SlideShare uma empresa Scribd logo

Vertically Challenged

A
Aurynn Shaw

Using database roles to in a WSGI application development stack.

Tecnologia
1 de 65
Baixar para ler offline
VERTICALLY CHALLENGED 1 Tuesday, October 20, 2009
Strong Application Permissions, using PostgreSQL Aurynn Shaw, Command Prompt, Inc. PostgreSQL Conference West, 2009 2 Tuesday, October 20, 2009
APPLICATION ARCHITECTURE Wherein Basic Architecture Limitations Points of Authority Why use DB permissions? Implementation 3 Tuesday, October 20, 2009
Basic Architecture Web Server Application Standard tiered design Database 4 Tuesday, October 20, 2009
Basic Architecture Web Server Standard tiered design Application Standard ingress, logic, egress cycle. Database 5 Tuesday, October 20, 2009
Layered Communications Web Server Limitations in Application communication Database 6 Tuesday, October 20, 2009
Layered Communications Web Server Limitations in communication Application Influences on application design Database 7 Tuesday, October 20, 2009
Application Authority Web Server The Application becomes Application permissions arbiter Database 8 Tuesday, October 20, 2009
Application Authority Web Server The Application becomes Application permissions arbiter Loss of Portability Database 9 Tuesday, October 20, 2009
Application Authority Web Server The Application becomes permissions arbiter Application Loss of Portability Increased work for other consumers Database 10 Tuesday, October 20, 2009
Using DB Permissions Why ? 11 Tuesday, October 20, 2009
Using DB Permissions Why ? It’s better than what you have now 12 Tuesday, October 20, 2009
Using DB Permissions Why ? It’s better than what you have now Easy Integration 13 Tuesday, October 20, 2009
Using DB Permissions Why ? It’s better than what you have now Easy Integration Once it’s set up, it’s easier to use 14 Tuesday, October 20, 2009
Basic Mechanica Entirely DB users Why this is hard to implement 15 Tuesday, October 20, 2009
Basic Mechanica Entirely DB users Why this is hard to implement DB users, with an external auth store Still hard Why it’s Worthwhile 16 Tuesday, October 20, 2009
Basic Mechanica Entirely DB users Why this is hard to implement DB users, with an external auth store Still hard Why it’s Worthwhile The Hybrid approach - use The Hybrid approach DB roles + rows in the database, instead of DB users. 17 Tuesday, October 20, 2009
DATABASE IMPLEMENTATION Wherein Basic Componentry Roles Stored Procedures 18 Tuesday, October 20, 2009
Componentry Postgres Implementation SET ROLE GRANT / NOINHERIT Grant / noinherit - How this works together to NOLOGIN provide VC. 19 Tuesday, October 20, 2009
Componentry Postgres Implementation SET ROLE GRANT / NOINHERIT NOLOGIN Great for PCI sudo for the Database compliance 20 Tuesday, October 20, 2009
Setup vc=# CREATE ROLE vc NOINHERIT; CREATE ROLE vc=# CREATE ROLE auth_level NOLOGIN; CREATE ROLE vc=# GRANT auth_level TO vc; GRANT ROLE vc=# 21 Tuesday, October 20, 2009
Setup vc=> CREATE TABLE auth_only(); CREATE vc=> REVOKE SELECT ON auth_only FROM PUBLIC, vc; REVOKE vc=> SET ROLE TO vc; SET vc=> 22 Tuesday, October 20, 2009
sudo for Databases vc=> SELECT * FROM auth_only; ERROR: permission denied for relation auth_only vc=> SET ROLE auth_level; SET vc=> SELECT * FROM auth_only; -- (0 rows) 23 Tuesday, October 20, 2009
It’s How We Role Basic roles 24 Tuesday, October 20, 2009
It’s How We Role Basic roles Defines your permissions tree 25 Tuesday, October 20, 2009
It’s How We Role Basic Roles Defines your permissions tree Privileged Roles The over-arching Container roles User, Moderator, Admin, etc. 26 Tuesday, October 20, 2009
It’s How We Role Basic Roles Defines your permissions tree Privileged Roles The over-arching permissions definitions User, Moderator, Admin, etc. Entry point has LOGIN granted. Entry Point 27 Tuesday, October 20, 2009
Your users.can do *this* users.can 28 Tuesday, October 20, 2009
A Quick Check IF users.can(user_id, ‘type.read’) THEN RETURN QUERY SELECT * FROM type; ELSE exceptable.permission_denied(‘User lacks type.read permissions’);* END IF; * Exceptable function 29 Tuesday, October 20, 2009
Wait.. I don’t know you. users.can users.validate 30 Tuesday, October 20, 2009
User Legitimacy CREATE OR REPLACE FUNCTION users.validate ( in_username text, in_password text ) RETURNS int SELECT users.validate(‘vc’,‘password’); 31 Tuesday, October 20, 2009
The Forge of Users users.can users.validate users.create 32 Tuesday, October 20, 2009
Creating Users CREATE OR REPLACE FUNCTION users.create ( in_username text, in_role text, in_password text ) RETURNS int SELECT users.create(‘user’,‘auth’,md5 (‘password’)); 33 Tuesday, October 20, 2009
Basic User Get users.can users.validate users.create users.get 34 Tuesday, October 20, 2009
Collecting Users CREATE OR REPLACE FUNCTION users.get ( in_user_id int ) RETURNS users.user CREATE TYPE users.user AS ( id int, username text, roles text[] -- Used for app checks ); 35 Tuesday, October 20, 2009
