- LastChangedDate
$LastChangedDate$ - LastChangedRevision
$LastChangedRevision$ - LastChangedBy
$LastChangedBy$
This chapter focuses on how to use PB to pass complex types (specifically class instances) to and from a remote process. The first section is on simply copying the contents of an object to a remote process (twisted.spread.pb.Copyable <pb.Copyable>
). The second covers how to copy those contents once, then update them later when they change (twisted.spread.pb.Cacheable <Cacheable>
).
From the previous chapter <pb-usage>
, you've seen how to pass basic types to a remote process, by using them in the arguments or return values of a twisted.spread.pb.RemoteReference.callRemote <callRemote>
function. However, if you've experimented with it, you may have discovered problems when trying to pass anything more complicated than a primitive int/list/dict/string type, or another twisted.spread.pb.Referenceable <pb.Referenceable>
object. At some point you want to pass entire objects between processes, instead of having to reduce them down to dictionaries on one end and then re-instantiating them on the other.
The most obvious and straightforward way to send an object to a remote process is with something like the following code. It also happens that this code doesn't work, as will be explained below.
class LilyPond:
def __init__(self, frogs):
self.frogs = frogs
pond = LilyPond(12)
ref.callRemote("sendPond", pond)
If you try to run this, you might hope that a suitable remote end which implements the remote_sendPond
method would see that method get invoked with an instance from the LilyPond
class. But instead, you'll encounter the dreaded twisted.spread.jelly.InsecureJelly <InsecureJelly>
exception. This is Twisted's way of telling you that you've violated a security restriction, and that the receiving end refuses to accept your object.
What's the big deal? What's wrong with just copying a class into another process' namespace?
Reversing the question might make it easier to see the issue: what is the problem with accepting a stranger's request to create an arbitrary object in your local namespace? The real question is how much power you are granting them: what actions can they convince you to take on the basis of the bytes they are sending you over that remote connection.
Objects generally represent more power than basic types like strings and dictionaries because they also contain (or reference) code, which can modify other data structures when executed. Once previously-trusted data is subverted, the rest of the program is compromised.
The built-in Python "batteries included" classes are relatively tame, but you still wouldn't want to let a foreign program use them to create arbitrary objects in your namespace or on your computer. Imagine a protocol that involved sending a file-like object with a read()
method that was supposed to used later to retrieve a document. Then imagine what if that object were created with os.fdopen("~/.gnupg/secring.gpg")
. Or an instance of telnetlib.Telnet("localhost", "chargen")
.
Classes you've written for your own program are likely to have far more power. They may run code during __init__
, or even have special meaning simply because of their existence. A program might have User
objects to represent user accounts, and have a rule that says all User
objects in the system are referenced when authorizing a login session. (In this system, User.__init__
would probably add the object to a global list of known users). The simple act of creating an object would give access to somebody. If you could be tricked into creating a bad object, an unauthorized user would get access.
So object creation needs to be part of a system's security design. The dotted line between "trusted inside" and "untrusted outside" needs to describe what may be done in response to outside events. One of those events is the receipt of an object through a PB remote procedure call, which is a request to create an object in your "inside" namespace. The question is what to do in response to it. For this reason, you must explicitly specify what remote classes will be accepted, and how their local representatives are to be created.
Another basic question to answer before we can do anything useful with an incoming serialized object is: what class should we create? The simplistic answer is to create the "same kind" that was serialized on the sender's end of the wire, but this is not as easy or as straightforward as you might think. Remember that the request is coming from a different program, using a potentially different set of class libraries. In fact, since PB has also been implemented in Java, Emacs-Lisp, and other languages, there's no guarantee that the sender is even running Python! All we know on the receiving end is a list of two things which describe the instance they are trying to send us: the name of the class, and a representation of the contents of the object.
PB lets you specify the mapping from remote class names to local classes with the twisted.spread.jelly.setUnjellyableForClass <setUnjellyableForClass>
function1 .
