Hi Nina, Martin,

Martin Guetlein wrote on 01/31/2011 09:20 AM:
> On Mon, Jan 31, 2011 at 9:18 AM, Martin Guetlein
> <martin.guetlein at googlemail.com>  wrote:
>> On Mon, Jan 31, 2011 at 8:30 AM, Nina Jeliazkova
>> <jeliazkova.nina at gmail.com>  wrote:
>>> Dear Andreas, All,
>>>
>>>
>>> On 31 January 2011 09:02, Andreas Maunz<andreas at maunz.de>  wrote:
>>>
>>>> Dear all,
>>>>
>>>> I see many of you using A&A facilities for test-driving their local
>>>> installations.
>>>> This is apparent through the use of host names without a top-level domain
>>>> (no fully qualified domain names (FQDN), such as 'localhost').
>>>> A problem is that people many times seem to throw away their testbeds and
>>>> forget to clean up the policies they created.
>>>> This results in a mass of policies taking resources unnecessarily.
>>>> Thus, I propose a scheduled garbage collection on the policy service that
>>>> cleans up policies without an FQDN every Sunday (let's say).
>>>>
>>>> What do you think about it?
>>>
>>> Fully agree.
>>>
>>> IMHO,  "localhost" URIs should not be used anywhere in OpenTox services
>>> (including AA), as this defeats the purpose of OpenTox URIs being
>>> dereferencable.  Using "localhost" should be considered a bug.
>>>
>>> We are also seeing lot of "localhost" URIs in Ambit services and could
>>> consider similar "garbage collecting".
>>>
>>> Best regards,
>>> Nina
>>
>> Agree as well. I would propose to not allow the host "localhost" (on
>> the SSO servers part, if possible), as this only leads to problems.

Right, host names are evil. "localhost" was also just an example- people 
use other hostnames and have their local name resolution mechanism 
resolve them (aliases for 127.0.0.1).
Thus, the criterion should indeed be "dereferencability", i.e. DNS 
resolution.
For IP adresses in URIs, I propose to use a regex that excludes 
127.0.0.1 and known private IPv4 subnets.
Obviously, for the upcoming IPv6 we will need an elaborate solution.

>> Is there a common test-user that everybody can use? The policies of
>> this user can be deleted from time to time. I started to use 'test'
>> and/or 'anonymous' for test runs with Ambit/Ntua/Tum, and I cannot
>> promise to keep track of all created policies.

A common test user would be great. Indeed, people use "guest", But since 
that name coincides with the public login for human end users, we should 
think about a different solution.

In summary, as a first step I propose to clean up policies based on DNS 
resolution and IP address filtering as described above, starting with an 
extraordinary run tomorrow and then with a weekly schedule on Sundays.

Regards
Andreas