STANDING ON PYLONS Wherein Exceptions Permissions checks Repoze.Who 36 Tuesday, October 20, 2009
Exceptions Repoze.who cares about 401s and 403s 37 Tuesday, October 20, 2009
Exceptions Repoze.who cares about 401s and 403s Trap VC errors in the Application Emit an appropriate 401 or 403 38 Tuesday, October 20, 2009
Exceptions Repoze.who cares about 401s and 403s Trap VC errors in the Application Emit an appropriate 401 or 403 Exceptions are handled ONCE 39 Tuesday, October 20, 2009
Once class BaseController(WSGIController): def __call__(self, environ, start_response): """Invoke the Controller""" # WSGIController.__call__ dispatches to the Controller method # the request is routed to. try: return WSGIController.__call__(self, environ, start_response) except PermissionsError, e: abort(403) except NoSuchUserError, e: abort(401) 40 Tuesday, October 20, 2009
I have @needs too! Easily Decorate Pylons Views - @needs(‘type.read’) 41 Tuesday, October 20, 2009
I have @needs too! Easily Decorate Pylons Views - @needs(‘type.read’) Using DB permissions in the App layer 42 Tuesday, October 20, 2009
I have @needs too! Easily Decorate Pylons Views - @needs(‘type.read’) Using DB permissions in the App layer A single DB query - Not a query per object. 43 Tuesday, October 20, 2009
I have @needs too! Easily Decorate Pylons Views - @needs(‘type.read’) Using DB permissions in the App layer A single DB query - Not a query per object. Why? Multiple tiers are good. 44 Tuesday, October 20, 2009
Pylons in Repose The Application Cycle 45 Tuesday, October 20, 2009
Pylons in Repose The Application Cycle A Basic Repoze Configuration 46 Tuesday, October 20, 2009
A Basic Configuration [plugin:form] use = repoze.who.plugins.form:make_redirecting_plugin login_form_url = /account/login login_handler_path = /account/dologin logout_handler_path = /account/logout rememberer_name = auth_tkt [plugin:auth_tkt] use = repoze.who.plugins.auth_tkt:make_plugin secret = ticket_secret [mdproviders] plugins = vc.repoze:MetadataProvider;browser 47 Tuesday, October 20, 2009
Pylons in Repose The Application Cycle A Basic Repoze Configuration The Permissions Swap 48 Tuesday, October 20, 2009
The Permissions Swap class MetadataProvider(object): def add_metadata(self, environ, identity): if userid: try: from vc.model import user u = user.user(userid) u.become(u.role) except PermissionError, e: if “model” in identity: del identity[“model”] return None identity[“model”] = u 49 Tuesday, October 20, 2009
And the Procedure CREATE FUNCTION users.become ( in_user_id int, in_role text ) RETURNS VOID AS $$ BEGIN IF users.can($1, $2) THEN SET ROLE TO quote_literal($2); ELSE except.permission_denied('User cannot become specified permission level'); END IF; END; $$ LANGUAGE PLPGSQL; 50 Tuesday, October 20, 2009
Pylons in Repose The Application Cycle A Basic Repoze Configuration The Permissions Swap Anonymous Access 51 Tuesday, October 20, 2009
Anonymous Access A Wrapping Identifier Test For an Identity 52 Tuesday, October 20, 2009
Wrap the Identifier class AnonymousWrapper(object): def identify(self, environ): i = environ['repoze.who.plugins'] ['auth_tkt'].identify(environ) if i: # Not anonymous return i else: # Is anonymous # return a really basic anonymousness. return {"repoze.who.userid": anonymous_user_id} 53 Tuesday, October 20, 2009
Anonymous Access A Wrapping Identifier Test For an Identity Return a User, or Anonymous Anonymous users are otherwise identical 54 Tuesday, October 20, 2009
ADVANTAGES, DISADVANTAGES, VULNERABILITIES Wherein Advantages Disadvantages Vulnerabilities 55 Tuesday, October 20, 2009
Advantages Same roles in your Procedures, as your Application code Great for consistency Can Implement Row-level Permissions 56 Tuesday, October 20, 2009
Row-Level Example PERFORM id FROM table WHERE id = i_id; IF FOUND THEN PERFORM owner_id FROM table WHERE owner_id = user_id AND id = i_id; IF NOT FOUND THEN exceptable.permission_denied(‘User does not own specified record.’); END IF; END IF; 57 Tuesday, October 20, 2009
Disadvantages No PG-backed row-level authorization 58 Tuesday, October 20, 2009
Disadvantages No PG-backed row-level authorization DDL permissions take work to implement 59 Tuesday, October 20, 2009
Disadvantages No direct row-level authorization DDL permissions take work to implement No ad-hoc Users 60 Tuesday, October 20, 2009
Disadvantages No direct row-level authorization DDL permissions take work to implement No ad-hoc Users Custom permissions require new entry points 61 Tuesday, October 20, 2009
Vulnerabilities Any possible PG escalation attack SET ROLE could switch to an Admin user User errors a perennial favourite 62 Tuesday, October 20, 2009
AND THUS Questions? 63 Tuesday, October 20, 2009
GET IT https://projects.commandprompt.com/ public/verticallychallenged 64 Tuesday, October 20, 2009
THANK YOU! 65 Tuesday, October 20, 2009