This function takes a remote/sender class reference (either the fully-qualified name as used by the sending end, or a class object from which the name can be extracted), and a local/recipient class (used to create the local representation for incoming serialized objects). Whenever the remote end sends an object, the class name that they transmit is looked up in the table controlled by this function. If a matching class is found, it is used to create the local object. If not, you get the InsecureJelly
exception.
In general you expect both ends to share the same codebase: either you control the program that is running on both ends of the wire, or both programs share some kind of common language that is implemented in code which exists on both ends. You wouldn't expect them to send you an object of the MyFooziWhatZit class unless you also had a definition for that class. So it is reasonable for the Jelly layer to reject all incoming classes except the ones that you have explicitly marked with setUnjellyableForClass
. But keep in mind that the sender's idea of a User
object might differ from the recipient's, either through namespace collisions between unrelated packages, version skew between nodes that haven't been updated at the same rate, or a malicious intruder trying to cause your code to fail in some interesting or potentially vulnerable way.
Ok, enough of this theory. How do you send a fully-fledged object from one side to the other?
copy_sender.py <listings/pb/copy_sender.py>
listings/pb/copy_sender.py
copy_receiver.tac <listings/pb/copy_receiver.tac>
listings/pb/copy_receiver.tac
The sending side has a class called LilyPond
. To make this eligible for transport through callRemote
(either as an argument, a return value, or something referenced by either of those [like a dictionary value]), it must inherit from one of the four twisted.spread.pb.Serializable <Serializable>
classes. In this section, we focus on twisted.spread.pb.Copyable <Copyable>
. The copyable subclass of LilyPond
is called CopyPond
. We create an instance of it and send it through callRemote
as an argument to the receiver's remote_takePond
method. The Jelly layer will serialize ("jelly" ) that object as an instance with a class name of"copy_sender.CopyPond" and some chunk of data that represents the object's state. pond.__class__.__module__
and pond.__class__.__name__
are used to derive the class name string. The object's twisted.spread.flavors.Copyable.getStateToCopy <getStateToCopy>
method is used to get the state: this is provided by twisted.spread.pb.Copyable <pb.Copyable>
, and the default just retrieves self.__dict__
. This works just like the optional __getstate__
method used by pickle
. The pair of name and state are sent over the wire to the receiver.
The receiving end defines a local class named ReceiverPond
to represent incoming LilyPond
instances. This class derives from the sender's LilyPond
class (with a fully-qualified name of copy_sender.LilyPond
), which specifies how we expect it to behave. We trust that this is the same LilyPond
class as the sender used. (At the very least, we hope ours will be able to accept a state created by theirs). It also inherits from twisted.spread.pb.RemoteCopy <pb.RemoteCopy>
, which is a requirement for all classes that act in this local-representative role (those which are given to the second argument of setUnjellyableForClass
). RemoteCopy
provides the methods that tell the Jelly layer how to create the local object from the incoming serialized state.
Then setUnjellyableForClass
is used to register the two classes. This has two effects: instances of the remote class (the first argument) will be allowed in through the security layer, and instances of the local class (the second argument) will be used to contain the state that is transmitted when the sender serializes the remote object.
When the receiver unserializes ("unjellies" ) the object, it will create an instance of the local ReceiverPond
class, and hand the transmitted state (usually in the form of a dictionary) to that object's twisted.spread.flavors.RemoteCopy.setCopyableState <setCopyableState>
method. This acts just like the __setstate__
method that pickle
uses when unserializing an object. getStateToCopy
/setCopyableState
are distinct from __getstate__
/__setstate__
to allow objects to be persisted (across time) differently than they are transmitted (across [memory]space).
When this is run, it produces the following output:
[-] twisted.spread.pb.PBServerFactory starting on 8800
[-] Starting factory <twisted.spread.pb.PBServerFactory instance at
0x406159cc>
[Broker,0,127.0.0.1] got pond: <__builtin__.ReceiverPond instance at
0x406ec5ec>
[Broker,0,127.0.0.1] 7 frogs
$ ./copy_sender.py
7 frogs
copy_sender.CopyPond
pond arrived safe and sound
Main loop terminated.
