On 08/02/2011 09:19 AM, John R. Dunning wrote:
From: "Hugh Brock" hbrock@redhat.com
Date: Tue, 2 Aug 2011 09:10:58 -0400
[...]
I have no issues with this. We will need to decide if, in the case where factory + warehouse operate independently from Conductor, they still need to be part of the shared identity infrastructure with Katello and Conductor. If that turns out to be the case then the Warehouse is going to need to grow some kind of authentication and authorization capability. But I don't believe we need to decide that or worry about that now, do you?
Nope, not a lot. Like I said, just advocating that we keep in mind that there will likely be other use cases, so that it's less likely that we'll something in the code which will cause us to later say "D'oh!" and have to rip it out.
We are fine as long as we say that there are no use cases in which the end user is directly interacting with either of the components, i.e. IF or IWHD. If we say that the user CLI exists and can be launched, then we need to either build auth and authz or create a way to prevent this access in the integrated solution. For example, we can say that there are always 2 ports that these components expose - back door and front door. Back door is for the "I can do all unauthenticated type of connection" and the front door is for CLI/UI from the user where auth and authz are implemented. Then different doors can be opened in different configurations. In the independent case the front door would be required, in the integrated the back door. It is not required to build the auth/authz for the front door now - this can be deferred, but the separation of doors then has to be taken care of now. I mean make it configurable which doors are available, i.e. which ports/protocols the component is going to listen on.
There might be other approaches to solve the problem. This is just the first that came to mind.
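
The front-door/back-door split proposed in the message above, as an added example that is not code from this thread or from Image Factory/IWHD: a deployment mode selects which listeners a component opens, and only the front door checks credentials. The mode names, the `DOORS` table, the loopback bind address and the bearer-token check (standing in for the auth/authz the thread defers) are all assumptions made for illustration.

```python
import hmac
import http.client
import threading
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer

# Assumed layout: which doors each deployment mode opens (names are illustrative).
DOORS = {"integrated": ("back",), "independent": ("front",)}

def make_handler(door, token):
    expected = f"Bearer {token}".encode()

    class Handler(BaseHTTPRequestHandler):
        def do_GET(self):
            supplied = self.headers.get("Authorization", "").encode()
            # Front door: authenticate every request. Back door: trusted peer, no check.
            ok = door == "back" or hmac.compare_digest(supplied, expected)
            body = f"{door} door\n".encode() if ok else b""
            self.send_response(200 if ok else 401)
            self.send_header("Content-Length", str(len(body)))
            self.end_headers()
            self.wfile.write(body)

        def log_message(self, *args):  # keep the example quiet
            pass

    return Handler

def open_doors(mode, token, host="127.0.0.1"):
    """Start only the listeners the mode allows; ports are chosen by the OS."""
    if mode not in DOORS:
        raise ValueError(f"unknown deployment mode: {mode!r}")  # fail closed
    servers = {}
    for door in DOORS[mode]:
        srv = ThreadingHTTPServer((host, 0), make_handler(door, token))
        threading.Thread(target=srv.serve_forever, daemon=True).start()
        servers[door] = srv
    return servers

def probe(server, auth=None):
    """Return the HTTP status of GET / against one running door."""
    host, port = server.server_address[:2]
    conn = http.client.HTTPConnection(host, port, timeout=5)
    conn.request("GET", "/", headers={"Authorization": auth} if auth else {})
    status = conn.getresponse().status
    conn.close()
    return status

if __name__ == "__main__":
    doors = open_doors("independent", "constructed-token")
    print(sorted(doors), probe(doors["front"]), probe(doors["front"], "Bearer constructed-token"))
```

Because the back door accepts any caller, what protects it is the configuration that decides whether it is opened at all and which address it binds to, which is why an unknown mode raises instead of falling back to a default set of doors.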