docker能做到这种权限控制吗?
伊谢尔伦
伊谢尔伦 2017-04-24 09:12:43
0
2
548

目前项目用到了一个第三方的软件,提供了很多命令。我们做的事情就是将这些命令开放成restful服务,供各个系统使用。

有一个需求:要将一些危险的命令过滤掉,主要都是一些"写"命令,比如Export,就是导出一个数据到某个目录。"ClearAttribute"清除某个系统属性(不是写命令)。

当用户请求中包含此类的命令,直接403

我们目前的做法是 黑/白 名单,但是太麻烦了,经常要添加新命令,也有被错杀掉的。

我在想这种场景把这个服务做到容器里面,然后对整个容器做权限控制。是不是可以解决?

从来没弄过docker,不知道适不适合这么搞。


网上有人说可以用sandbox弄,搜了下sandbox和docker区别,也没弄清。

伊谢尔伦
伊谢尔伦

小伙看你根骨奇佳,潜力无限,来学PHP伐。

reply all(2)
小葫芦

In your scenario, docker is approximately equal to vm &&, which is approximately equal to a physical machine. Therefore, it is obviously unreasonable for you to add a few machines to meet some application requirements.
Docker is not a panacea.
Docker is not a panacea.
docker is not everything.

大家讲道理

As mentioned above, docker is not omnipotent.
You can write this system yourself, and then this system provides services to the outside world. This system filters permissions, and this system also calls local things, and then also packages this system. into docker.

Latest Downloads
More>
Web Effects
Website Source Code
Website Materials
Front End Template