$
By overriding getStateToCopy
and setCopyableState
, you can control how the object is transmitted over the wire. For example, you might want perform some data-reduction: pre-compute some results instead of sending all the raw data over the wire. Or you could replace references to a local object on the sender's side with markers before sending, then upon receipt replace those markers with references to a receiver-side proxy that could perform the same operations against a local cache of data.
Another good use for getStateToCopy
is to implement "local-only" attributes: data that is only accessible by the local process, not to any remote users. For example, a .password
attribute could be removed from the object state before sending to a remote system. Combined with the fact that Copyable
objects return unchanged from a round trip, this could be used to build a challenge-response system (in fact PB does this with pb.Referenceable
objects to implement authorization as described here <pb-cred>
).
Whatever getStateToCopy
returns from the sending object will be serialized and sent over the wire; setCopyableState
gets whatever comes over the wire and is responsible for setting up the state of the object it lives in.
copy2_classes.py <listings/pb/copy2_classes.py>
listings/pb/copy2_classes.py
copy2_sender.py <listings/pb/copy2_sender.py>
listings/pb/copy2_sender.py
copy2_receiver.py <listings/pb/copy2_receiver.py>
listings/pb/copy2_receiver.py
In this example, the classes are defined in a separate source file, which also sets up the binding between them. The SenderPond
and ReceiverPond
are unrelated save for this binding: they happen to implement the same methods, but use different internal instance variables to accomplish them.
The recipient of the object doesn't even have to import the class definition into their namespace. It is sufficient that they import the class definition (and thus execute the setUnjellyableForClass
statement). The Jelly layer remembers the class definition until a matching object is received. The sender of the object needs the definition, of course, to create the object in the first place.
When run, the copy2
example emits the following:
$ twistd -n -y copy2_receiver.py
[-] twisted.spread.pb.PBServerFactory starting on 8800
[-] Starting factory <twisted.spread.pb.PBServerFactory instance at
0x40604b4c>
[Broker,0,127.0.0.1] got pond: <copy2_classes.ReceiverPond instance at
0x406eb2ac>
[Broker,0,127.0.0.1] count 7
$ ./copy2_sender.py
count 7
pond arrived safe and sound
Main loop terminated.
- The first argument to
setUnjellyableForClass
must refer to the class as known by the sender . The sender has no way of knowing about how your localimport
statements are set up, and Python's flexible namespace semantics allow you to access the same class through a variety of different names. You must match whatever the sender does. Having both ends import the class from a separate file, using a canonical module name (no "sibling imports" ), is a good way to get this right, especially when both the sending and the receiving classes are defined together, with thesetUnjellyableForClass
immediately following them. - The class that is sent must inherit from
twisted.spread.pb.Copyable <pb.Copyable>
. The class that is registered to receive it must inherit fromtwisted.spread.pb.RemoteCopy <pb.RemoteCopy>
2 . - The same class can be used to send and receive. Just have it inherit from both
pb.Copyable
andpb.RemoteCopy
. This will also make it possible to send the same class symmetrically back and forth over the wire. But don't get confused about when it is coming (and usingsetCopyableState
) versus when it is going (usinggetStateToCopy
). twisted.spread.jelly.InsecureJelly <InsecureJelly>
exceptions are raised by the receiving end. They will be delivered asynchronously to anerrback
handler. If you do not add one to theDeferred
returned bycallRemote
, then you will never receive notification of the problem.- The class that is derived from
twisted.spread.pb.RemoteCopy <pb.RemoteCopy>
will be created using a constructor__init__
method that takes no arguments. All setup must be performed in thesetCopyableState
method. As the docstring ontwisted.spread.pb.RemoteCopy <RemoteCopy>
says, don't implement a constructor that requires arguments in a subclass ofRemoteCopy
.
pb.Copyable
is mostly implemented intwisted.spread.flavors
, and the docstrings there are the best source of additional information.Copyable
is also used intwisted.web.distrib <twisted.web.distrib>
to deliver HTTP requests to other programs for rendering, allowing subtrees of URL space to be delegated to multiple programs (on multiple machines).
