
Security: Virtualization server CIFS file system mount point

Question asked by sacco on Aug 20, 2007
The AVM repository (and the main one) can be mounted on the
Alfresco server as a CIFS file system, in order to enable
standard tools to operate on the repository and to allow
getRealPath(), etc. to work properly.

However, using CIFS, it is difficult to expose a repository with
appropriate security restrictions.

As far as access for normal OS tools is concerned, this can be
finessed when working in UNIX systems by making each user
who requires access mount its own copy of the repository
using suitable (its own) Alfresco credentials (although obviously
a single mount with Alfresco users mapped to appropriate system
accounts as necessary would be preferable). 
Under Windows life is rather more difficult, as Windows clients and
servers typically disallow multiple connections to a server or shared
resource using more than one user name from the same client
(although I'm told that different users on the same client can make
simultaneous connections with some combinations, but in practice this
has never helped me resolve a problem).


The security problem:

The file system interface exposed to the Virtualisation server must
be mounted as a specific user, typically an admin level user.

This means that, even when this issue here:
http://forums.alfresco.com/viewtopic.php?t=8216
has been resolved and Virtualisation server users are accessing the
repository with their own credentials, access to the AVM repository
through a Virtualization server CIFS file system mount point would
still take place as an admin level user, and would additionally need
to grant the maximum access privilege required to all sessions.

Is there any way to avoid this?  The only thing I can think of so far
is (once the mount has been automated within the Virtualisation
server), to open a new CIFS session for each client set of credentials
(but this hardly seems efficient): is this possible?  Or have you something better planned?

Alternatively, would it be better to expose the remote AVM repository
through NFS and map the user identities?