Recomendados

Web Frameworks
Web FrameworksWeb Frameworks
Web FrameworksCapgemini TS Grenoble
 
Cloud Computing Best Practices
Cloud Computing Best PracticesCloud Computing Best Practices
Cloud Computing Best PracticesArmor
 
Html5
Html5Html5
Html5uutttlan
 
Google html5 Tutorial
Google html5 TutorialGoogle html5 Tutorial
Google html5 Tutorialjobfan
 
Performance Implications of Mobile Design (Perf Audience Edition)
Performance Implications of Mobile Design (Perf Audience Edition)Performance Implications of Mobile Design (Perf Audience Edition)
Performance Implications of Mobile Design (Perf Audience Edition)Guy Podjarny
 
Step by Step Mobile Optimization
Step by Step Mobile OptimizationStep by Step Mobile Optimization
Step by Step Mobile OptimizationGuy Podjarny
 
Don Schwarz App Engine Talk
Don Schwarz App Engine TalkDon Schwarz App Engine Talk
Don Schwarz App Engine TalkTech in the Middle
 
Jimwebber soa
Jimwebber soaJimwebber soa
Jimwebber soad0nn9n
 

Recomendados

Web Frameworks
Web FrameworksWeb Frameworks
Web FrameworksCapgemini TS Grenoble
 
Cloud Computing Best Practices
Cloud Computing Best PracticesCloud Computing Best Practices
Cloud Computing Best PracticesArmor
 
Html5
Html5Html5
Html5uutttlan
 
Google html5 Tutorial
Google html5 TutorialGoogle html5 Tutorial
Google html5 Tutorialjobfan
 
Performance Implications of Mobile Design (Perf Audience Edition)
Performance Implications of Mobile Design (Perf Audience Edition)Performance Implications of Mobile Design (Perf Audience Edition)
Performance Implications of Mobile Design (Perf Audience Edition)Guy Podjarny
 
Step by Step Mobile Optimization
Step by Step Mobile OptimizationStep by Step Mobile Optimization
Step by Step Mobile OptimizationGuy Podjarny
 
Don Schwarz App Engine Talk
Don Schwarz App Engine TalkDon Schwarz App Engine Talk
Don Schwarz App Engine TalkTech in the Middle
 
Jimwebber soa
Jimwebber soaJimwebber soa
Jimwebber soad0nn9n
 
Jim Webber R E S Tful Services
Jim Webber R E S Tful ServicesJim Webber R E S Tful Services
Jim Webber R E S Tful ServicesSOA Symposium
 
WebSphere User Group UK: Larger Applications with Worklight
WebSphere User Group UK: Larger Applications with WorklightWebSphere User Group UK: Larger Applications with Worklight
WebSphere User Group UK: Larger Applications with WorklightAndrew Ferrier
 
Jim Webber Martin Fowler Does My Bus Look Big In This
Jim Webber Martin Fowler Does My Bus Look Big In ThisJim Webber Martin Fowler Does My Bus Look Big In This
Jim Webber Martin Fowler Does My Bus Look Big In Thisdeimos
 
Comment exploiter les solutions d'intégration entre applications Cloud et "on...
Comment exploiter les solutions d'intégration entre applications Cloud et "on...Comment exploiter les solutions d'intégration entre applications Cloud et "on...
Comment exploiter les solutions d'intégration entre applications Cloud et "on...Marc Jouve
 
Show104 buried treasure
Show104 buried treasureShow104 buried treasure
Show104 buried treasureMark Myers
 
SHOW104 - Buried treasure: Finding the Hidden Gold in Lotus Notes Data
SHOW104 - Buried treasure: Finding the Hidden Gold in Lotus Notes DataSHOW104 - Buried treasure: Finding the Hidden Gold in Lotus Notes Data
SHOW104 - Buried treasure: Finding the Hidden Gold in Lotus Notes Datapanagenda
 
Automating Oracle Database deployment with Amazon Web Services, fabric, and boto
Automating Oracle Database deployment with Amazon Web Services, fabric, and botoAutomating Oracle Database deployment with Amazon Web Services, fabric, and boto
Automating Oracle Database deployment with Amazon Web Services, fabric, and botomjbommar
 
The View - Deploying domino applications to BlackBerry MDS Studio
The View - Deploying domino applications to BlackBerry MDS StudioThe View - Deploying domino applications to BlackBerry MDS Studio
The View - Deploying domino applications to BlackBerry MDS StudioBill Buchan
 
IBM Cloud Burst postavená na platforme IBM System x
IBM Cloud Burst postavená na platforme IBM System xIBM Cloud Burst postavená na platforme IBM System x
IBM Cloud Burst postavená na platforme IBM System xASBIS SK
 
Orange is v cloud 3
Orange is v cloud 3Orange is v cloud 3
Orange is v cloud 3tracepointmarketing
 
Adobe Salon Linux
Adobe Salon LinuxAdobe Salon Linux
Adobe Salon LinuxMichael Chaize
 
Orange is v cloud 3
Orange is v cloud 3Orange is v cloud 3
Orange is v cloud 3tracepointmarketing
 
Howdah
HowdahHowdah
HowdahAurynn Shaw
 
Howdah - An Application using Pylons, PostgreSQL, Simpycity and Exceptable
Howdah - An Application using Pylons, PostgreSQL, Simpycity and ExceptableHowdah - An Application using Pylons, PostgreSQL, Simpycity and Exceptable
Howdah - An Application using Pylons, PostgreSQL, Simpycity and ExceptableCommand Prompt., Inc
 
Vertically Challenged
Vertically ChallengedVertically Challenged
Vertically ChallengedCommand Prompt., Inc
 
Exceptable
ExceptableExceptable
ExceptableAurynn Shaw
 
Vagrant at LA Ruby
Vagrant at LA RubyVagrant at LA Ruby
Vagrant at LA RubyMitchell Hashimoto
 