Sometimes the object you want to send to the remote process is big and slow. "big" means it takes a lot of data (storage, network bandwidth, processing) to represent its state. "slow" means that state doesn't change very frequently. It may be more efficient to send the full state only once, the first time it is needed, then afterwards only send the differences or changes in state whenever it is modified. The twisted.spread.pb.Cacheable <pb.Cacheable>
class provides a framework to implement this.
twisted.spread.pb.Cacheable <pb.Cacheable>
is derived from twisted.spread.pb.Copyable <pb.Copyable>
, so it is based upon the idea of an object's state being captured on the sending side, and then turned into a new object on the receiving side. This is extended to have an object "publishing" on the sending side (derived from twisted.spread.pb.Cacheable <pb.Cacheable>
), matched with one"observing" on the receiving side (derived from twisted.spread.pb.RemoteCache <pb.RemoteCache>
).
To effectively use pb.Cacheable
, you need to isolate changes to your object into accessor functions (specifically "setter" functions). Your object needs to get control every single time some attribute is changed3 .
You derive your sender-side class from pb.Cacheable
, and you add two methods: twisted.spread.flavors.Cacheable.getStateToCacheAndObserveFor <getStateToCacheAndObserveFor>
and twisted.spread.flavors.Cacheable.stoppedObserving <stoppedObserving>
. The first is called when a remote caching reference is first created, and retrieves the data with which the cache is first filled. It also provides an object called the "observer"4 that points at that receiver-side cache. Every time the state of the object is changed, you give a message to the observer, informing them of the change. The other method, stoppedObserving
, is called when the remote cache goes away, so that you can stop sending updates.
On the receiver end, you make your cache class inherit from twisted.spread.pb.RemoteCache <pb.RemoteCache>
, and implement the setCopyableState
as you would for a pb.RemoteCopy
object. In addition, you must implement methods to receive the updates sent to the observer by the pb.Cacheable
: these methods should have names that start with observe_
, and match the callRemote
invocations from the sender side just as the usual remote_*
and perspective_*
methods match normal callRemote
calls.
The first time a reference to the pb.Cacheable
object is sent to any particular recipient, a sender-side Observer will be created for it, and the getStateToCacheAndObserveFor
method will be called to get the current state and register the Observer. The state which that returns is sent to the remote end and turned into a local representation using setCopyableState
just like pb.RemoteCopy
, described above (in fact it inherits from that class).
After that, your "setter" functions on the sender side should call callRemote
on the Observer, which causes observe_*
methods to run on the receiver, which are then supposed to update the receiver-local (cached) state.
When the receiver stops following the cached object and the last reference goes away, the pb.RemoteCache
object can be freed. Just before it dies, it tells the sender side it no longer cares about the original object. When that reference count goes to zero, the Observer goes away and the pb.Cacheable
object can stop announcing every change that takes place. The twisted.spread.flavors.Cacheable.stoppedObserving <stoppedObserving>
method is used to tell the pb.Cacheable
that the Observer has gone away.
With the pb.Cacheable
and pb.RemoteCache
classes in place, bound together by a call to pb.setUnjellyableForClass
, all that remains is to pass a reference to your pb.Cacheable
over the wire to the remote end. The corresponding pb.RemoteCache
object will automatically be created, and the matching methods will be used to keep the receiver-side slave object in sync with the sender-side master object.
Here is a complete example, in which the MasterDuckPond
is controlled by the sending side, and the SlaveDuckPond
is a cache that tracks changes to the master:
cache_classes.py <listings/pb/cache_classes.py>
listings/pb/cache_classes.py
cache_sender.py <listings/pb/cache_sender.py>
listings/pb/cache_sender.py
cache_receiver.py <listings/pb/cache_receiver.py>
listings/pb/cache_receiver.py
When run, this example emits the following:
$ twistd -n -y cache_receiver.py
[-] twisted.spread.pb.PBServerFactory starting on 8800
[-] Starting factory <twisted.spread.pb.PBServerFactory instance at
0x40615acc>
[Broker,0,127.0.0.1] cache - sitting, er, setting ducks
[Broker,0,127.0.0.1] got pond: <cache_classes.SlaveDuckPond instance at
0x406eb5ec>
[Broker,0,127.0.0.1] [2] ducks: ['one duck', 'two duck']
[Broker,0,127.0.0.1] cache - addDuck
[Broker,0,127.0.0.1] [3] ducks: ['one duck', 'two duck', 'ugly duckling']
[Broker,0,127.0.0.1] cache - removeDuck
[Broker,0,127.0.0.1] [2] ducks: ['two duck', 'ugly duckling']
[Broker,0,127.0.0.1] dropping pond
$ ./cache_sender.py
I have [2] ducks
I have [3] ducks
I have [2] ducks
Main loop terminated.
