Admin interface for node operators

[synzhu]

closes https://github.com/dapperlabs/flow-go/issues/5818

TODO

• Write tests
• Document the protobuf file
• Provide a rest interface using grpc Gateway

[codecov-commenter]

Codecov Report

Merging #1222 (4998a6a) into master (a783037) will increase coverage by 0.10%.
The diff coverage is 76.51%.

@@            Coverage Diff             @@
##           master    #1222      +/-   ##
==========================================
+ Coverage   54.70%   54.81%   +0.10%     
==========================================
  Files         502      504       +2     
  Lines       31769    31918     +149     
==========================================
+ Hits        17380    17496     +116     
- Misses      12026    12048      +22     
- Partials     2363     2374      +11     

Flag	Coverage Δ
unittests	54.81% <76.51%> (+0.10%)	⬆️

Flags with carried forward coverage won't be shown. Click here to find out more.

Impacted Files	Coverage Δ
admin/server.go	50.00% <50.00%> (ø)
admin/command_runner.go	79.69% <79.69%> (ø)
engine/collection/synchronization/engine.go	62.90% <0.00%> (ø)
...ngine/common/synchronization/finalized_snapshot.go	72.91% <0.00%> (+4.16%)	⬆️

---

Continue to review full report at Codecov.

Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update a783037...4998a6a. Read the comment docs.

[huitseeker]

Thanks for getting started on the admin interface! Besides the points I made inline:

1. Authentication:
   I would note we already have tools in utils/grpcutils/grpc.go for server-side uthentication: creating a gRPC server with a self-signed TLS certificate and a client that checks against the corresponding (pre-shared) PubKey. It would only require minor changes for the server to check the client against a certificate that the gRPC server would have been started with. Not that this is enough - I'd expect this to eventually require token auth - but since it's there ...

2. Security:
   In order to augment the predictability of this interface - incidentally limitiing opportunities for mischief: would it be possible to have RegisterHandler|RegisterValidator be part of the API of a CommandRunnerBootstrapper, rather than part of the runtime?

[huitseeker]

what about adminAddr at NotSet but with a specified adminHttpAddr?

[synzhu]

In this case we would just ignore the adminHttpAddr. I can add validation for this although I don't think it's really that necessary?

The adminHttpAddr only makes sense if adminAddr is set. We cannot have an http server if the underlying gRPC service doesn not even exist.

[huitseeker]

First, I think you can serve GRPC over a Unix domain socket rather than a TCP socket (and in this context, this might actually not even be such a bad idea).

But more to my original point, you can interpret the presence of an adminHttpAddr alone as an authorization to bind to a random port for the GRPC endpoint, especially if you document that it is the contract.

[synzhu]

Sure, I guess we can do that.

[synzhu]

Actually on second thought, we cannot just choose a random port because we also need to know which interface to bind to.

As I mentioned in the previous comment, I'm not really a fan of limiting the interface to localhost only.

[huitseeker]

I think we can have a safe default, and that an address parameter that specifies, e.g. just a port, can be interpreted as a default binding to localhost.
With that said, we distribute this through Docker, which won't expose an unexported port, so at this stage it's a nit.

[huitseeker]

How about making these booleans, binding only to localhost? This way we're less vulnerable to inadvertent firewall openings.

[synzhu]

But we need some way to specify the port?

[huitseeker]

That's fine, let's specify just the port then.

[synzhu]

I feel like there are very valid reasons why one might want to bind to an interface other than localhost (for example, if they want the admin service to be accessible remotely).

[synzhu]

Thanks for getting started on the admin interface! Besides the points I made inline:

1. Authentication:
   I would note we already have tools in utils/grpcutils/grpc.go for server-side uthentication: creating a gRPC server with a self-signed TLS certificate and a client that checks against the corresponding (pre-shared) PubKey. It would only require minor changes for the server to check the client against a certificate that the gRPC server would have been started with. Not that this is enough - I'd expect this to eventually require token auth - but since it's there ...
2. Security:
   In order to augment the predictability of this interface - incidentally limitiing opportunities for mischief: would it be possible to have RegisterHandler|RegisterValidator be part of the API of a CommandRunnerBootstrapper, rather than part of the runtime?