HTML5 and Google Chrome - DevFest09
HTML5 and Google Chrome - DevFest09HTML5 and Google Chrome - DevFest09
HTML5 and Google Chrome - DevFest09mihaiionescu
 
The Cloud: A game changer to test, at scale and in production, SOA based web...
The Cloud: A game changer to test, at scale and in production, SOA based web...The Cloud: A game changer to test, at scale and in production, SOA based web...
The Cloud: A game changer to test, at scale and in production, SOA based web...Fred Beringer
 
Aloha on-rails-2009
Aloha on-rails-2009Aloha on-rails-2009
Aloha on-rails-2009John Woodell
 
Internet Programming With Python Presentation
Internet Programming With Python PresentationInternet Programming With Python Presentation
Internet Programming With Python PresentationAkramWaseem
 
Effective EC2
Effective EC2Effective EC2
Effective EC2PyCon Italia
 

Mais conteúdo relacionado

Mais procurados

Jim Webber R E S Tful Services
Jim Webber R E S Tful ServicesJim Webber R E S Tful Services
Jim Webber R E S Tful ServicesSOA Symposium
 
WebSphere User Group UK: Larger Applications with Worklight
WebSphere User Group UK: Larger Applications with WorklightWebSphere User Group UK: Larger Applications with Worklight
WebSphere User Group UK: Larger Applications with WorklightAndrew Ferrier
 
Jim Webber Martin Fowler Does My Bus Look Big In This
Jim Webber Martin Fowler Does My Bus Look Big In ThisJim Webber Martin Fowler Does My Bus Look Big In This
Jim Webber Martin Fowler Does My Bus Look Big In Thisdeimos
 
Comment exploiter les solutions d'intégration entre applications Cloud et "on...
Comment exploiter les solutions d'intégration entre applications Cloud et "on...Comment exploiter les solutions d'intégration entre applications Cloud et "on...
Comment exploiter les solutions d'intégration entre applications Cloud et "on...Marc Jouve
 
Show104 buried treasure
Show104 buried treasureShow104 buried treasure
Show104 buried treasureMark Myers
 
SHOW104 - Buried treasure: Finding the Hidden Gold in Lotus Notes Data
SHOW104 - Buried treasure: Finding the Hidden Gold in Lotus Notes DataSHOW104 - Buried treasure: Finding the Hidden Gold in Lotus Notes Data
SHOW104 - Buried treasure: Finding the Hidden Gold in Lotus Notes Datapanagenda
 
Automating Oracle Database deployment with Amazon Web Services, fabric, and boto
Automating Oracle Database deployment with Amazon Web Services, fabric, and botoAutomating Oracle Database deployment with Amazon Web Services, fabric, and boto
Automating Oracle Database deployment with Amazon Web Services, fabric, and botomjbommar
 
The View - Deploying domino applications to BlackBerry MDS Studio
The View - Deploying domino applications to BlackBerry MDS StudioThe View - Deploying domino applications to BlackBerry MDS Studio
The View - Deploying domino applications to BlackBerry MDS StudioBill Buchan
 
IBM Cloud Burst postavená na platforme IBM System x
IBM Cloud Burst postavená na platforme IBM System xIBM Cloud Burst postavená na platforme IBM System x
IBM Cloud Burst postavená na platforme IBM System xASBIS SK
 

Mais procurados (12)

Jim Webber R E S Tful Services
Jim Webber R E S Tful ServicesJim Webber R E S Tful Services
Jim Webber R E S Tful Services
 
WebSphere User Group UK: Larger Applications with Worklight
WebSphere User Group UK: Larger Applications with WorklightWebSphere User Group UK: Larger Applications with Worklight
WebSphere User Group UK: Larger Applications with Worklight
 
Jim Webber Martin Fowler Does My Bus Look Big In This
Jim Webber Martin Fowler Does My Bus Look Big In ThisJim Webber Martin Fowler Does My Bus Look Big In This
Jim Webber Martin Fowler Does My Bus Look Big In This
 
Comment exploiter les solutions d'intégration entre applications Cloud et "on...
Comment exploiter les solutions d'intégration entre applications Cloud et "on...Comment exploiter les solutions d'intégration entre applications Cloud et "on...
Comment exploiter les solutions d'intégration entre applications Cloud et "on...
 
Show104 buried treasure
Show104 buried treasureShow104 buried treasure
Show104 buried treasure
 
SHOW104 - Buried treasure: Finding the Hidden Gold in Lotus Notes Data
SHOW104 - Buried treasure: Finding the Hidden Gold in Lotus Notes DataSHOW104 - Buried treasure: Finding the Hidden Gold in Lotus Notes Data
SHOW104 - Buried treasure: Finding the Hidden Gold in Lotus Notes Data
 
Automating Oracle Database deployment with Amazon Web Services, fabric, and boto
Automating Oracle Database deployment with Amazon Web Services, fabric, and botoAutomating Oracle Database deployment with Amazon Web Services, fabric, and boto
Automating Oracle Database deployment with Amazon Web Services, fabric, and boto
 
The View - Deploying domino applications to BlackBerry MDS Studio
The View - Deploying domino applications to BlackBerry MDS StudioThe View - Deploying domino applications to BlackBerry MDS Studio
The View - Deploying domino applications to BlackBerry MDS Studio
 
IBM Cloud Burst postavená na platforme IBM System x
IBM Cloud Burst postavená na platforme IBM System xIBM Cloud Burst postavená na platforme IBM System x
IBM Cloud Burst postavená na platforme IBM System x
 