Points to notice:
- There is one
Observer
for each remote program that holds an active reference. Multiple references inside the same program don't matter: the serialization layer notices the duplicates and does the appropriate reference counting5 . - Multiple Observers need to be kept in a list, and all of them need to be updated when something changes. By sending the initial state at the same time as you add the observer to the list, in a single atomic action that cannot be interrupted by a state change, you insure that you can send the same status update to all the observers.
The
observer.callRemote
calls can still fail. If the remote side has disconnected very recently andstoppedObserving
has not yet been called, you may get aDeadReferenceError
. It is a good idea to add an errback to thosecallRemote
s to throw away such an error. This is a useful idiom:observer.callRemote('foo', arg).addErrback(lambda f: None)
getStateToCacheAndObserverFor
must return some object that represents the current state of the object. This may simply be the object's__dict__
attribute. It is a good idea to remove thepb.Cacheable
-specific members of it before sending it to the remote end. The list of Observers, in particular, should be left out, to avoid dizzying recursive Cacheable references. The mind boggles as to the potential consequences of leaving in such an item.- A
perspective
argument is available togetStateToCacheAndObserveFor
, as well asstoppedObserving
. I think the purpose of this is to allow viewer-specific changes to the way the cache is updated. If all remote viewers are supposed to see the same data, it can be ignored.
- The best source for information comes from the docstrings in
twisted.spread.flavors <twisted.spread.flavors>
, wherepb.Cacheable
is implemented. - The
twisted.spread.publish <spread.publish>
module also usesCacheable
, and might be a source of further information.
Footnotes
Note that, in this context, "unjelly" is a verb with the opposite meaning of "jelly" . The verb "to jelly" means to serialize an object or data structure into a sequence of bytes (or other primitive transmittable/storable representation), while "to unjelly" means to unserialize the bytestream into a live object in the receiver's memory space. "Unjellyable" is a noun, (not an adjective), referring to the class that serves as a destination or recipient of the unjellying process. "A is unjellyable into B" means that a serialized representation A (of some remote object) can be unserialized into a local object of type B. It is these objects "B" that are the "Unjellyable" second argument of the
setUnjellyableForClass
function. In particular, "unjellyable" does not mean "cannot be jellied" .twisted.spread.jelly.Unpersistable <Unpersistable>
means "not persistable" , but "unjelly" , "unserialize" , and "unpickle" mean to reverse the operations of "jellying" , "serializing" , and "pickling" .↩twisted.spread.pb.RemoteCopy <pb.RemoteCopy>
is actually defined intwisted.spread.flavors <twisted.spread.flavors>
, butpb.RemoteCopy
is the preferred way to access it↩Of course you could be clever and add a hook to
__setattr__
, along with magical change-announcing subclasses of the usual builtin types, to detect changes that result from normal "=" set operations. The semi-magical "property attributes" that were introduced in Python 2.2 could be useful too. The result might be hard to maintain or extend, though.↩This is actually a
twisted.spread.pb.RemoteCacheObserver <RemoteCacheObserver>
, but it isn't very useful to subclass or modify, so simply treat it as a little demon that sits in yourpb.Cacheable
class and helps you distribute change notifications. The only useful thing to do with it is to run itscallRemote
method, which acts just like a normalpb.Referenceable
's method of the same name.↩This applies to multiple references through the same
twisted.spread.pb.Broker <Broker>
. If you've managed to make multiple TCP connections to the same program, you deserve whatever you get.↩