[Setup] ZEO cluster filestorage and blobstorage security when zeoserver effective-user = zeo and when client1 shared-blob = on

Graham Perrin G.J.Perrin at bton.ac.uk
Tue Oct 7 23:23:33 UTC 2008


I'm not sure whether this message is better suited to
plone-developers at lists.sourceforge.net or setup at lists.plone.org but here
goes...

Experimenting with Plone-3.1.5.1-ex-r2-UnifiedInstaller from launchpad

Re
<http://dev.plone.org/plone/browser/Installers/UnifiedInstaller/trunk/HISTORY.txt?rev=22529>:

> - Set up root-install cluster to run ZEO and clients under
> separate user ids. Don't allow clients access to filestorage.

and <http://dev.plone.org/plone/changeset/22467>:

> Tighten cluster security by using a different user for ZEO;
> restructure var/ so that clients don't need to write to anything
> but their own subdirectories. 

If we add plone.app.blob to the mix, and 
if (I guess) ZEO clients should similarly be denied access to blobstorage, 
then focusing on
<http://dev.plone.org/plone/browser/Installers/UnifiedInstaller/trunk/buildout_templates/cluster.cfg?rev=22688#L318>
lines 318 and 319 one *might*:

-    chown -R ${zeoserver:effective-user}
${buildout:directory}/var/filestorage
-    chmod 700 ${buildout:directory}/var/filestorage
+    chown -R ${zeoserver:effective-user}
${buildout:directory}/var/????storage
+    chmod 700 ${buildout:directory}/var/????storage
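
Review bot: on the two added lines, `var/????storage` is a shell wildcard that matches every entry in var/ with four characters before `storage`, so it covers filestorage and blobstorage but also anything else of that shape; naming the two directories explicitly would keep the chown -R and chmod 700 scoped to exactly what is intended. With mode 700 and the zeoserver effective-user as owner, a client running under a different user id has no read permission on the directory, so this form only suits a setup in which the clients never open blobstorage themselves.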

(I imagine that security for blobstorage is highly desirable --
amongst other things, minimise the (operator error) risk of blobs
straying from filestorage references thereto.)

However: when I secure blobstorage in that way, client1 fails as follows: 

{{{
2008-10-07 23:59:06 INFO ZEO.ClientStorage (47732) ClientStorage (pid=47732) created RW/normal for storage: '1'
Traceback (most recent call last):
  File "/Applications/Plone/zeocluster/parts/zope2/lib/python/Zope2/Startup/run.py", line 56, in ?
    run()
  File "/Applications/Plone/zeocluster/parts/zope2/lib/python/Zope2/Startup/run.py", line 21, in run
    starter.prepare()
  File "/Applications/Plone/zeocluster/parts/zope2/lib/python/Zope2/Startup/__init__.py", line 102, in prepare
    self.startZope()
  File "/Applications/Plone/zeocluster/parts/zope2/lib/python/Zope2/Startup/__init__.py", line 278, in startZope
    Zope2.startup()
  File "/Applications/Plone/zeocluster/parts/zope2/lib/python/Zope2/__init__.py", line 47, in startup
    _startup()
  File "/Applications/Plone/zeocluster/parts/zope2/lib/python/Zope2/App/startup.py", line 59, in startup
    DB = dbtab.getDatabase('/', is_root=1)
  File "/Applications/Plone/zeocluster/parts/zope2/lib/python/Zope2/Startup/datatypes.py", line 280, in getDatabase
    db = factory.open(name, self.databases)
  File "/Applications/Plone/zeocluster/parts/zope2/lib/python/Zope2/Startup/datatypes.py", line 178, in open
    DB = self.createDB(database_name, databases)
  File "/Applications/Plone/zeocluster/parts/zope2/lib/python/Zope2/Startup/datatypes.py", line 175, in createDB
    return ZODBDatabase.open(self, databases)
  File "/Applications/Plone/buildout-cache/eggs/ZODB3-3.8.1b9-py2.4-macosx-10.3-i386.egg/ZODB/config.py", line 97, in open
    storage = section.storage.open()
  File "/Applications/Plone/buildout-cache/eggs/ZODB3-3.8.1b9-py2.4-macosx-10.3-i386.egg/ZODB/config.py", line 168, in open
    realm=self.config.realm)
  File "/Applications/Plone/buildout-cache/eggs/ZODB3-3.8.1b9-py2.4-macosx-10.3-i386.egg/ZEO/ClientStorage.py", line 328, in __init__
    self.fshelper = ZODB.blob.FilesystemHelper(blob_dir)
  File "/Applications/Plone/buildout-cache/eggs/ZODB3-3.8.1b9-py2.4-macosx-10.3-i386.egg/ZODB/blob.py", line 308, in __init__
    layout_name = auto_layout_select(base_dir)
  File "/Applications/Plone/buildout-cache/eggs/ZODB3-3.8.1b9-py2.4-macosx-10.3-i386.egg/ZODB/blob.py", line 469, in auto_layout_select
    elif len(os.listdir(path)) == 0:
OSError: [Errno 13] Permission denied: '/Applications/Plone/zeocluster/var/blobstorage'
}}}

----

<http://plone.org/products/plone.app.blob> includes within its example, 

    shared-blob = on

On my OS, following use of Plone-3.1.5.1-ex-r2-UnifiedInstaller:

	user plone is uid 50
	user   zeo is uid 57

If it's absolutely necessary for both clients and zeoserver to 
share access to blobstorage (in this respect I'm uneducated) 
then for security maybe ...  

create a group 'zeocluster' comprising only those two users and 

chown -R root:zeocluster ${buildout:directory}/var/blobstorage

chmod -R 570 ${buildout:directory}/var/blobstorage

(the -R in that second command is to _seriously_ discourage any user
with root privileges from messing with what's within blobstorage).

Do I have the right end of the stick with all of this?

Regards
Graham
-- 
View this message in context: http://n2.nabble.com/ZEO-cluster-filestorage-and-blobstorage-security-when-zeoserver-effective-user-%3D-zeo-and-when-client1-shared-blob-%3D-on-tp1305155p1305155.html
Sent from the Installation, Setup, Upgrades mailing list archive at Nabble.com.
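
Added example, not part of the original message or of the UnifiedInstaller: a small model of the POSIX owner/group/other check applied to the two blobstorage layouts discussed above (mode 700 owned by zeo, and mode 570 owned by root:zeocluster). The uids 50 and 57 are taken from the message; the group ids and the helper names are assumptions made for illustration.

```python
import os
import stat

# uids as reported in the message; gids are constructed for this example.
PLONE_UID, ZEO_UID, ROOT_UID = 50, 57, 0
PLONE_GID, ZEO_GID, ZEOCLUSTER_GID = 50, 57, 600


def access_class(owner_uid, owner_gid, uid, gids):
    """POSIX applies exactly one class: owner first, then group, then other."""
    if uid == owner_uid:
        return "owner"
    if owner_gid in gids:
        return "group"
    return "other"


def dir_rights(mode, owner_uid, owner_gid, uid, gids):
    """Rights of (uid, gids) on a directory, from mode bits only.

    Ignores the superuser override and ACLs. 'list' is what os.listdir()
    needs (read); 'create' needs write plus search.
    """
    shift = {"owner": 6, "group": 3, "other": 0}[
        access_class(owner_uid, owner_gid, uid, gids)]
    bits = (mode >> shift) & 0o7
    r, w, x = bool(bits & 4), bool(bits & 2), bool(bits & 1)
    return {"list": r, "enter": x, "create": w and x}


def audit(path, uid, gids):
    """Apply the same check to a real directory on disk."""
    st = os.stat(path)
    return dir_rights(stat.S_IMODE(st.st_mode), st.st_uid, st.st_gid, uid, gids)


if __name__ == "__main__":
    plone = (PLONE_UID, {PLONE_GID, ZEOCLUSTER_GID})
    zeo = (ZEO_UID, {ZEO_GID, ZEOCLUSTER_GID})
    # Layout 1: chown zeo, chmod 700 -> the client falls into "other".
    print("700 zeo, client :", dir_rights(0o700, ZEO_UID, ZEO_GID, *plone))
    # Layout 2: chown root:zeocluster, chmod 570 -> both users use group bits.
    for name, who in (("client", plone), ("server", zeo)):
        print("570 root:zeocluster,", name, ":",
              dir_rights(0o570, ROOT_UID, ZEOCLUSTER_GID, *who))
    # Variation: if zeo owned the directory, its owner bits (r-x) would apply
    # even though it is also in the group, so it could not create files.
    print("570 zeo:zeocluster, server:",
          dir_rights(0o570, ZEO_UID, ZEOCLUSTER_GID, *zeo))
```

Running `audit()` as each account against the real var/blobstorage shows which class that account actually lands in before the client is restarted.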



