Posted to dev@teaclave.apache.org by ly137062117 <no...@github.com> on 2020/06/29 13:06:14 UTC

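[apache/incubator-teaclave] Does the Python script in the Access Control service take part in permission checks in a real environment? (#374)

While reading the source code of the Access Control module recently, I found a few things I don't quite understand:
(1) The permission-check logic in acs.rs ultimately calls the acs_enforce_request() and acs_announce_fact() functions, and these two functions are implemented in the acs_engine.py script. After the teaclave service starts, is acs_engine.py compiled into a binary that takes part in the permission check? If it is not compiled, then when the py script is tampered with by someone (for example, the logic of acs_enforce_request() and acs_announce_fact() is altered), wouldn't the permission check become ineffective?
(2) When the model.conf file is loaded, there is no encryption/decryption or verification of any kind. If someone modifies the contents of model.conf (for example, setting user_access_data to always be true), wouldn't the permission-check logic also become ineffective?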

-- 
You are receiving this because you are subscribed to this thread.
Reply to this email directly or view it on GitHub:
https://github.com/apache/incubator-teaclave/issues/374

Re: [apache/incubator-teaclave] Does the Python script in the Access Control service take part in permission checks in a real environment? (#374)

Posted by Mingshen Sun <no...@github.com>.
Since there's no more question, I'm closing this issue.


Re: [apache/incubator-teaclave] Does the Python script in the Access Control service take part in permission checks in a real environment? (#374)

Posted by Mingshen Sun <no...@github.com>.
`acs_engine.py` and `model.conf` are both statically compiled into the enclave.


Re: [apache/incubator-teaclave] Does the Python script in the Access Control service take part in permission checks in a real environment? (#374)

Posted by ly137062117 <no...@github.com>.
How is the model.conf file compiled into the enclave? Can a configuration file be statically compiled too?


Re: [apache/incubator-teaclave] Does the Python script in the Access Control service take part in permission checks in a real environment? (#374)

Posted by Mingshen Sun <no...@github.com>.
Via `include_str!` (https://doc.rust-lang.org/std/macro.include_str.html).

https://github.com/apache/incubator-teaclave/blob/80fe5e9b78f3d5a023a07f9b44cabf4bd994a919/services/access_control/enclave/src/acs.rs#L33


Re: [apache/incubator-teaclave] Does the Python script in the Access Control service take part in permission checks in a real environment? (#374)

Posted by Mingshen Sun <no...@github.com>.
Closed #374.
