
Comments (3)

dguendisch commented on August 25, 2024

Hi Gregor,

the repository key has quite some history and originates from SAP (HANA) Cloud Platform days when it was THE authentication mechanism for apps on their repositories.
Nowadays the main authentication on a document service repository is a dedicated client certificate being present on every app/VM. It is used when establishing the ssl connection to the document service.
A repository created in account A can only be accessed by apps running in account A (but not by apps running in account B), and this isolation is secured by the aforementioned certificate.
Some more details on this can be found here: https://help.sap.com/viewer/b0cc1109d03c4dc299c215871eed8c42/Cloud/en-US/f639d68ff43347e6ac0453541b5daada.html

As account authentication and isolation is enforced by the client cert now, the repository key has "lost" its importance. Theoretically it can be used to e.g. only allow app X in account A to access a repository R and at the same time ensure that app Y in account A cannot access this repository R, but that's a rarer use case given the fact that typically people who are allowed to deploy app X or app Y can reset repository keys as well, or simply redeploy app X or Y again to extract the repository key.

Given that, it's not a security issue to store the repository key in plain text, but I agree that the reference app could be improved by showing the usage of the CP password storage which people might need for other scenarios anyway.

Regards,
Dieter

from cloud-espm-v2.
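The improvement Dieter suggests, as an added example (not code from the cloud-espm-v2 project or from the comment above): keep the repository key in the SAP Cloud Platform password storage instead of in plain text, and connect to the document service through the `EcmService` and `RepositoryOptions` API. The client certificate that enforces account isolation is presented automatically by the preprovisioned OpenCMIS client, so nothing certificate-related appears in application code. The JNDI names `EcmService` and `PasswordStorage` are assumed to be declared as resource-refs in the app's `web.xml`; the repository unique name, the password-storage alias, and the policy of generating a random key on first run are assumptions for illustration.

```java
// Added example, not the cloud-espm-v2 project's own code.
// Assumptions: "EcmService" and "PasswordStorage" are resource-refs in web.xml;
// REPOSITORY_UNIQUE_NAME and KEY_ALIAS are hypothetical names; on first run
// (no key stored yet) the app is allowed to generate one itself.
import java.security.SecureRandom;
import java.util.Base64;

import javax.naming.InitialContext;
import javax.naming.NamingException;

import org.apache.chemistry.opencmis.client.api.Session;
import org.apache.chemistry.opencmis.commons.exceptions.CmisObjectNotFoundException;

import com.sap.cloud.security.password.PasswordStorage;
import com.sap.cloud.security.password.PasswordStorageException;
import com.sap.ecm.api.EcmService;
import com.sap.ecm.api.RepositoryOptions;
import com.sap.ecm.api.RepositoryOptions.Visibility;

public class DocumentServiceConnector {

    // Hypothetical names; replace with the app's real values.
    private static final String REPOSITORY_UNIQUE_NAME = "com.example.espm.Repository";
    private static final String KEY_ALIAS = "espm.repository.key";

    // Opens an OpenCMIS session on the app's repository. Account isolation is
    // done by the client certificate underneath; the repository key only
    // distinguishes this app's repository from others in the same account.
    public static Session openSession() throws NamingException, PasswordStorageException {
        InitialContext ctx = new InitialContext();
        EcmService ecmService = (EcmService) ctx.lookup("java:comp/env/EcmService");
        PasswordStorage passwordStorage =
                (PasswordStorage) ctx.lookup("java:comp/env/PasswordStorage");

        String repositoryKey = loadOrCreateKey(passwordStorage);

        try {
            // Repository already exists (created earlier by this app in this account).
            return ecmService.connect(REPOSITORY_UNIQUE_NAME, repositoryKey);
        } catch (CmisObjectNotFoundException e) {
            // First use: create the repository with the stored key, then connect.
            RepositoryOptions options = new RepositoryOptions();
            options.setUniqueName(REPOSITORY_UNIQUE_NAME);
            options.setRepositoryKey(repositoryKey);
            options.setVisibility(Visibility.PROTECTED);
            options.setMultiTenantCapable(true);
            ecmService.createRepository(options);
            return ecmService.connect(REPOSITORY_UNIQUE_NAME, repositoryKey);
        }
    }

    // Reads the key from the password storage. If no key is stored yet, a
    // random one is generated and stored, so the key never has to appear in
    // source code, a properties file or a deployment descriptor.
    static String loadOrCreateKey(PasswordStorage storage) throws PasswordStorageException {
        char[] stored = storage.getPassword(KEY_ALIAS);
        if (stored != null && stored.length > 0) {
            return new String(stored);
        }
        byte[] random = new byte[24];
        new SecureRandom().nextBytes(random);
        String key = Base64.getEncoder().encodeToString(random);
        storage.setPassword(KEY_ALIAS, key.toCharArray());
        return key;
    }
}
```

Note that this only moves the key out of the deployed artifact; it does not change the trust boundary Dieter describes. Anyone who can deploy into the account can still read the alias from the running app or reset the repository key, so the password storage is a hygiene improvement rather than an access-control one.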

skrishnakumar commented on August 25, 2024

Thanks Dieter for the detailed information.

The password store use case is something that we showcased in the Authorization Management API scenario with ESPM. So, I think it would be best when enhancing the app, we can try out the client certificate for the ESPM use case.


dguendisch commented on August 25, 2024

Just to be clear: you are already using the client certificate, otherwise you wouldn't be able to access your repository (it's happening automatically; the preprovisioned OpenCMIS clients already take care of the client cert authentication).

