[ckan-discuss] Is CKAN Secure?

Claire Bozic CBozic at cmap.illinois.gov
Thu Jul 11 20:35:17 BST 2013


My agency has had some security issues over the last year that were traced to an API.  We are currently working on installing CKAN 2.0. I am not a programmer or a system security expert, so I wonder how secure is CKAN?  I see some specific information about setting permissions on DataStore to eliminate?/Reduce? security issues, but not much else in the documentation that specifically references the topic.

When I read this, it sounds good but it also sounds like it could potentially be a problem - is this available to outside users only if specifically provided, or is this available to anyone by default?
"Programming with CKAN: meet version 3 of the API
CKAN's powerful application programming interface (API) makes it possible for other machines and programs to automatically read, search and update datasets. CKAN's API was previously designed according to REST<http://www.infoq.com/articles/rest-introduction> principles. RESTful APIs are deservedly popular as a way to expose a clean interface to certain views on a collection of data. However, for CKAN we felt it would be better to give applications full access to CKAN's own internal machinery.
A new version of the API - version 3 - trialled in beta in CKAN 1.8, replaced the REST design with remote procedure calls, enabling applications or programmers to call the same procedures as CKAN's own code uses to implement its user interface. Anything that is possible via the user interface, and a good deal more, is therefore possible through the API. This proved popular and stable, and so, with minor tweaks, it is now the recommended API. Old versions of the API will continue to be provided for backward compatibility.
- See more at: http://ckan.org/2013/05/13/announcing-ckan-2-0/"

What about this? Should this make me nervous?


From: ckan-discuss-bounces at lists.okfn.org [mailto:ckan-discuss-bounces at lists.okfn.org] On Behalf Of Pearce, Matthew
Sent: Wednesday, July 10, 2013 4:39 AM
To: 'ckan-discuss at lists.okfn.org'
Subject: [ckan-discuss] datahub.io suggestion - spam entries

Hello

I was having a look for some material on datahub.io<http://datahub.io/> and noticed a number of entries that are likely spam (e.g. 1 <http://datahub.io/dataset/acquiring_mba_program_exactly_what_is_really_gmat_and_so_why_do_anyone_will_need_the_high_status>, e.g. 2 <http://datahub.io/dataset/totally_free_grant_money_for_college_scholarship>).  This is just a piece of feedback from an infrequent user perspective. I would be more than happy to click a simple 'flag for moderator'/'report spam' button to reduce maintenance effort for the admins (a la stackexchange). However, I'm not clear what the best route is currently.

It appears there are two types of login which open up options: comments (DISQUS) and a site login.

* I noticed the DISQUS login option for comments. This has a 'submit feedback' option on the gear in the lower right (when logged in). But this feels more like a usability survey than a reporting channel.

* The site account seems to open up editing options. However I don't see a 'flag for moderator' option (or a delete button, which could be harsh).

Hope this is somewhat useful

Matthew Pearce
Standards Manager (Analyst)

The National Archives, Kew, Surrey, TW9 4DU
T: 0208 876 3444 ex: 2360




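Both messages above come down to the same practical check: which action-API calls answer a client that presents no API key at all. The script below is an added example written for this thread; it is not CKAN project code and is not taken from either post. It assumes the CKAN 2.x action API shape (POST <base>/api/3/action/<name> with a JSON body; a JSON reply carrying "success" plus "result" or "error"; HTTP 403 with error "__type": "Authorization Error" when the caller may not run the action). The list of actions probed and the sample replies are constructed so the script runs offline; the "user_create" reply is a made-up scenario so that the audit has something to flag, not a statement about any CKAN default.

```python
"""Which CKAN action-API calls does an anonymous client reach?

Added example for the ckan-discuss thread, not code from the CKAN project.
Assumed API shape: POST <base>/api/3/action/<name> with a JSON body, a JSON
reply with "success" and either "result" or "error", and HTTP 403 plus
"__type": "Authorization Error" when the caller is not allowed to run the
action.  SAMPLE_REPLIES below are constructed for an offline run; they were
not captured from any live portal.
"""
import json
import urllib.error
import urllib.request

# Actions to probe (assumed list; trim or extend for the deployment).
# Reads are expected to work anonymously on a public portal; writes must not.
READ_ACTIONS = ("site_read", "package_list", "package_search", "user_list")
WRITE_ACTIONS = ("package_create", "resource_create", "datastore_create",
                 "user_create")


def classify(status, body):
    """Reduce one (HTTP status, decoded JSON body) pair to a verdict."""
    if not isinstance(body, dict):
        return "other"                      # HTML error page, proxy reply, ...
    if status == 200 and body.get("success") is True:
        return "allowed"
    err = body.get("error")
    if not isinstance(err, dict):
        err = {}
    if status == 403 or err.get("__type") == "Authorization Error":
        return "denied"
    if status == 404 or err.get("__type") == "Not Found Error":
        return "not_found"
    return "other"                          # e.g. validation errors


def live_fetcher(base_url, api_key=None):
    """Build fetch(action) -> (status, body) against a real portal.

    An empty JSON body is enough for the probe: the assumption is that the
    authorization check runs before the payload is validated, so a caller
    who is not allowed gets 403 rather than a validation error.  Pass
    api_key to repeat the audit as an authenticated user.
    """
    def fetch(action):
        req = urllib.request.Request(
            base_url.rstrip("/") + "/api/3/action/" + action,
            data=b"{}", method="POST",
            headers={"Content-Type": "application/json"})
        if api_key:
            req.add_header("Authorization", api_key)
        try:
            with urllib.request.urlopen(req, timeout=10) as resp:
                return resp.status, json.loads(resp.read())
        except urllib.error.HTTPError as exc:
            try:
                return exc.code, json.loads(exc.read())
            except ValueError:
                return exc.code, {}
    return fetch


def audit(fetch, reads=READ_ACTIONS, writes=WRITE_ACTIONS):
    """Probe every action; return (verdicts, write actions the caller may run)."""
    verdicts = {name: classify(*fetch(name)) for name in reads + writes}
    open_writes = [name for name in writes if verdicts[name] == "allowed"]
    return verdicts, open_writes


# --- constructed sample replies (not from a real server) -------------------
_DENIED = (403, {"success": False,
                 "error": {"__type": "Authorization Error",
                           "message": "Access denied"}})
SAMPLE_REPLIES = {
    "site_read":        (200, {"success": True, "result": True}),
    "package_list":     (200, {"success": True, "result": ["budget-2012"]}),
    "package_search":   (200, {"success": True, "result": {"count": 1}}),
    "user_list":        (200, {"success": True, "result": [{"name": "admin"}]}),
    "package_create":   _DENIED,
    "resource_create":  _DENIED,
    "datastore_create": _DENIED,
    # Constructed scenario: self-service account creation left open, so the
    # audit has one write action to flag.  Not a claim about CKAN defaults.
    "user_create":      (200, {"success": True, "result": {"name": "newuser"}}),
}


def sample_fetch(action):
    """Offline stand-in for live_fetcher(): answers from SAMPLE_REPLIES."""
    return SAMPLE_REPLIES.get(
        action, (404, {"success": False,
                       "error": {"__type": "Not Found Error"}}))


if __name__ == "__main__":
    verdicts, open_writes = audit(sample_fetch)
    for name, verdict in verdicts.items():
        print(f"{name:17} {verdict}")
    print("writes reachable anonymously:", open_writes or "none")
```

To run it against a real portal, swap sample_fetch for live_fetcher("https://portal.example.org") (a placeholder URL), once with no key and once with a key, and compare the two verdict maps. Any write action that lands in the anonymous "allowed" set is the thing to lock down before the portal goes public; the read actions show what an anonymous visitor can enumerate, which is the other half of the "available to anyone by default?" question.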