Posted to dev@continuum.apache.org by Deng Ching <oc...@apache.org> on 2011/05/31 10:57:18 UTC

Securing working copies in build agent (CONTINUUM-2632)

Currently, there is no security implemented for accessing (read-only) the
working copies in the build agent via webdav. For CONTINUUM-2632, I'm
planning to use a similar mechanism as with Maven when downloading/getting
artifacts from a secured repository:

1. Configure access credentials in continuum-buildagent.xml (or a new
configuration file, maybe continuum-buildagent-security.xml?). We can have
the access configuration either by user (Option A) or by project group
(Option B).

    ** Option A: Access to the working copy will be controlled per user,
making it more granular. The <projectGroupIds> element can contain a
comma-separated list of all the IDs of the project groups that the user
should be able to access. Drawback with this option is that the
configuration in the config file will be longer (compared to option B) if
there are a lot of users.

<userAccess>
  <username>dev1</username>
  <password>encrypted.password</password>
  <projectGroupIds>continuum.pg.id.1,continuum.pg.id.2</projectGroupIds>
</userAccess>


   ** Option B: Access to the working copy will be per project group. All
devs/users of a project group will use the same access key to view the
project group's working copy. Drawback with this option is that the secret
key is shared across multiple users (e.g. devs and users for the project
group).

<projectGroupAccess>
  <projectGroupAccessId>project.group.id</projectGroupAccessId>
  <secretKey>encryptedsecretkey</secretKey>
</projectGroupAccess>


2. Use Maven's encryption API (that is used for encrypting/decrypting
server credentials in settings.xml) to encrypt and decrypt the secret keys,
with the use of a master password.

On a related note, for CONTINUUM-2044 (Build agent should only accept
requests from its master), it was suggested in the discussion threads linked
below to use a shared key between the master and the build agent. We can
extend the implementation proposed above by having a separate configuration
for the continuum master's access key, where the build agent can match the
access key provided by the master when it invokes a call to the build agent
(sample configuration below). In case we go in the direction of allowing a
build agent to have multiple masters in future, the following configuration
would be able to accommodate it as well.

<continuumMasterAccessKeys>
  <continuumMasterAccessKey>
    <id>master_url_id</id> <!-- may not necessarily be the url of the continuum master, we can use a different identifier -->
    <secretKey>encryptedsecretkey</secretKey>
  </continuumMasterAccessKey>
</continuumMasterAccessKeys>



http://old.nabble.com/How-can-an-agent-be-sure-that-a-request-comes-from-its-master--td21546892.html
http://old.nabble.com/Added-WebDAV-interface-for-displaying-the-working-copies-from-build--agent-td29202005.html
http://old.nabble.com/Build-agent-security-td30547566.html

Any thoughts or suggestions? :)

Thanks,
Deng
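As an added illustration (not code from this thread or from Continuum), the Python model below implements the two checks the proposal sketches: the per-user access list of Option A, and the lookup of a master's access key by its configured id. It assumes a hypothetical <buildAgentSecurity> root element wrapping the proposed entries, and that the Maven-style master-password decryption has already run so the secrets appear in plain text. It also goes one step beyond the proposal's "match the access key": instead of the master sending the key itself, it sends an HMAC-SHA256 tag over the request computed with the shared key, so the secret never travels on the wire and a tag captured for one path does not verify for another.

```python
"""Model of the build-agent access checks sketched in the proposal above.

Added example, not Continuum code. Assumptions: a hypothetical
<buildAgentSecurity> root wraps the proposed elements, and the secret values
have already been decrypted with the master password (plain text here).
"""
import hashlib
import hmac
import xml.etree.ElementTree as ET

# Constructed sample configuration in the shape the proposal sketches.
SAMPLE_CONFIG = """\
<buildAgentSecurity>
  <userAccess>
    <username>dev1</username>
    <password>dev1-secret</password>
    <projectGroupIds>continuum.pg.id.1,continuum.pg.id.2</projectGroupIds>
  </userAccess>
  <userAccess>
    <username>dev2</username>
    <password>dev2-secret</password>
    <projectGroupIds>continuum.pg.id.2</projectGroupIds>
  </userAccess>
  <continuumMasterAccessKeys>
    <continuumMasterAccessKey>
      <id>master_url_id</id>
      <secretKey>master-shared-secret</secretKey>
    </continuumMasterAccessKey>
  </continuumMasterAccessKeys>
</buildAgentSecurity>
"""


def load_config(xml_text):
    """Parse the configuration into (users, masters).

    users maps username -> (password, set of readable project group ids);
    masters maps the master's configured id -> its shared secret.
    """
    root = ET.fromstring(xml_text)
    users = {}
    for entry in root.findall("userAccess"):
        name = (entry.findtext("username") or "").strip()
        password = (entry.findtext("password") or "").strip()
        group_list = entry.findtext("projectGroupIds") or ""
        groups = {g.strip() for g in group_list.split(",") if g.strip()}
        if name:
            users[name] = (password, groups)
    masters = {}
    for entry in root.iter("continuumMasterAccessKey"):
        key_id = (entry.findtext("id") or "").strip()
        secret = (entry.findtext("secretKey") or "").strip()
        if key_id and secret:
            masters[key_id] = secret
    return users, masters


def user_can_read(users, username, password, project_group_id):
    """Option A check: credentials match and the group is on the user's list."""
    stored_password, groups = users.get(username, ("", set()))
    # compare_digest takes time independent of where the strings first differ;
    # the comparison runs even for an unknown user so both outcomes do similar work.
    credentials_ok = hmac.compare_digest(stored_password.encode(), password.encode())
    if username not in users or not credentials_ok:
        return False
    return project_group_id in groups


def sign_request(secret, method, path, body):
    """HMAC-SHA256 tag over a master -> agent request under the shared key.

    Fields are length-prefixed so ("ab", "c") and ("a", "bc") cannot collide.
    """
    mac = hmac.new(secret.encode(), digestmod=hashlib.sha256)
    for part in (method, path, body):
        data = part.encode()
        mac.update(str(len(data)).encode() + b":" + data)
    return mac.hexdigest()


def verify_master_request(masters, master_id, method, path, body, signature):
    """Accept only if a configured master's key produced the tag (unknown id -> reject)."""
    secret = masters.get(master_id)
    if secret is None:
        return False
    expected = sign_request(secret, method, path, body)
    return hmac.compare_digest(expected.encode(), signature.encode())


if __name__ == "__main__":
    users, masters = load_config(SAMPLE_CONFIG)
    print(user_can_read(users, "dev1", "dev1-secret", "continuum.pg.id.1"))  # True
    print(user_can_read(users, "dev2", "dev2-secret", "continuum.pg.id.1"))  # False
    path = "/workingcopy/continuum.pg.id.1/"  # constructed; the real URL layout is not given
    tag = sign_request("master-shared-secret", "GET", path, "")
    print(verify_master_request(masters, "master_url_id", "GET", path, "", tag))  # True
    print(verify_master_request(masters, "unknown", "GET", path, "", tag))  # False
```

Two things the proposal does not settle are left out of the model deliberately: the tag carries no timestamp or nonce, so an identical request could be replayed until one is added, and user passwords are stored reversibly (as the proposal's encrypted values would be) rather than hashed, which is what a credential store should do when the agent never needs the plain value back.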

Re: Securing working copies in build agent (CONTINUUM-2632)

Posted by Wendy Smoak <ws...@gmail.com>.
On Wed, Jun 1, 2011 at 12:42 PM, Louis Smith <dr...@gmail.com> wrote:
> I have to ask - why would a remote build agent need to keep its copy after
> it is done?  Shouldn't a remote be setup to checkout, build, cleanup?
...
> I'd much prefer an option where I can set the build agents to leave nothing
> around that anyone could backdoor into.  Their remote lifecycle should be
> get it, do it, clean it.

That could definitely be an option (sounds familiar, it might be there
from before distributed builds, from someone just trying to save disk
space, or even for security, to not leave the source code lying
around.)

However the current implementation "prefers" to build on the same
agent it used before, in order to save the time and load of doing a
fresh checkout for every build.

-- 
Wendy

Re: Securing working copies in build agent (CONTINUUM-2632)

Posted by Louis Smith <dr...@gmail.com>.
I have to ask - why would a remote build agent need to keep its copy after
it is done?  Shouldn't a remote be setup to checkout, build, cleanup?
If it does a full package/install or deploy, its final output is stored
where it belongs anyway. And if I'm looking for site reports, they should
be deployed at my enterprise location; if I'm looking for compilation
results, the build log is all I need.

I'd much prefer an option where I can set the build agents to leave nothing
around that anyone could backdoor into.  Their remote lifecycle should be
get it, do it, clean it.

Louis

On Wed, Jun 1, 2011 at 12:27 PM, Brett Porter <br...@apache.org> wrote:

> I'd agree with Wendy, at least at this point. There's no need for the
> complexity of user or project-level auth on the build agent. We also should
> remember that anyone that can run a build, can access every working copy on
> the agent via the backdoor :)
>
> I do think there's some value to per-user access to the WC from the agent
> over HTTP, as long as none of the info is duplicated - but I'd consider that
> a separate feature, not a core part of how this should be implemented.
>
> - Brett
>
> On 01/06/2011, at 9:18 PM, Wendy Smoak wrote:
>
> > On Tue, May 31, 2011 at 4:57 AM, Deng Ching <oc...@apache.org> wrote:
> >> Currently, there is no security implemented for accessing (read-only) the
> >> working copies in the build agent via webdav. For CONTINUUM-2632, I'm
> >> planning to use a similar mechanism as with Maven when downloading/getting
> >> artifacts from a secured repository:
> > ...
> >
> > This seems to imply that people would be accessing the build agent
> > individually?  I don't think the build agent needs to know about users
> > -- the access should all go through the master which can handle
> > security via the user database.
> >
> > If you introduce an xml file on the build agent, how would it get
> > populated for a new build agent, or updated for an existing one?  It
> > also seems like that file would duplicate information already stored
> > in the user database (what user can see what group).
> >
> > I think the build agent should only respond to requests from the
> > master.  It shouldn't be talking to anybody else.  As long as it has
> > some way to verify that the request is indeed coming from the master,
> > I think that's enough to keep the working copies reasonably secure.
> >
> > --
> > Wendy
>
> --
> Brett Porter
> brett@apache.org
> http://brettporter.wordpress.com/
> http://au.linkedin.com/in/brettporter


-- 
Dr. Louis Smith, ThD
Chief Technology Officer, Kyra InfoTech
Colonel, Commemorative Air Force

Re: Securing working copies in build agent (CONTINUUM-2632)

Posted by Wendy Smoak <ws...@gmail.com>.
On Mon, Jun 13, 2011 at 1:45 AM, Jevica Arianne B. Zurbano
<je...@gmail.com> wrote:
> Are we using the security system of Continuum to authenticate or are we
> going to need a webservice for Redback authentication?

On the build agent?  My preference is for the build agent to talk to
the master, and for the master to handle all who-can-see-what
questions.

I think introducing user-based security on the build agent adds more
complexity than we need to solve the immediate problem of protecting
the source code from open access.

-- 
Wendy

Re: Securing working copies in build agent (CONTINUUM-2632)

Posted by "Jevica Arianne B. Zurbano" <je...@gmail.com>.
Are we using the security system of Continuum to authenticate or are we going to need a webservice for Redback authentication?


On Tuesday, 07 June, 2011 10:43 AM, Deng Ching wrote:
> Ok, makes sense :) I thought we'll be allowing per user access at the
> project level when I drafted the proposal.
>
> Thanks,
> Deng
>
> On Thu, Jun 2, 2011 at 12:27 AM, Brett Porter <br...@apache.org> wrote:
>
>> I'd agree with Wendy, at least at this point. There's no need for the
>> complexity of user or project-level auth on the build agent. We also should
>> remember that anyone that can run a build, can access every working copy on
>> the agent via the backdoor :)
>>
>> I do think there's some value to per-user access to the WC from the agent
>> over HTTP, as long as none of the info is duplicated - but I'd consider that
>> a separate feature, not a core part of how this should be implemented.
>>
>> - Brett
>>
>> On 01/06/2011, at 9:18 PM, Wendy Smoak wrote:
>>
>>> On Tue, May 31, 2011 at 4:57 AM, Deng Ching <oc...@apache.org> wrote:
>>>> Currently, there is no security implemented for accessing (read-only) the
>>>> working copies in the build agent via webdav. For CONTINUUM-2632, I'm
>>>> planning to use a similar mechanism as with Maven when downloading/getting
>>>> artifacts from a secured repository:
>>> ...
>>>
>>> This seems to imply that people would be accessing the build agent
>>> individually?  I don't think the build agent needs to know about users
>>> -- the access should all go through the master which can handle
>>> security via the user database.
>>>
>>> If you introduce an xml file on the build agent, how would it get
>>> populated for a new build agent, or updated for an existing one?  It
>>> also seems like that file would duplicate information already stored
>>> in the user database (what user can see what group).
>>>
>>> I think the build agent should only respond to requests from the
>>> master.  It shouldn't be talking to anybody else.  As long as it has
>>> some way to verify that the request is indeed coming from the master,
>>> I think that's enough to keep the working copies reasonably secure.
>>>
>>> --
>>> Wendy
>> --
>> Brett Porter
>> brett@apache.org
>> http://brettporter.wordpress.com/
>> http://au.linkedin.com/in/brettporter

-- 

Thanks,

Jev


Re: Securing working copies in build agent (CONTINUUM-2632)

Posted by Deng Ching <oc...@apache.org>.
Ok, makes sense :) I thought we'll be allowing per user access at the
project level when I drafted the proposal.

Thanks,
Deng

On Thu, Jun 2, 2011 at 12:27 AM, Brett Porter <br...@apache.org> wrote:

> I'd agree with Wendy, at least at this point. There's no need for the
> complexity of user or project-level auth on the build agent. We also should
> remember that anyone that can run a build, can access every working copy on
> the agent via the backdoor :)
>
> I do think there's some value to per-user access to the WC from the agent
> over HTTP, as long as none of the info is duplicated - but I'd consider that
> a separate feature, not a core part of how this should be implemented.
>
> - Brett
>
> On 01/06/2011, at 9:18 PM, Wendy Smoak wrote:
>
> > On Tue, May 31, 2011 at 4:57 AM, Deng Ching <oc...@apache.org> wrote:
> >> Currently, there is no security implemented for accessing (read-only) the
> >> working copies in the build agent via webdav. For CONTINUUM-2632, I'm
> >> planning to use a similar mechanism as with Maven when downloading/getting
> >> artifacts from a secured repository:
> > ...
> >
> > This seems to imply that people would be accessing the build agent
> > individually?  I don't think the build agent needs to know about users
> > -- the access should all go through the master which can handle
> > security via the user database.
> >
> > If you introduce an xml file on the build agent, how would it get
> > populated for a new build agent, or updated for an existing one?  It
> > also seems like that file would duplicate information already stored
> > in the user database (what user can see what group).
> >
> > I think the build agent should only respond to requests from the
> > master.  It shouldn't be talking to anybody else.  As long as it has
> > some way to verify that the request is indeed coming from the master,
> > I think that's enough to keep the working copies reasonably secure.
> >
> > --
> > Wendy
>
> --
> Brett Porter
> brett@apache.org
> http://brettporter.wordpress.com/
> http://au.linkedin.com/in/brettporter

Re: Securing working copies in build agent (CONTINUUM-2632)

Posted by Brett Porter <br...@apache.org>.
I'd agree with Wendy, at least at this point. There's no need for the complexity of user or project-level auth on the build agent. We also should remember that anyone that can run a build, can access every working copy on the agent via the backdoor :)

I do think there's some value to per-user access to the WC from the agent over HTTP, as long as none of the info is duplicated - but I'd consider that a separate feature, not a core part of how this should be implemented.

- Brett

On 01/06/2011, at 9:18 PM, Wendy Smoak wrote:

> On Tue, May 31, 2011 at 4:57 AM, Deng Ching <oc...@apache.org> wrote:
>> Currently, there is no security implemented for accessing (read-only) the
>> working copies in the build agent via webdav. For CONTINUUM-2632, I'm
>> planning to use a similar mechanism as with Maven when downloading/getting
>> artifacts from a secured repository:
> ...
> 
> This seems to imply that people would be accessing the build agent
> individually?  I don't think the build agent needs to know about users
> -- the access should all go through the master which can handle
> security via the user database.
> 
> If you introduce an xml file on the build agent, how would it get
> populated for a new build agent, or updated for an existing one?  It
> also seems like that file would duplicate information already stored
> in the user database (what user can see what group).
> 
> I think the build agent should only respond to requests from the
> master.  It shouldn't be talking to anybody else.  As long as it has
> some way to verify that the request is indeed coming from the master,
> I think that's enough to keep the working copies reasonably secure.
> 
> -- 
> Wendy

--
Brett Porter
brett@apache.org
http://brettporter.wordpress.com/
http://au.linkedin.com/in/brettporter

Re: Securing working copies in build agent (CONTINUUM-2632)

Posted by Wendy Smoak <ws...@gmail.com>.
On Tue, May 31, 2011 at 4:57 AM, Deng Ching <oc...@apache.org> wrote:
> Currently, there is no security implemented for accessing (read-only) the
> working copies in the build agent via webdav. For CONTINUUM-2632, I'm
> planning to use a similar mechanism as with Maven when downloading/getting
> artifacts from a secured repository:
...

This seems to imply that people would be accessing the build agent
individually?  I don't think the build agent needs to know about users
-- the access should all go through the master which can handle
security via the user database.

If you introduce an xml file on the build agent, how would it get
populated for a new build agent, or updated for an existing one?  It
also seems like that file would duplicate information already stored
in the user database (what user can see what group).

I think the build agent should only respond to requests from the
master.  It shouldn't be talking to anybody else.  As long as it has
some way to verify that the request is indeed coming from the master,
I think that's enough to keep the working copies reasonably secure.

-- 
Wendy