Feature #120

HONGD should be accessed using the GDP network protocol

Added by Eric Allman about 4 years ago. Updated about 4 years ago.

Status: New
Priority: Normal
Assignee: -
Category: -
Start date: 04/09/2019
Due date:
% Done: 0%


Description

Currently applications access HONGD by connecting directly to a MariaDB (or MySQL) server and running a query. This presents a huge attack surface for a relatively limited function. Ideally this would be accessed using the GDP network protocol itself. This presents some issues:

  • How does a client find the name of HONGD in the first place? It can't do so by asking HONGD.
  • How does HONGD determine whether the caller has appropriate permissions? For example, the creation service has the ability to add entries, but regular clients are read-only. This probably requires signed commands (see Issue #119).

Related issues

Related to GDP - Feature #119: GDP commands and responses should (potentially) be signed New 04/09/2019

History

#1 Updated by Eric Allman about 4 years ago

  • Related to Feature #117: All GDP objects should have keypairs and metadata added

#2 Updated by Eric Allman about 4 years ago

  • Related to deleted (Feature #117: All GDP objects should have keypairs and metadata)

#3 Updated by Eric Allman about 4 years ago

  • Related to Feature #119: GDP commands and responses should (potentially) be signed added

#4 Updated by Eric Allman about 4 years ago

  • Description updated (diff)
