+1 This looks really good!
I put a couple of comments inline, and I have a few more general questions here: 1. Is the RegionQueryInvocationAuthorizer different than our existing shiro permissions? I thought users can already grant permissions for specific regions. What does this add in addition to that? 2. I'm a little unclear on if your MethodInvocationAuthorizer.authorizeMethodInvocation is supposed to take a region or the target object. If it is really accepting a region, do we actually have a region available in all cases? We could be invoking methods on an object in lots of places in the query tree. 3. The DataAwareBasedMethodAuthorizer seems a bit vague on how it's actually going to work. It also might be a security risk, since it will allow users with DATA:READ permission to invoke any method on these objects. -Dan On Wed, Jun 19, 2019 at 11:34 AM Jacob Barrett <jbarr...@pivotal.io> wrote: > Thanks Juan! > > > On Jun 19, 2019, at 9:55 AM, Juan José Ramos <jra...@pivotal.io> wrote: > > > > Hello all, > > > > I've removed all "biased" words I could find from the original document > so > > the *Proposal [1]* is ready for review and discussion now. All feedback > is > > welcome. > > Best regards. > > > > [1]: > > > https://cwiki.apache.org/confluence/display/GEODE/OQL+Method+Invocation+Security > > > >> On Fri, Jun 14, 2019 at 8:39 PM Juan José Ramos <jra...@pivotal.io> > wrote: > >> > >> Hey Jake, > >> > >> Thanks for bringing this up. As you might have found out already, > english > >> is not my native language, I actually had to do some research to find > out > >> *exactly what you meant* regarding the bias around the "whitelist" word > >> :-|... It was an honest mistake and I sincerely apologize in advance if > >> anyone got offended in any way. > >> That said, I won't have time to go through the proposal and make the > >> required changes until next week, so I'll keep the document hidden until > >> all biased words are replaced. > >> Cheers. > >> > >> > >> On Sat, Jun 15, 2019 at 12:25 AM Jacob Barrett <jbarr...@pivotal.io> > >> wrote: > >> > >>>> As part of GEODE-3247 < > https://issues.apache.org/jira/browse/GEODE-3247>, > >>> several options were analysed and, after considering the wealth of > security > >>> holes and the difficulty of determining which methods deployed by the > >>> developer were intended to be available for queries and which were > not, the > >>> decision was made to tighten up the Security and, by default, disallow > any > >>> method call not explicitly whitelisted. > >>> > >>> Please avoid biased words, like whitelist, in source and proposals. > There > >>> are several other places in this document that use these terms. Can you > >>> please update the document without them. > >>> > >>> Thanks, > >>> Jake > >>> > >>> > >> > >> -- > >> Juan José Ramos Cassella > >> Senior Technical Support Engineer > >> Email: jra...@pivotal.io > >> Office#: +353 21 4238611 > >> Mobile#: +353 87 2074066 > >> After Hours Contact#: +1 877 477 2269 > >> Office Hours: Mon - Thu 08:30 - 17:00 GMT. Fri 08:30 - 16:00 GMT > >> How to upload artifacts: > >> https://support.pivotal.io/hc/en-us/articles/204369073 > >> How to escalate a ticket: > >> https://support.pivotal.io/hc/en-us/articles/203809556 > >> > >> [image: support] <https://support.pivotal.io/> [image: twitter] > >> <https://twitter.com/pivotal> [image: linkedin] > >> <https://www.linkedin.com/company/3048967> [image: facebook] > >> <https://www.facebook.com/pivotalsoftware> [image: google plus] > >> <https://plus.google.com/+Pivotal> [image: youtube] > >> < > https://www.youtube.com/playlist?list=PLAdzTan_eSPScpj2J50ErtzR9ANSzv3kl> > >> > > > > > > -- > > Juan José Ramos Cassella > > Senior Technical Support Engineer > > Email: jra...@pivotal.io > > Office#: +353 21 4238611 > > Mobile#: +353 87 2074066 > > After Hours Contact#: +1 877 477 2269 > > Office Hours: Mon - Thu 08:30 - 17:00 GMT. Fri 08:30 - 16:00 GMT > > How to upload artifacts: > > https://support.pivotal.io/hc/en-us/articles/204369073 > > How to escalate a ticket: > > https://support.pivotal.io/hc/en-us/articles/203809556 > > > > [image: support] <https://support.pivotal.io/> [image: twitter] > > <https://twitter.com/pivotal> [image: linkedin] > > <https://www.linkedin.com/company/3048967> [image: facebook] > > <https://www.facebook.com/pivotalsoftware> [image: google plus] > > <https://plus.google.com/+Pivotal> [image: youtube] > > < > https://www.youtube.com/playlist?list=PLAdzTan_eSPScpj2J50ErtzR9ANSzv3kl> >
