Posted to dev@continuum.apache.org by Wendy Smoak <ws...@gmail.com> on 2011/01/10 02:59:43 UTC

Re: Build agent security

Any thoughts on this? -Wendy

On Tue, Dec 28, 2010 at 4:39 PM, Wendy Smoak <ws...@gmail.com> wrote:
> This bit of CONTINUUM-2599 caught my eye:
>
> "Current workaround to get Build Agent's installation is by directly
> using the Build Agent Web Service."
>
> I was under the impression that while the build agent would accept
> XML-RPC requests from anyone, it would only send responses back to the
> master defined in its config file. (See CONTINUUM-2044)
>
> Did something change and you are now able to connect directly to the
> agent and do things/get information without an authorization check?
> (There is no authentication/authorization on the build agent.
> (right?))
>
> In addition, a comment on 2044 reminded me that CONTINUUM-2545 added
> unsecured webdav access to the working copy.
>
> Any thoughts on whether build agents should be better secured, and if so how?
>
> * http://jira.codehaus.org/browse/CONTINUUM-2599
> * http://jira.codehaus.org/browse/CONTINUUM-2044
> * http://jira.codehaus.org/browse/CONTINUUM-2545
>
> --
> Wendy
>

Re: Build agent security

Posted by Marica Tan <ma...@gmail.com>.
Hi Wendy,

I think the shared key is the only way I can think of for now since it's not
possible to do user authorization/authentication in the agent.

--
Marica

On Mon, Jan 10, 2011 at 9:59 AM, Wendy Smoak <ws...@gmail.com> wrote:

> Any thoughts on this? -Wendy
>
> On Tue, Dec 28, 2010 at 4:39 PM, Wendy Smoak <ws...@gmail.com> wrote:
> > This bit of CONTINUUM-2599 caught my eye:
> >
> > "Current workaround to get Build Agent's installation is by directly
> > using the Build Agent Web Service."
> >
> > I was under the impression that while the build agent would accept
> > XML-RPC requests from anyone, it would only send responses back to the
> > master defined in its config file. (See CONTINUUM-2044)
> >
> > Did something change and you are now able to connect directly to the
> > agent and do things/get information without an authorization check?
> > (There is no authentication/authorization on the build agent.
> > (right?))
> >
> > In addition, a comment on 2044 reminded me that CONTINUUM-2545 added
> > unsecured webdav access to the working copy.
> >
> > Any thoughts on whether build agents should be better secured, and if so how?
> >
> > * http://jira.codehaus.org/browse/CONTINUUM-2599
> > * http://jira.codehaus.org/browse/CONTINUUM-2044
> > * http://jira.codehaus.org/browse/CONTINUUM-2545
> >
> > --
> > Wendy
> >
>
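
One way a shared key could gate XML-RPC calls to an agent, as an added example that is not part of the thread and not Continuum's code. It goes beyond a plain key check by signing each request with HMAC so the key never crosses the wire. The header names, the `getInstallations` method, and the key value are assumptions made for illustration.

```python
import hashlib
import hmac
import time
import xmlrpc.client
from xmlrpc.server import SimpleXMLRPCDispatcher

SHARED_KEY = b"constructed-example-key"  # constructed; load from agent config
MAX_SKEW = 300  # seconds a signed request is accepted for

def sign(key, body, ts):
    """HMAC-SHA256 over the timestamp and the raw XML-RPC request body."""
    msg = str(ts).encode() + b"\n" + body
    return hmac.new(key, msg, hashlib.sha256).hexdigest()

def verify(key, body, headers, now=None):
    """True only for a fresh timestamp and a matching signature."""
    now = time.time() if now is None else now
    try:
        ts = int(headers.get("X-Agent-Timestamp", ""))
    except ValueError:
        return False
    if abs(now - ts) > MAX_SKEW:
        return False
    sent = headers.get("X-Agent-Signature", "")
    # Constant-time comparison; bytes so non-ASCII input cannot raise.
    return hmac.compare_digest(sign(key, body, ts).encode(), sent.encode())

def get_installations():
    """Hypothetical agent method standing in for the real web service."""
    return ["jdk", "maven"]

dispatcher = SimpleXMLRPCDispatcher(allow_none=True)
dispatcher.register_function(get_installations, "getInstallations")

def handle(body, headers, key=SHARED_KEY, now=None):
    """Return (status, response); nothing is parsed or run before verify()."""
    if not verify(key, body, headers, now):
        return 401, b""
    return 200, dispatcher._marshaled_dispatch(body)

if __name__ == "__main__":
    body = xmlrpc.client.dumps((), "getInstallations").encode()
    ts = int(time.time())
    signed = {"X-Agent-Timestamp": str(ts),
              "X-Agent-Signature": sign(SHARED_KEY, body, ts)}
    print(handle(body, {})[0], handle(body, signed)[0])
```

A signed request can still be replayed inside the `MAX_SKEW` window; a per-request nonce cache or TLS between master and agent would close that gap.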