Hi Andreas, All,

On 31 January 2011 11:00, Andreas Maunz <andreas at maunz.de> wrote:

> Hi Nina, Martin,
>
> Martin Guetlein wrote on 01/31/2011 09:20 AM:
>
>  On Mon, Jan 31, 2011 at 9:18 AM, Martin Guetlein
>> <martin.guetlein at googlemail.com>  wrote:
>>
>>> On Mon, Jan 31, 2011 at 8:30 AM, Nina Jeliazkova
>>> <jeliazkova.nina at gmail.com>  wrote:
>>>
>>>> Dear Andreas, All,
>>>>
>>>>
>>>> On 31 January 2011 09:02, Andreas Maunz<andreas at maunz.de>  wrote:
>>>>
>>>>  Dear all,
>>>>>
>>>>> I see many of you using A&A facilities for test-driving their local
>>>>> installations.
>>>>> This is apparent through the use of host names without a top-level
>>>>> domain
>>>>> (no fully qualified domain names (FQDN), such as 'localhost').
>>>>> A problem is that people many times seem to throw away their testbeds
>>>>> and
>>>>> forget to clean up the policies they created.
>>>>> This results in a mass of policies taking resources unnecessarily.
>>>>> Thus, I propose a scheduled garbage collection on the policy service
>>>>> that
>>>>> cleans up policies without an FQDN every Sunday (let's say).
>>>>>
>>>>> What do you think about it?
>>>>>
>>>>
>>>> Fully agree.
>>>>
>>>> IMHO,  "localhost" URIs should not be used anywhere in OpenTox services
>>>> (including AA), as this defeats the purpose of OpenTox URIs being
>>>> dereferencable.  Using "localhost" should be considered a bug.
>>>>
>>>> We are also seeing lot of "localhost" URIs in Ambit services and could
>>>> consider similar "garbage collecting".
>>>>
>>>> Best regards,
>>>> Nina
>>>>
>>>
>>> Agree as well. I would propose to not allow the host "localhost" (on
>>> the SSO servers part, if possible), as this only leads to problems.
>>>
>>
> Right, host names are evil. "localhost" was also just an example- people
> use other hostnames and have their local name resolution mechanism resolve
> them (aliases for 127.0.0.1).
> Thus, the criterion should indeed be "dereferencability", i.e. DNS
> resolution.
> For IP adresses in URIs, I propose to use a regex that excludes 127.0.0.1
> and known private IPv4 subnets.
>




> Obviously, for the upcoming IPv6 we will need an elaborate solution.
>
>
Would be better to avoid IP addresses all together and use FQDN only.



>
>  Is there a common test-user that everybody can use? The policies of
>>> this user can be deleted from time to time. I started to use 'test'
>>> and/or 'anonymous' for test runs with Ambit/Ntua/Tum, and I cannot
>>> promise to keep track of all created policies.
>>>
>>
> A common test user would be great. Indeed, people use "guest", But since
> that name coincides with the public login for human end users, we should
> think about a different solution.
>
>
AFAIK there is user test, created by our request some months ago, exactly
for testing purposes.

Ideally, there should be completely separate OpenSSO+policy service
installation, and not mix testing and production services.

Best regards,
Nina


> In summary, as a first step I propose to clean up policies based on DNS
> resolution and IP address filtering as described above, starting with an
> extraordinary run tomorrow and then with a weekly schedule on Sundays.
>
>
> Regards
> Andreas
> _______________________________________________
> Development mailing list
> Development at opentox.org
> http://www.opentox.org/mailman/listinfo/development
>