Orange is v cloud 3
Orange is v cloud 3Orange is v cloud 3
Orange is v cloud 3
 
Adobe Salon Linux
Adobe Salon LinuxAdobe Salon Linux
Adobe Salon Linux
 
Orange is v cloud 3
Orange is v cloud 3Orange is v cloud 3
Orange is v cloud 3
 

Semelhante a Vertically Challenged

Howdah - An Application using Pylons, PostgreSQL, Simpycity and Exceptable
Howdah - An Application using Pylons, PostgreSQL, Simpycity and ExceptableHowdah - An Application using Pylons, PostgreSQL, Simpycity and Exceptable
Howdah - An Application using Pylons, PostgreSQL, Simpycity and ExceptableCommand Prompt., Inc
 
HTML5 and Google Chrome - DevFest09
HTML5 and Google Chrome - DevFest09HTML5 and Google Chrome - DevFest09
HTML5 and Google Chrome - DevFest09mihaiionescu
 
The Cloud: A game changer to test, at scale and in production, SOA based web...
The Cloud: A game changer to test, at scale and in production, SOA based web...The Cloud: A game changer to test, at scale and in production, SOA based web...
The Cloud: A game changer to test, at scale and in production, SOA based web...Fred Beringer
 
Aloha on-rails-2009
Aloha on-rails-2009Aloha on-rails-2009
Aloha on-rails-2009John Woodell
 
Internet Programming With Python Presentation
Internet Programming With Python PresentationInternet Programming With Python Presentation
Internet Programming With Python PresentationAkramWaseem
 
C fowler intro-azure
C fowler intro-azureC fowler intro-azure
C fowler intro-azuresdeconf
 
Attacking Blackberry For Phun and Profit
Attacking Blackberry For Phun and ProfitAttacking Blackberry For Phun and Profit
Attacking Blackberry For Phun and ProfitAmmar WK
 
BMC BladeLogic Database Automation: Get more from your database infrastructure
BMC BladeLogic Database Automation: Get more from your database infrastructureBMC BladeLogic Database Automation: Get more from your database infrastructure
BMC BladeLogic Database Automation: Get more from your database infrastructureVyom Labs
 
VMware vFabric - CIO Webinar - Al Sargent
VMware vFabric - CIO Webinar - Al SargentVMware vFabric - CIO Webinar - Al Sargent
VMware vFabric - CIO Webinar - Al SargentVMware vFabric
 
Amazon 101 - building composite responsive apps - small
Amazon 101 - building composite responsive apps - smallAmazon 101 - building composite responsive apps - small
Amazon 101 - building composite responsive apps - smallIgor Moochnick
 
Cognos Technical Super Session 2012
Cognos Technical Super Session 2012Cognos Technical Super Session 2012
Cognos Technical Super Session 2012barnaby1502
 
The Hybrid Windows Azure Application
The Hybrid Windows Azure ApplicationThe Hybrid Windows Azure Application
The Hybrid Windows Azure ApplicationMichael Collier
 
Mike Taulty MIX10 Silverlight 4 Patterns Frameworks
Mike Taulty MIX10 Silverlight 4 Patterns FrameworksMike Taulty MIX10 Silverlight 4 Patterns Frameworks
Mike Taulty MIX10 Silverlight 4 Patterns Frameworksukdpe
 

Semelhante a Vertically Challenged (20)

Howdah
HowdahHowdah
Howdah
 
Howdah - An Application using Pylons, PostgreSQL, Simpycity and Exceptable
Howdah - An Application using Pylons, PostgreSQL, Simpycity and ExceptableHowdah - An Application using Pylons, PostgreSQL, Simpycity and Exceptable
Howdah - An Application using Pylons, PostgreSQL, Simpycity and Exceptable
 
Vertically Challenged
Vertically ChallengedVertically Challenged
Vertically Challenged
 
Exceptable
ExceptableExceptable
Exceptable
 
Vagrant at LA Ruby
Vagrant at LA RubyVagrant at LA Ruby
Vagrant at LA Ruby
 
HTML5 and Google Chrome - DevFest09
HTML5 and Google Chrome - DevFest09HTML5 and Google Chrome - DevFest09
HTML5 and Google Chrome - DevFest09
 
The Cloud: A game changer to test, at scale and in production, SOA based web...
The Cloud: A game changer to test, at scale and in production, SOA based web...The Cloud: A game changer to test, at scale and in production, SOA based web...
The Cloud: A game changer to test, at scale and in production, SOA based web...
 
Aloha on-rails-2009
Aloha on-rails-2009Aloha on-rails-2009
Aloha on-rails-2009
 
Internet Programming With Python Presentation
Internet Programming With Python PresentationInternet Programming With Python Presentation
Internet Programming With Python Presentation
 
Effective EC2
Effective EC2Effective EC2
Effective EC2
 
C fowler intro-azure
C fowler intro-azureC fowler intro-azure
C fowler intro-azure
 
Attacking Blackberry For Phun and Profit
Attacking Blackberry For Phun and ProfitAttacking Blackberry For Phun and Profit
Attacking Blackberry For Phun and Profit
 
BaaS Afdel
BaaS AfdelBaaS Afdel
BaaS Afdel
 
RubyConf 2009
RubyConf 2009RubyConf 2009
RubyConf 2009
 
BMC BladeLogic Database Automation: Get more from your database infrastructure
BMC BladeLogic Database Automation: Get more from your database infrastructureBMC BladeLogic Database Automation: Get more from your database infrastructure
BMC BladeLogic Database Automation: Get more from your database infrastructure
 
VMware vFabric - CIO Webinar - Al Sargent
VMware vFabric - CIO Webinar - Al SargentVMware vFabric - CIO Webinar - Al Sargent
VMware vFabric - CIO Webinar - Al Sargent
 
