Environment variables are the means by which the Cloud Foundry runtime communicates to the application about its environment. One of the most important pieces of information it communicates is the services which are available and how to connect with them.
The same page gives an example of the environment variable containing the connection parameters, such as the username and password, for a MySQL database:
VCAP_SERVICES: {
  "mongodb-1.8": [{"name":"hello-mongo","label":"mongodb-1.8","plan":"free","credentials":{"hostname":"172.30.48.64","port":25003,"username":"e4f2c402-1153-4dfb-8d98-2f6efc65e441","password":"f17f81e4-9855-4b9c-a22b-e6a9e6f113c3","name":"mongodb-5751dac0-3b5e-405b-a1e1-2b384fe4026d","db":"db"}}],
  "redis-2.2": [{"name":"hello-redis","label":"redis-2.2","plan":"free","credentials":{"node_id":"redis_node_4","hostname":"172.30.48.43","port":5002,"password":"e1d7acb0-2baf-42be-84bc-3365aa819586","name":"redis-96836b7c-0949-45fd-a741-c7be5951d52f"}}],
  "mysql-5.1": [{"name":"hello-mysql","label":"mysql-5.1","plan":"free","credentials":{"node_id":"mysql_node_5","hostname":"172.30.48.24","port":3306,"password":"pw4EKJqL6na6f","name":"dd9b58515e3cb41958a30bf2af88126fc","user":"uLfJbOmxfSEUt"}}]
}
The page goes on to say:
You can read this information into your application using Java's environment variable API and/or existing Spring XML features but it is easier to consume this information using the new cloud namespace (described here) which parses it out into a convenient Properties object.
While reading this, I wondered what the security implications of this setup are for the application. Specifically, what measures should a developer take to prevent a malicious attacker from directly taking control of backend services such as the MySQL database?
Edit: besides the risk of an attacker gaining control of the backend services, I can also imagine the risk of an attacker causing the application to connect to a malicious backend.
Best answer
If you want to connect to a backend (database) service, you have to provide credentials to the application in some way. To be able to bind dynamically to services, environment variables are a good choice for passing application-private information to the application.
As with any application compromise, once the application is hacked, the backend is exposed.
The only way to connect to a malicious backend would be for an attacker to set up a malicious service on the Cloud Foundry infrastructure and to be able to compromise the Cloud Controller so that it passes forged environment variables to the application.
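As an added example (not code from the page, from Cloud Foundry, or from Spring's cloud namespace), a small Python reader for a VCAP_SERVICES value in the shape quoted above: it selects a bound service by name, checks that the credential fields the application needs are present, optionally rejects a hostname outside an assumed allowlist of service networks, and produces a redacted copy that is safe to log. The allowlist, the placeholder credential values and the sample JSON are constructed assumptions.

```python
import ipaddress
import json
import os

# Constructed sample shaped like the mysql-5.1 entry quoted on the page;
# the secret values are replaced with obvious placeholders.
SAMPLE_VCAP_SERVICES = json.dumps({
    "mysql-5.1": [{
        "name": "hello-mysql", "label": "mysql-5.1", "plan": "free",
        "credentials": {"node_id": "mysql_node_5", "hostname": "172.30.48.24",
                        "port": 3306, "password": "PLACEHOLDER_PASSWORD",
                        "name": "PLACEHOLDER_DB", "user": "PLACEHOLDER_USER"},
    }],
})

REQUIRED = ("hostname", "port", "user", "password", "name")
SECRET_KEYS = ("password",)


def load_service(service_name, raw=None, allowed_networks=("172.30.0.0/16",)):
    """Return the credentials dict of the bound service called `service_name`.

    `raw` defaults to os.environ["VCAP_SERVICES"]. `allowed_networks` is an
    assumed, deployment-specific allowlist of service address ranges; pass
    None to skip that check. Raises ValueError on malformed or missing data.
    """
    raw = os.environ.get("VCAP_SERVICES", "") if raw is None else raw
    try:
        services = json.loads(raw)
    except json.JSONDecodeError as exc:
        raise ValueError("VCAP_SERVICES is not valid JSON") from exc
    for instances in services.values():
        for inst in instances:
            if inst.get("name") != service_name:
                continue
            creds = inst.get("credentials", {})
            missing = [k for k in REQUIRED if k not in creds]
            if missing:
                raise ValueError(f"credentials missing {missing}")
            if allowed_networks is not None:
                host = ipaddress.ip_address(creds["hostname"])  # IP literal expected
                if not any(host in ipaddress.ip_network(n) for n in allowed_networks):
                    raise ValueError(f"{creds['hostname']} outside allowed service networks")
            return creds
    raise ValueError(f"no bound service named {service_name!r}")


def redacted(creds):
    """Copy of `creds` with secret values masked, for log output only."""
    return {k: ("***" if k in SECRET_KEYS else v) for k, v in creds.items()}
```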
Regarding "security - protecting service parameters in Cloud Foundry environment variables", a similar question was found on Stack Overflow: https://stackoverflow.com/questions/6576119/