List:       grass-dev
Subject:    Re: [GRASS-dev] Implement a REST API for GRASS
From:       Sören_Gebbert <soerengebbert () googlemail ! com>
Date:       2017-05-26 7:17:19
Message-ID: CAPHDReLGxLbVTt0C3X--NSPJb+mNPihed5KjHz30eGoenjo1LA () mail ! gmail ! com

2017-05-26 8:27 GMT+02:00 Maris Nartiss <maris.gis@gmail.com>:
> It is not about implementation but the concept itself. As soon as there
> will be an easy way how to provide GRASS GIS processing as a service,
> somebody will run it without understanding all security ramifications
> of allowing any input into GRASS. Securing GRASS code would be nice,
> but so far we are short on high level developers who could do it.
> I'm not voting against anyone making it easy to run GRASS via WPS or
> REST, I just want to be sure that lack of security against various remote
> threats is kept in mind.

This is true for all REST APIs or WPS
that expose legacy software functionality as an internet service.
To reduce security risks you have to be in control of
the input (parameters, files, database) to the legacy software
and provide access only to trusted people via authentication.

Best regards
Sören

>
> Māris.
>
>
> 2017-05-25 11:24 GMT+03:00 Blumentrath, Stefan <Stefan.Blumentrath@nina.no>:
>> Seen this: https://bitbucket.org/huhabla/open-graas?
>> Cheers
>> Stefan
>> ________________________________________
>> From: grass-dev [grass-dev-bounces@lists.osgeo.org] on behalf of Maris Nartiss [maris.gis@gmail.com]
>> Sent: Thursday, 25 May 2017 09:42
>> To: Pietro
>> Cc: GRASS developers list
>> Subject: Re: [GRASS-dev] Implement a REST API for GRASS
>>
>> I assume that both are equally dangerous. My opinion is that GRASS GIS
>> should not be exposed to any non-trustable users, as various smaller
>> and larger bugs are too common. Unless, of course, it runs inside a
>> throw-away VM.
>>
>> 2017-05-25 10:33 GMT+03:00 Pietro <peter.zamb@gmail.com>:
>>> Dear Māris,
>>>
>>> On Wed, May 24, 2017 at 8:52 PM, Maris Nartiss <maris.gis@gmail.com> wrote:
>>>>
>>>> GRASS GIS code has never been developed with security in mind. I would
>>>> not suggest to run it in a non-trustable environment.
>>>
>>>
>>> Do you think that exposing some GRASS modules through a REST API can be more
>>> dangerous than exposing the same modules through a WPS service? Why?
>>>
>>> Pietro
_______________________________________________
grass-dev mailing list
grass-dev@lists.osgeo.org
https://lists.osgeo.org/mailman/listinfo/grass-dev
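
Added example, not part of the thread and not code from GRASS or any poster: one way a REST front end could stay "in control of the input" before anything reaches a GRASS module, by accepting only allowlisted modules, parameter names and value patterns. The allowlist contents, the map-name pattern (stricter than GRASS itself requires) and the names `ALLOWED`, `build_argv` and `RejectedRequest` are assumptions for illustration; authentication is assumed to have happened before this function is called.

```python
import re

# Assumed policy: map names are plain identifiers, optionally name@mapset.
MAP_NAME = re.compile(r"[A-Za-z][A-Za-z0-9_]{0,63}(@[A-Za-z][A-Za-z0-9_]{0,63})?")

# Hypothetical allowlist: exposed modules and, per module, the accepted
# parameters with the pattern each value must fully match.
ALLOWED = {
    "r.info": {"map": MAP_NAME},
    "r.slope.aspect": {
        "elevation": MAP_NAME,
        "slope": MAP_NAME,
        "aspect": MAP_NAME,
        "format": re.compile(r"degrees|percent"),
    },
}
OUTPUT_PARAMS = {"slope", "aspect"}  # outputs may only go to the current mapset


class RejectedRequest(ValueError):
    """Raised for any request that falls outside the allowlist."""


def build_argv(request):
    """Turn an untrusted, JSON-decoded request into an argv list, or raise."""
    module = request.get("module") if isinstance(request, dict) else None
    params = request.get("params") if isinstance(request, dict) else None
    if not isinstance(module, str) or module not in ALLOWED:
        raise RejectedRequest("module not exposed")
    if not isinstance(params, dict) or not params:
        raise RejectedRequest("params must be a non-empty object")
    spec = ALLOWED[module]
    argv = [module]
    for key in sorted(params):
        value = params[key]
        if key not in spec:  # also blocks flags such as --overwrite
            raise RejectedRequest(f"unknown parameter: {key!r}")
        if not isinstance(value, str) or not spec[key].fullmatch(value):
            raise RejectedRequest(f"bad value for {key!r}")
        if key in OUTPUT_PARAMS and "@" in value:
            raise RejectedRequest(f"output {key!r} must be in current mapset")
        argv.append(f"{key}={value}")
    # Hand this list to subprocess.run(argv) directly; never build a shell string.
    return argv
```

Running the resulting command inside a disposable VM or container, as suggested earlier in the thread, remains a separate layer; validation only narrows what reaches the module.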