Hi,
On 29/04/15 15:30, Miro Hrončok wrote:
On 27.4.2015 11:25, Tomas Radej wrote:
> The basic idea is that the server runs in a privileged container or on
> the host system, and very thin client connects to it and exchange
> information about assistants and commands through an API (for example
> using JSON). You may think about it as "DevAssistant as a service".
Here I'm not sure what do you refer as a server and basically, what runs
where. I'll try to make some assumptions bellow, please correct me if I
get it wrong.
The "server" in client/server is everything described below that is not
"The client".
> The client
> ----------
>
> While DevAssistant uses already a sort of a client-server
> architecture, the clients are still quite thick, and not easily
> replaceable. Our intention is to put only the bare minimum into the
> client - an engine to construct a user interface from the received
> data. That means that the command line interface will construct a help
> message with assistants and commands based on what is available on the
> server side. Similarly, the WebUI will construct a form based on
> fields that the server sends to it, generated from the arguments
> specified in an assistant. The client always runs under the user that
> wishes to run an assistant.
So we'll have multiple clients: CLI and WebUI. Both running on the
system the developer is primly using to interact with DA as a process
owned by the developer, e.g. "joe".
The CLI client will run under "joe" (in Linux, Mac OS, Windows if
applicable). The WebUI runs in the browser by typing IP:Port and logging in.
The webserver runs under "devassistant" (a new user with special,
constrained set of permissions), or possibly under "joe" as well when
installed from pip. In the latter case, some fallbacks will be necessary
(see below).
> The webserver
> -------------
>
> The webserver is the front-facing part of the entire server, which
> interacts with the client. What it does is spin up a "bridge" instance
> (see below) for the user under whom the "client" is running, and pass
> messages between the two. The webserver itself doesn't touch the
> system or containers in any way, and will probably run under a unique
> user, for example 'devassistant'. I expect it will take the list of
> available users from /etc/passwd. I still don't know what webserver to
> use, but security is definitely what we should look at first.
Now, where runs this? I would expect this to be run in a "privileged
container" as mentioned above. Why do we care under what user this runs
than? I'm afraid this is a bit confusing to me.
Privileged container or bare metal (if packaged in the distro or
installed via pip). DA could then have some fallback solution that would
enable running DA from pip or source via sudo or the like, in order to
keep compatibility. I am not sure if the benefits of doing that would
outweigh the work invested, though.
Ad why we care: It's the "bare metal" case. I'd imagine having only one
instance of the webserver run for all users on the machine is beneficial
(avoids collisions, can run on a predictable default port, i. e. no need
to specify connection details when running the client).
> The bridge
> ----------
>
> This is the core part of the new system, which will contain most of
> today's DevAssistant package. This part runs under the user who
> actually wants to execute the assistants, and is spawned by the
> webserver. It loads the available assistants, runs them with
> parameters supplied through the webserver, and if necessary, delegates
> the execution of superuser tasks to the "service" with elevated
> privileges.
I'm again confused by the user thing. This is supposed to by run as
"joe" again? Spawned by the webserver that does not run under "joe",
but
under "devassistant" user. Is that even possible, if "devassistant"
user
has no root ACLs?
I think it should be possible to give the "devassistant" user limited
root access solely for spawning the "bridge" instances under different
users via sudoers, polkit policy or the like. A trivial solution that
comes to my mind is having a root-only shell script that takes a
username and spawns the 'bridge' instance.
On the other hand, if you run DA from pip, it could be possible to run
everything under the regular user ("joe"). We sort of assume the person
who runs DevAssistant has root access anyway.
Or is this also run in a container? Different one or the same one as
webserver?
It is, in the default containerised scenario. I would argue for putting
all the server bits into the same (privileged) container, if possible.
> The service
> -----------
>
> Since the bridge runs under a user that doesn't necessarily have all
> the permissions an assistant may require, there will be a service
> (DBus?) that accepts commands and executes them as the super user.
> When such a command is invoked, the service will ask an authentication
> agent if the user is authorised to perform such a command, and based
> on the agent's reply will carry it out appropriately. If an additional
> authentication is required, the bridge sends a request to the client
> for proper authentication.
How does this works on non-Linux platforms than?
DA server (i. e. webserver, bridge, service, agent) runs in a virtual
machine or in a container. It is my impression that supporting OS X is
quite hard with the current architecture, and Windows is next to impossible.
By moving DevAssistant to a more constrained, virtualised environment,
it will be much easier to support more complex use cases - e. g.
inheritable container support for *all* "create" projects. Furthermore,
the only part running on the host system will be the client. With WebUI,
supporting OS X or Windows would be dead easy, because all the changes
would be done inside the VM.
As for how would DA be distributed then, I am thinking a pre-made
virtual image of sorts with DA fully set-up. In any case, we can't help
Windows users set up virtualisation, so they'll have to do some work
anyway. If we decide to go this way, they'll only need to install a
virtualisation host, run the image, and connect to IP:Port from their
browser.
This sort of limits the usage on non-Linux platforms, but I believe that
encouraging the use of virtualised environments is something we should do.
> The agent
> ---------
>
> The last part of the system is an authentication agent. This agent,
> based on its policies, decides if a given user is permitted to carry
> out a command passed to the "service", and return a True/False reply.
> This will probably be a PolicyKit service.
The same question.
The same answer. When run on bare metal (from pip, under "joe"), DA
could fall back to running sudo from the "bridge" as it does now.
Thanks.
TR