Amazon 101 - building composite responsive apps - small
Amazon 101 - building composite responsive apps - smallAmazon 101 - building composite responsive apps - small
Amazon 101 - building composite responsive apps - small
 
Cognos Technical Super Session 2012
Cognos Technical Super Session 2012Cognos Technical Super Session 2012
Cognos Technical Super Session 2012
 
The Hybrid Windows Azure Application
The Hybrid Windows Azure ApplicationThe Hybrid Windows Azure Application
The Hybrid Windows Azure Application
 
Mike Taulty MIX10 Silverlight 4 Patterns Frameworks
Mike Taulty MIX10 Silverlight 4 Patterns FrameworksMike Taulty MIX10 Silverlight 4 Patterns Frameworks
Mike Taulty MIX10 Silverlight 4 Patterns Frameworks
 

Último

Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...Jeffrey Haguewood
 
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoffsammart93
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonAnna Loughnan Colquhoun
 
Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...apidays
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerThousandEyes
 
Apidays Singapore 2024 - Scalable LLM APIs for AI and Generative AI Applicati...
Apidays Singapore 2024 - Scalable LLM APIs for AI and Generative AI Applicati...Apidays Singapore 2024 - Scalable LLM APIs for AI and Generative AI Applicati...
Apidays Singapore 2024 - Scalable LLM APIs for AI and Generative AI Applicati...apidays
 
Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...
Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...
Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...Zilliz
 
Artificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : UncertaintyArtificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : UncertaintyKhushali Kathiriya
 
Apidays Singapore 2024 - Modernizing Securities Finance by Madhu Subbu
Apidays Singapore 2024 - Modernizing Securities Finance by Madhu SubbuApidays Singapore 2024 - Modernizing Securities Finance by Madhu Subbu
Apidays Singapore 2024 - Modernizing Securities Finance by Madhu Subbuapidays
 
Manulife - Insurer Transformation Award 2024
Manulife - Insurer Transformation Award 2024Manulife - Insurer Transformation Award 2024
Manulife - Insurer Transformation Award 2024The Digital Insurer
 
presentation ICT roal in 21st century education
presentation ICT roal in 21st century educationpresentation ICT roal in 21st century education
presentation ICT roal in 21st century educationjfdjdjcjdnsjd
 
"I see eyes in my soup": How Delivery Hero implemented the safety system for ...
"I see eyes in my soup": How Delivery Hero implemented the safety system for ..."I see eyes in my soup": How Delivery Hero implemented the safety system for ...
"I see eyes in my soup": How Delivery Hero implemented the safety system for ...Zilliz
 
AXA XL - Insurer Innovation Award Americas 2024
AXA XL - Insurer Innovation Award Americas 2024AXA XL - Insurer Innovation Award Americas 2024
AXA XL - Insurer Innovation Award Americas 2024The Digital Insurer
 
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost SavingRepurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost SavingEdi Saputra
 
Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)wesley chun
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfsudhanshuwaghmare1
 
Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin WoodPolkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin WoodJuan lago vázquez
 
Strategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherStrategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherRemote DBA Services
 
Corporate and higher education May webinar.pptx
Corporate and higher education May webinar.pptxCorporate and higher education May webinar.pptx
Corporate and higher education May webinar.pptxRustici Software
 

Último (20)

Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
 
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt Robison
 
Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...
 
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
Apidays Singapore 2024 - Scalable LLM APIs for AI and Generative AI Applicati...
Apidays Singapore 2024 - Scalable LLM APIs for AI and Generative AI Applicati...Apidays Singapore 2024 - Scalable LLM APIs for AI and Generative AI Applicati...
Apidays Singapore 2024 - Scalable LLM APIs for AI and Generative AI Applicati...
 
Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...
Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...
Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...
 
Artificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : UncertaintyArtificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : Uncertainty
 
Apidays Singapore 2024 - Modernizing Securities Finance by Madhu Subbu
Apidays Singapore 2024 - Modernizing Securities Finance by Madhu SubbuApidays Singapore 2024 - Modernizing Securities Finance by Madhu Subbu
Apidays Singapore 2024 - Modernizing Securities Finance by Madhu Subbu
 
Manulife - Insurer Transformation Award 2024
Manulife - Insurer Transformation Award 2024Manulife - Insurer Transformation Award 2024
Manulife - Insurer Transformation Award 2024
 
presentation ICT roal in 21st century education
presentation ICT roal in 21st century educationpresentation ICT roal in 21st century education
presentation ICT roal in 21st century education
 
"I see eyes in my soup": How Delivery Hero implemented the safety system for ...
"I see eyes in my soup": How Delivery Hero implemented the safety system for ..."I see eyes in my soup": How Delivery Hero implemented the safety system for ...
"I see eyes in my soup": How Delivery Hero implemented the safety system for ...
 
