Version 0.2 #232
Version 0.2 #232
Conversation
nepet
force-pushed
the
main-0.2
branch
3 times, most recently
from
489969d to
173c6b3
Compare
|
Rebased |
|
Rebased |
nepet
force-pushed
the
main-0.2
branch
2 times, most recently
from
92251ee to
981db7e
Compare
nepet
force-pushed
the
main-0.2
branch
2 times, most recently
from
8b5a797 to
40c5809
Compare
|
I just pushed all crates and the python package, so we should soon be able to merge this, hopefully without breaking any users due to API changes. |
|
Rebased |
|
Rebased on top of |
nepet
force-pushed
the
main-0.2
branch
3 times, most recently
from
64fd6e1 to
6d16a7d
Compare
|
A commit I added on top of this PR that changed the version numbers from While we could also add this later, it would still be nice to have a version update commit in here that we can point the backend to. |
nepet
force-pushed
the
main-0.2
branch
4 times, most recently
from
5bc51d0 to
561574c
Compare
| @@ -88,13 +89,13 @@ def export_node(self) -> schedpb.ExportNodeResponse: | |||
| res = schedpb.ExportNodeResponse | |||
| return res.FromString(bytes(self.inner.export_node())) | |||
|
|
|||
| def node(self) -> "Node": | |||
| def node(self, creds: Credentials) -> "Node": | |||
There was a problem hiding this comment.
We probably want to have Scheduler have a copy of the Credentials, since we will eventually enforce that only an authenticated client can schedule. That would mean that the schedule() call also needs the Credentials, and we could just inherit from Scheduler to Node when creating the Node here.
There was a problem hiding this comment.
Let's talk about this during our meeting.
|
Added credentials and |
cdecker
force-pushed
the
main-0.2
branch
3 times, most recently
from
6f05c18 to
737acd9
Compare
Adds a master rune and a credentials byte array to the proto messages for `register` and `response`. Sets dummy values for this values in the scheduler. This dummy values will be replaced by something meaningful in a future commit. Signed-off-by: Peter Neuroth <[email protected]>
Clippy was complaning about: - an unnecessary `return` keyword - a self conversion. Signed-off-by: Peter Neuroth <[email protected]>
This streamlines the rust and the python api. The python api uses method called `node` to schedule and return a node from the `Scheduler` class. BREAKING CHANGES: The `schedule` method (rs) does not return a node anymore but does insted return the schedule response. A new method `node` is introduced that returns a node instead. Signed-off-by: Peter Neuroth <[email protected]>
Adds `Credentials` that store the necessary information for authentication and authorization. There are two types of credentials: unauthenticated (also known as 'nobody') and device-specific. The device-specific credentials can be encoded to be stored on the device. The encoding allows for future extensions. Credentials offer flexible ways to be created and restored. BREAKING CHANGES: - Credentials replace the TlsConfig on the `Node`, - `Scheduler`(rs and py) method `node` got a `Credentials` parameter. Signed-off-by: Peter Neuroth <[email protected]>
Signed-off-by: Peter Neuroth <[email protected]>
We need to pass a rune down to the signer for propper authorization in our e2e security schema. Signed-off-by: Peter Neuroth <[email protected]>
Introduces runes to the greenlight client. Adds a `create_rune` method to the signer and adds the rune to the registration and recovery responses. Signed-off-by: Peter Neuroth <[email protected]>
Adds the rune to the credentials. This way all the node client can extract the rune from the credentials for future use. Signed-off-by: Peter Neuroth <[email protected]>
Add the rune to the request context. The signer extracts the rune from the PendingRequest and checks the validity as well as the restrictions. Signed-off-by: Peter Neuroth <[email protected]>
Signed-off-by: Peter Neuroth <[email protected]>
Signed-off-by: Peter Neuroth <[email protected]>
Signed-off-by: Peter Neuroth <[email protected]>
Signed-off-by: Peter Neuroth <[email protected]>
| from glclient import Scheduler, Credentials, TlsConfig | ||
|
|
||
| CRED_RUNE = bytes( | ||
| '"\xec\x01q3gAOP3JVkuen3qOh2G3LMU9TbHpXQS2VXfecJmlZY89MC1nbDAmcHVia2V5PTA0OGI0ZWZhNDZkNTZmMmUxM2RmOTdjOGFmNzJiZjYzZWEwNDgzODFlMTdkMTRhOGVkMThlNDVhMzFkNDIzMmNlMzE3OWE4NjE2ZTU2ODUxOTc5MjcxOTZlMTI2YjU0YjhhMmU5NzAwNWJiNzY2YTYzM2M1ODc0M2RjMGU3ZDZhZGY=', |
There was a problem hiding this comment.
I got a bit sidetracked by those 2 leading hex-escaped bytes. Why not use base64-encoding here as well?
| // Builds the default nobody identity. | ||
| let creds = Builder::as_nobody() | ||
| .with_default() | ||
| .expect("Failed to create default Nobody credentials") |
There was a problem hiding this comment.
We can likely determine at compile-time if this call can fail or not (whether or not the nobody credentials were compiled in), so we should make with_default() infallible.
|
|
||
| // Access the tls config. | ||
| let tls_config = creds.tls_config() | ||
| .expect("Failed to create TlsConfig"); |
There was a problem hiding this comment.
Can we have a Credentials instance that does not have valid TLS certs? And shouldn't that be check during .build()? We could make this infallible here too.
| from glclient import Credentials, TlsConfig | ||
|
|
||
| # Builds the default nobody identity. | ||
| creds = Credentials.as_nobody().with_default().build(); |
There was a problem hiding this comment.
Why doesn't .as_nobody() load the default TLS certs? It sounds like that ought to be the default behavior.
There was a problem hiding this comment.
Unless Credentials.as_nobody() returns a usable Credentials instance on its own, in which case what is the with_default() for?
There was a problem hiding this comment.
Ah I see, it fails on .build() if we call just as_nobody(), gotcha.
This is the preparatory branch for the next version of the client bindings. Adding it as a PR to make it more visible here.