[GeoNetwork-devel] Enhancements to DB access

hello developers,

I thought of two small enhancements that would make it more easy to work with GeoNetwork’s database:

  • include the H2 admin servlet, ideally only if H2 is actually the DB in use; this provides a web-page that allows viewing and editing H2 data, much like the pgAdmin program for Postgres

  • create a form in the Admin console to allow Administrator users to execute arbitrary SQL queries (this could be helpful for any DB, not just H2)

What do you think ?

Kind regards
Heikki Doeleman

hey list,

anyone have some opinion on this ?

Kind regards
Heikki Doeleman


Hi,

On Mon, Jun 3, 2013 at 8:23 PM, heikki <tropicano@anonymised.com> wrote:

> hello developers,
>
> I thought of two small enhancements that would make it more easy to work
> with GeoNetwork's database:
>
> include the H2 admin servlet, ideally only if H2 is actually the DB in use;
> this provides a web-page that allows viewing and editing H2 data, much like
> the pgAdmin program for Postgres
>
> create a form in the Admin console to allow Administrator users to execute
> arbitrary SQL queries (this could be helpful for any DB, not just H2)

I think it is a very good idea, as long as we take care not to open a
security bug. I mean, maybe just for SELECT queries?

I think this is better than the H2 admin servlet, as it is generic.

> What do you think ?
>
> Kind regards
> Heikki Doeleman

_______________________________________________
GeoNetwork-devel mailing list
GeoNetwork-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/geonetwork-devel
GeoNetwork OpenSource is maintained at
http://sourceforge.net/projects/geonetwork
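
Added example (not part of the original thread and not GeoNetwork code): one way to enforce the "just for SELECT queries" idea in the database engine rather than by inspecting the query text. It uses SQLite through Python's sqlite3 module as a stand-in for H2/Postgres; the `metadata` table, its rows and all function names are constructed for illustration.

```python
import sqlite3

# Engine-level allow-list: run a SELECT, read columns, call SQL functions.
READ_ONLY_ACTIONS = {sqlite3.SQLITE_SELECT, sqlite3.SQLITE_READ,
                     sqlite3.SQLITE_FUNCTION}


def read_only_authorizer(action, arg1, arg2, db_name, source):
    """Called by SQLite while it compiles a statement; deny anything that writes."""
    if action in READ_ONLY_ACTIONS:
        return sqlite3.SQLITE_OK
    return sqlite3.SQLITE_DENY


def naive_is_select(sql):
    """Weak check for comparison: only looks at the first keyword."""
    return sql.lstrip().lower().startswith("select")


def make_console_connection():
    """Build a constructed sample catalog, then lock the connection down."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        "CREATE TABLE metadata (id INTEGER PRIMARY KEY, title TEXT);"
        "INSERT INTO metadata (title) VALUES ('Roads'), ('Rivers');"
    )
    conn.set_authorizer(read_only_authorizer)  # applies to every later statement
    return conn


def run_console_query(conn, sql, max_rows=100):
    """Run one admin-submitted statement; return (rows, error_message)."""
    try:
        # execute() accepts a single statement, so "SELECT ...; DELETE ..." fails here.
        cursor = conn.execute(sql)
        return cursor.fetchmany(max_rows), None
    except (sqlite3.Error, sqlite3.Warning) as exc:
        return [], str(exc)


if __name__ == "__main__":
    console = make_console_connection()
    for statement in ("SELECT id, title FROM metadata ORDER BY id",
                      "DELETE FROM metadata",
                      "SELECT 1; DELETE FROM metadata"):
        print(naive_is_select(statement), run_console_query(console, statement))
```

On PostgreSQL the same effect comes from connecting the console as a role that has only SELECT privileges.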

Hi,

Well, you’re right about potential security issues but… is there really much interest in a console where you can only perform SELECT requests ?
Cheers,

Jean Pommier


Are the security risks any greater than we otherwise already have ? You would need Administrator privileges to access it. If you have that now, or can gain it, you also can totally f*** up the catalog. So I don’t see there is any more security risk than we otherwise already have. (like, we do not force https; and even then).

As for the H2 servlet, sure it might be a bit superfluous if having an SQL interface, but it’s something easy that we could just effortlessly put there, with a sort-of nice interface etc., all the more so seeing that H2 is our default DB and it is not possible to use pgAdmin-like tools with it otherwise. I think it does no harm and does make things easier.


I think that if we allow it for admin then it should certainly be https only. I think that can be enforced in the config-security-mappings file or in the URL rewrites file.

Jesse


Hi all,
Since this would specifically be for developers, I suggest it would be a module you can include in the build while developing. But it should by default be disabled or even excluded from our releases.
Jeroen

GeoCat Bridge for ArcGIS allows instant publishing of data and metadata on GeoServer, MapServer, PostGIS and GeoNetwork. Visit http://geocat.net for details.
_________________________
Jeroen Ticheler
GeoCat bv
Veenderweg 13
6721 WD Bennekom
Tel: +31 (0)6 81286572
http://geocat.net


Hi,

Personally, while developing, I’ve no problem using tools like pgAdmin if needed. Such a console could be useful for some migration purposes, I think. When you need to do some kind of search and replace, or check something, while being in a production environment, where access to the DB is more complex and secured (e.g. only console available).
For development purposes, I don’t really see the use.
Don’t you think so ?

Jean