AXA XL - Insurer Innovation Award Americas 2024
AXA XL - Insurer Innovation Award Americas 2024AXA XL - Insurer Innovation Award Americas 2024
AXA XL - Insurer Innovation Award Americas 2024
 
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost SavingRepurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
 
Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdf
 
Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin WoodPolkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood
 
Strategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherStrategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a Fresher
 
Corporate and higher education May webinar.pptx
Corporate and higher education May webinar.pptxCorporate and higher education May webinar.pptx
Corporate and higher education May webinar.pptx
 

Vertically Challenged

  • 1. VERTICALLY CHALLENGED 1 Tuesday, October 20, 2009
  • 2. Strong Application Permissions, using PostgreSQL Aurynn Shaw, Command Prompt, Inc. PostgreSQL Conference West, 2009 2 Tuesday, October 20, 2009
  • 3. APPLICATION ARCHITECTURE Wherein Basic Architecture Limitations Points of Authority Why use DB permissions? Implementation 3 Tuesday, October 20, 2009
  • 4. Basic Architecture Web Server Application Standard tiered design Database 4 Tuesday, October 20, 2009
  • 5. Basic Architecture Web Server Standard tiered design Application Standard ingress, logic, egress cycle. Database 5 Tuesday, October 20, 2009
  • 6. Layered Communications Web Server Limitations in Application communication Database 6 Tuesday, October 20, 2009
  • 7. Layered Communications Web Server Limitations in communication Application Influences on application design Database 7 Tuesday, October 20, 2009
  • 8. Application Authority Web Server The Application becomes Application permissions arbiter Database 8 Tuesday, October 20, 2009
  • 9. Application Authority Web Server The Application becomes Application permissions arbiter Loss of Portability Database 9 Tuesday, October 20, 2009
  • 10. Application Authority Web Server The Application becomes permissions arbiter Application Loss of Portability Increased work for other consumers Database 10 Tuesday, October 20, 2009
  • 11. Using DB Permissions Why ? 11 Tuesday, October 20, 2009
  • 12. Using DB Permissions Why ? It’s better than what you have now 12 Tuesday, October 20, 2009
  • 13. Using DB Permissions Why ? It’s better than what you have now Easy Integration 13 Tuesday, October 20, 2009
  • 14. Using DB Permissions Why ? It’s better than what you have now Easy Integration Once it’s set up, it’s easier to use 14 Tuesday, October 20, 2009
  • 15. Basic Mechanica Entirely DB users Why this is hard to implement 15 Tuesday, October 20, 2009
  • 16. Basic Mechanica Entirely DB users Why this is hard to implement DB users, with an external auth store Still hard Why it’s Worthwhile 16 Tuesday, October 20, 2009
  • 17. Basic Mechanica Entirely DB users Why this is hard to implement DB users, with an external auth store Still hard Why it’s Worthwhile The Hybrid approach - use The Hybrid approach DB roles + rows in the database, instead of DB users. 17 Tuesday, October 20, 2009
  • 18. DATABASE IMPLEMENTATION Wherein Basic Componentry Roles Stored Procedures 18 Tuesday, October 20, 2009
  • 19. Componentry Postgres Implementation SET ROLE GRANT / NOINHERIT Grant / noinherit - How this works together to NOLOGIN provide VC. 19 Tuesday, October 20, 2009
  • 20. Componentry Postgres Implementation SET ROLE GRANT / NOINHERIT NOLOGIN Great for PCI sudo for the Database compliance 20 Tuesday, October 20, 2009
  • 21. Setup vc=# CREATE ROLE vc NOINHERIT; CREATE ROLE vc=# CREATE ROLE auth_level NOLOGIN; CREATE ROLE vc=# GRANT auth_level TO vc; GRANT ROLE vc=# 21 Tuesday, October 20, 2009
  • 22. Setup vc=> CREATE TABLE auth_only(); CREATE vc=> REVOKE SELECT ON auth_only FROM PUBLIC, vc; REVOKE vc=> SET ROLE TO vc; SET vc=> 22 Tuesday, October 20, 2009
  • 23. sudo for Databases vc=> SELECT * FROM auth_only; ERROR: permission denied for relation auth_only vc=> SET ROLE auth_level; SET vc=> SELECT * FROM auth_only; -- (0 rows) 23 Tuesday, October 20, 2009
  • 24. It’s How We Role Basic roles 24 Tuesday, October 20, 2009
  • 25. It’s How We Role Basic roles Defines your permissions tree 25 Tuesday, October 20, 2009
  • 26. It’s How We Role Basic Roles Defines your permissions tree Privileged Roles The over-arching Container roles User, Moderator, Admin, etc. 26 Tuesday, October 20, 2009
  • 27. It’s How We Role Basic Roles Defines your permissions tree Privileged Roles The over-arching permissions definitions User, Moderator, Admin, etc. Entry point has LOGIN granted. Entry Point 27 Tuesday, October 20, 2009
  • 28. Your users.can do *this* users.can 28 Tuesday, October 20, 2009
  • 29. A Quick Check IF users.can(user_id, ‘type.read’) THEN RETURN QUERY SELECT * FROM type; ELSE exceptable.permission_denied(‘User lacks type.read permissions’);* END IF; * Exceptable function 29 Tuesday, October 20, 2009
  • 30. Wait.. I don’t know you. users.can users.validate 30 Tuesday, October 20, 2009
  • 31. User Legitimacy CREATE OR REPLACE FUNCTION users.validate ( in_username text, in_password text ) RETURNS int SELECT users.validate(‘vc’,‘password’); 31 Tuesday, October 20, 2009
  • 32. The Forge of Users users.can users.validate users.create 32 Tuesday, October 20, 2009
  • 33. Creating Users CREATE OR REPLACE FUNCTION users.create ( in_username text, in_role text, in_password text ) RETURNS int SELECT users.create(‘user’,‘auth’,md5 (‘password’)); 33 Tuesday, October 20, 2009
