal doing all the signing on behalf of the users in
> a transparent way. Another way is that the user uses the portal to send
> his description and then get a jar file properly signed that he can then
> deploy.
>
> In any case, all this is possible today using the shell scripts
> available in the dist/bin/security directory and the signing is done
> using ant. The ant task that we don't have is one that combines sfStart
> and signing in one single operation but that is very easy to implement.
> If you are interested in something like this please put a request in
> jira.smartfrog.org and we will try to make it available for the next
> release.
>
> About the Management console, the same applies to it when it connects
> to a daemon as an independent application and therefore it needs to be
> signed before it can connect to the remote daemons. This should not be a
> problem because the management console is part of the core services and
> you will already have signed those for your deployment.
>
> For clarification follow the steps that I sent before and then try to
> use the console using the signed jar (private dirs) and then the
> unsigned jar (normal dist jar file).
>
> Regards,
>
> Julio Guijarro
>
> -----Original Message-----
> From: sma...@li... [mailto:sma...@li...] On Behalf Of Andreas Unterkircher
> Sent: 08 March 2007 12:28
> To: Steve Loughran
> Cc: Smartfrog Support
> Subject: Re: [Smartfrog-support] SF Security: How to enable
>
> Hello Steve & Antonio,
>
> thanks for your replies. So my understanding now is that it is currently
> not possible to, I cite from my mail:
>
> What we want to achieve is that only certain users can deploy into the
> SF daemons we are running on several machines.
>
> But that there is a plan to do this via ant tasks. When this is
> available one could think of modifying the sfStart script so that it
> calls the ant task behind the scenes to do the deployment.
>
> Another question related to security:
>
> When security is switched on what happens to the sfManagementConsole?
> Is it still possible to use it (and to terminate components or modify
> attributes)?
>
> Thanks,
> Andreas
>
> Steve Loughran wrote:
>> Andreas Unterkircher wrote:
>>>> -- Note that when using security you cannot load descriptions from the
>>>> file system, the descriptions have to be contained in signed jars.
>>>
>>> What we want to achieve is that only certain users can deploy into the
>>> SF daemons we are running on several machines. If I understand correctly
>>> to achieve this a user who wants to deploy when security is enabled has
>>> to do:
>>>
>>> - have the key
>>> - create the description (an ASCII .sf file)
>>> - put the description in a jar
>>> - sign the jar
>>> - deploy
>>>
>>> Am I right with this? If yes, is there a sfStart script that does this
>>> in a transparent way? I mean the user still types "sfStart host name
>>> description.sf" but behind the scenes the jar generation and signing
>>> takes place.
>>
>> The world view has always been that you create and sign the JARs before
>> you start.
>>
>> There is some placeholder support for this in the Ant tasks, but as it
>> doesn't have any tests, it still doesn't exist.
>>
>> If it did exist, the code would contain:
>>
>> * a <security> datatype with keystore, policy file, alias and security
>>   properties
>> * a <sf-sign> task that signs jars, using a nested or referenced
>>   <security> datatype
>> * all the ant tasks to start/call smartfrog to take a nested or
>>   referenced <security> datatype and to use it to set up their JVM
>>   properties.
>>
>> what is not in the written-but-not-tested state is support for dynamic
>> JAR file creation and signing if you have any inline application using
>> <sf:deploy> or the like, which is something I've just added as JIRA
>> feature SFOS-88.
>>
>> I may add this, but would do it as part of the move to Ant1.7 only
>> tasks. Is everyone ready for that?
>>
>> -steve

--
Andreas Unterkircher
IT Department
Grid Deployment Group
CERN
CH-1211 Geneva 23