@huitseeker

1. In my mind, I don't think we really need authentication at the gRPC server level. I think that securing the admin interface should be something that is left up to the node operator. In particular, they should be responsible for ensuring that the address the admin service is configured to run on (via command line arguments) has proper firewall rules setup to restrict incoming traffic on the specified interface / port. For example, one could setup firewall rule to only allow incoming connections to the admin service from a specified bastion host. Then, one could setup SSH rules on the bastion host so that only certain users can access it.
2. Not entirely sure what you mean here, can you add more details?

[huitseeker]

In my mind, I don't think we really need authentication at the gRPC server level. I think that securing the admin interface should be something that is left up to the node operator.

In theory, I agree with you. In practice, assuming our app is always deployed in a context where a vigilant and wise sysadmin has the time to do that securization well is a non-starter, unfortunately. Moreover, the code necessary to perform this "give credential at bootup, check it later when receiving commands", is, as I mentioned, quite close by.

I mean that in the current approach of the admin interface API it would be easy for a distant code component to dynamically add -or worse remove- a handler / validator to the admin interface, possibly under certain conditions. That makes it more complex to reason about whether the admin interface is exploitable, because it opens the possibility that an adversary would try to manipulate those conditions to activate or deactivate the handlers / validators it wishes. On the other hand, if handlers and validators can only be mutated at the start of the node, and not later, that reasoning is much more simple (hence the builder pattern).
Moreover, if we end up really needing dynamic handlers / validators, nothing will prevent us rom re-adding them at that point.

[synzhu]

In my mind, I don't think we really need authentication at the gRPC server level. I think that securing the admin interface should be something that is left up to the node operator.

In theory, I agree with you. In practice, assuming our app is always deployed in a context where a vigilant and wise sysadmin has the time to do that securization well is a non-starter, unfortunately. Moreover, the code necessary to perform this "give credential at bootup, check it later when receiving commands", is, as I mentioned, quite close by.

I mean that in the current approach of the admin interface API it would be easy for a distant code component to dynamically add -or worse remove- a handler / validator to the admin interface, possibly under certain conditions. That makes it more complex to reason about whether the admin interface is exploitable, because it opens the possibility that an adversary would try to manipulate those conditions to activate or deactivate the handlers / validators it wishes. On the other hand, if handlers and validators can only be mutated at the start of the node, and not later, that reasoning is much more simple (hence the builder pattern).
Moreover, if we end up really needing dynamic handlers / validators, nothing will prevent us rom re-adding them at that point.

@huitseeker Okay, I agree with 2 and will make that change.

I'll look into 1. I will have to enable mutual authentication right?

(Reference for self: grpc/grpc-go#403)

[huitseeker]

I'll look into 1. I will have to enable mutual authentication right?

Essentially, yes. @vishalchangrani is quite familiar with the feature and can probably help.

[huitseeker]

Very nice work! Thanks a lot!

[huitseeker]

That's an excellent idea, which is probably worth tracking in an issue, and has links with #1275 (or at least the context-derived variant thereof I suggest in #1308 ).

[synzhu]

#1314

[huitseeker]

We can probably open an issue for the convenience of auto-generating this certificate pair (the generation would happen at boot, for a later use).
Auto-generation may fit the needs of e.g. a partner running a single node, whereas we'd be more interested in passing our own cert, to manage a group of nodes with the same creds.

[huitseeker]

I think we can have a safe default, and that an address parameter that specifies, e.g. just a port, can be interpreted as a default binding to localhost.
With that said, we distribute this through Docker, which won't expose an unexported port, so at this stage it's a nit.

[vishalchangrani]

lgtm

[peterargue]

LGTM. great work

[synzhu]

bors merge

[bors]

Build failed:

• Lint

[synzhu]

bors merge

[bors]

Build failed:

• Unit Tests (1.16)

[synzhu]

bors retry

[bors]

Build succeeded:

• Integration Tests (1.15)
• Integration Tests (1.16)
• Lint
• Unit Tests (1.15)
• Unit Tests (1.16)