  • 34. Basic User Get users.can users.validate users.create users.get 34 Tuesday, October 20, 2009
  • 35. Collecting Users CREATE OR REPLACE FUNCTION users.get ( in_user_id int ) RETURNS users.user CREATE TYPE users.user AS ( id int, username text, roles text[] -- Used for app checks ); 35 Tuesday, October 20, 2009
  • 36. STANDING ON PYLONS Wherein Exceptions Permissions checks Repoze.Who 36 Tuesday, October 20, 2009
  • 37. Exceptions Repoze.who cares about 401s and 403s 37 Tuesday, October 20, 2009
  • 38. Exceptions Repoze.who cares about 401s and 403s Trap VC errors in the Application Emit an appropriate 401 or 403 38 Tuesday, October 20, 2009
  • 39. Exceptions Repoze.who cares about 401s and 403s Trap VC errors in the Application Emit an appropriate 401 or 403 Exceptions are handled ONCE 39 Tuesday, October 20, 2009
  • 40. Once class BaseController(WSGIController): def __call__(self, environ, start_response): """Invoke the Controller""" # WSGIController.__call__ dispatches to the Controller method # the request is routed to. try: return WSGIController.__call__(self, environ, start_response) except PermissionsError, e: abort(403) except NoSuchUserError, e: abort(401) 40 Tuesday, October 20, 2009
  • 41. I have @needs too! Easily Decorate Pylons Views - @needs(‘type.read’) 41 Tuesday, October 20, 2009
  • 42. I have @needs too! Easily Decorate Pylons Views - @needs(‘type.read’) Using DB permissions in the App layer 42 Tuesday, October 20, 2009
  • 43. I have @needs too! Easily Decorate Pylons Views - @needs(‘type.read’) Using DB permissions in the App layer A single DB query - Not a query per object. 43 Tuesday, October 20, 2009
  • 44. I have @needs too! Easily Decorate Pylons Views - @needs(‘type.read’) Using DB permissions in the App layer A single DB query - Not a query per object. Why? Multiple tiers are good. 44 Tuesday, October 20, 2009
  • 45. Pylons in Repose The Application Cycle 45 Tuesday, October 20, 2009
  • 46. Pylons in Repose The Application Cycle A Basic Repoze Configuration 46 Tuesday, October 20, 2009
  • 47. A Basic Configuration [plugin:form] use = repoze.who.plugins.form:make_redirecting_plugin login_form_url = /account/login login_handler_path = /account/dologin logout_handler_path = /account/logout rememberer_name = auth_tkt [plugin:auth_tkt] use = repoze.who.plugins.auth_tkt:make_plugin secret = ticket_secret [mdproviders] plugins = vc.repoze:MetadataProvider;browser 47 Tuesday, October 20, 2009
  • 48. Pylons in Repose The Application Cycle A Basic Repoze Configuration The Permissions Swap 48 Tuesday, October 20, 2009
  • 49. The Permissions Swap class MetadataProvider(object): def add_metadata(self, environ, identity): if userid: try: from vc.model import user u = user.user(userid) u.become(u.role) except PermissionError, e: if “model” in identity: del identity[“model”] return None identity[“model”] = u 49 Tuesday, October 20, 2009
  • 50. And the Procedure CREATE FUNCTION users.become ( in_user_id int, in_role text ) RETURNS VOID AS $$ BEGIN IF users.can($1, $2) THEN SET ROLE TO quote_literal($2); ELSE except.permission_denied('User cannot become specified permission level'); END IF; END; $$ LANGUAGE PLPGSQL; 50 Tuesday, October 20, 2009
  • 51. Pylons in Repose The Application Cycle A Basic Repoze Configuration The Permissions Swap Anonymous Access 51 Tuesday, October 20, 2009
  • 52. Anonymous Access A Wrapping Identifier Test For an Identity 52 Tuesday, October 20, 2009
  • 53. Wrap the Identifier class AnonymousWrapper(object): def identify(self, environ): i = environ['repoze.who.plugins'] ['auth_tkt'].identify(environ) if i: # Not anonymous return i else: # Is anonymous # return a really basic anonymousness. return {"repoze.who.userid": anonymous_user_id} 53 Tuesday, October 20, 2009
  • 54. Anonymous Access A Wrapping Identifier Test For an Identity Return a User, or Anonymous Anonymous users are otherwise identical 54 Tuesday, October 20, 2009
  • 55. ADVANTAGES, DISADVANTAGES, VULNERABILITIES Wherein Advantages Disadvantages Vulnerabilities 55 Tuesday, October 20, 2009
  • 56. Advantages Same roles in your Procedures, as your Application code Great for consistency Can Implement Row-level Permissions 56 Tuesday, October 20, 2009
  • 57. Row-Level Example PERFORM id FROM table WHERE id = i_id; IF FOUND THEN PERFORM owner_id FROM table WHERE owner_id = user_id AND id = i_id; IF NOT FOUND THEN exceptable.permission_denied(‘User does not own specified record.’); END IF; END IF; 57 Tuesday, October 20, 2009
  • 58. Disadvantages No PG-backed row-level authorization 58 Tuesday, October 20, 2009
  • 59. Disadvantages No PG-backed row-level authorization DDL permissions take work to implement 59 Tuesday, October 20, 2009
  • 60. Disadvantages No direct row-level authorization DDL permissions take work to implement No ad-hoc Users 60 Tuesday, October 20, 2009
  • 61. Disadvantages No direct row-level authorization DDL permissions take work to implement No ad-hoc Users Custom permissions require new entry points 61 Tuesday, October 20, 2009
  • 62. Vulnerabilities Any possible PG escalation attack SET ROLE could switch to an Admin user User errors a perennial favourite 62 Tuesday, October 20, 2009
  • 63. AND THUS Questions? 63 Tuesday, October 20, 2009
  • 64. GET IT https://projects.commandprompt.com/ public/verticallychallenged 64 Tuesday, October 20, 2009
  • 65. THANK YOU! 65 Tuesday, October 20, 2009