Juan Hernandez has posted comments on this change.

Change subject: packaging: Move ROOT.war to the EAR

Patch Set 1:

> Juan, I'm not sure we're allowed to run-over the root context of the machine.
> This will collide with IPA as well as any other web server.

This is not the root context of the machine, just the root context of the instance of the application server where ovirt-engine is running. Right now this instance is the main instance of the application server, which is to be shared with other applications. But I think it should be a private instance used only for ovirt-engine. I started a discussion about that here:

http://lists.ovirt.org/pipermail/arch/2012-April/000510.html

Also take into account that we are already using that root context, the only difference is that we use a ROOT.war deployment outside the .ear file. I already mentioned this somewhere long ago: the way to avoid colliding with other applications is to add a common prefix to all the URLs that we use, something like /ovirt, /ovirt/api, /ovirt/...

> WRT the ca certificate and ssh key file, I actually prefer to cp it, than to
> allow a web servlet into the PKI area. The PKI area should be accessed as
> little as possible, only when needed. So when a new certificate is needed, it
> makes sense to allow the backend some access into this area. Other than that,
> it's better to put other areas in danger of sec issues and file corruption
> than the PKI area.

The problem with copying files is that we are putting variable content (that should go in /var/lib or /etc/pki) in the /usr/share directory, which is supposed to be constant. Not a big problem, just against the file system standards.

It is true that the PKI area is a security concern, but I think that adding this servlet doesn't increase the risks: all the ovirt-engine components (backend, restapi, etc) have full access to the private keys stored there.

--
To view, visit http://gerrit.ovirt.org/3782

Gerrit-MessageType: comment
Gerrit-Change-Id: I1d3aa9af7b78546b5449031c8db23ff766b68496
Gerrit-PatchSet: 1
Gerrit-Project: ovirt-engine
Gerrit-Branch: master
Gerrit-Owner: Juan Hernandez <juan.hernan...@redhat.com>
Gerrit-Reviewer: Doron Fediuck <dfedi...@redhat.com>
Gerrit-Reviewer: Juan Hernandez <juan.hernan...@redhat.com>
Gerrit-Reviewer: Ofer Schreiber <oschr...@redhat.com>