-
Notifications
You must be signed in to change notification settings - Fork 58
Conversation
…rp and %west as intended.
…nly passed into the desk core initially.
This also makes live-updating to this new clay easier.
Changing the |
For some reason it/hood's not getting compiled against the latest zuse?
Set permissions for that during boot and clay update.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Looks structurally sound, and I think it'll work. Some stylistic comments and a few questions before I'll sign off on it.
sys/vane/clay.hoon
Outdated
@@ -367,6 +375,7 @@ | |||
:: | |||
:: -- current time `now` | |||
:: -- current duct `hen` | |||
:: -- foreign requester `for`, if any |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I don't see this in the state anywhere.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Lingering trace of experimentation. Will delete.
sys/vane/clay.hoon
Outdated
@@ -421,6 +430,8 @@ | |||
dom=*dome | |||
dok=~ | |||
mer=~ | |||
per=[[/ %black ~] ~ ~] |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Do we not want to default everything to private, i.e. a whitelist with no elements?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
These are the defaults for local copies of foreign desks. Those are not accessible by outsiders over the network. In a previous iteration of the PR setting these to be readable was required.
That said, the current version always says "no permission checks" for all internal requests, so there's no need to set permissions here explicitly anymore.
@@ -2193,7 +2238,7 @@ | |||
:: Gets a map of the data at the given path and all children of it. | |||
:: | |||
++ lobes-at-path | |||
|= {yon/aeon pax/path} | |||
|= {for/(unit ship) yon/aeon pax/path} |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This looks like an unused argument.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
It should be used, since this is how %many
requests get their data. Going to add a permission check here.
=+ yak=(tako-to-yaki u.tak) | ||
=+ len=(lent pax) | ||
=- (levy ~(tap in -) |=(p/path (allowed-by who p per.red))) | ||
%+ roll ~(tap in (~(del in ~(key by q.yak)) pax)) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This seems likely to be a duplicate of the usual %y / %z logic. If so it might be good to make a little helper function.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
It's not an exact match. %y
wants just the path, %z
wants lobes too, and they both want only the path tails, where the permission check just wants the full paths.
The logic it still fairly transferable though, the data structures here are easy enough to work with. Having one function for "get child nodes with tail paths" seems to give a net gain to simplicity.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Actually, I'm having trouble finding a helper function here that isn't in some way terrible to use for two out of three cases. Problem is that if we do a dir listing for /one
with the following data stored, then we still want to see ./two
show up, but we can't provide a lobe
alongside that, unlike for ./three
/one/two/x
/one/two/y
/one/three
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Ok, no need to force it if it doesn't feel right.
sys/vane/clay.hoon
Outdated
|= {w/whom h/?} | ||
?: h & | ||
?: ?=($& -.w) =(w &+who) | ||
(~(has in (fall (~(get by cez) p.w) ~)) who) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Could (~(get by cez) p.w)
ever fail? I feel like that should be a ~(got by ...)
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
It totally can. Either I added a group which I haven't defined yet, or I deleted a group and there's still references to it lingering.
sys/vane/clay.hoon
Outdated
::. | ||
$cred | ||
=. cez.ruf | ||
?~ cew.q.hic (~(del by cez.ruf) nom.q.hic) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
q.hic
could really use an alias. Comparing p.q.hic
and p.q.q.hic
a little later in this function is cruel and unusual punishment.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
You're right, even just aliasing q.hic
to req
makes a world of difference.
I also made a commit that adds actual faces to the ++task
. Not sure if that's boyscouting a bit too aggressively.
sys/vane/clay.hoon
Outdated
?: ?=($warp -.q.hic) | ||
[~ q.hic] | ||
:_ [%warp q.q.hic r.q.hic] | ||
?: =(p.q.hic p.q.q.hic) ~&([%huh-this-west-may-be-weird p.q.hic] ~) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
What's weird about it?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Nothing but the fact that I left a debug statement in it. Cleaning up.
sys/vane/clay.hoon
Outdated
:: :* %someones-warping | ||
:: rav=u.q.q.q.hic | ||
:: rav=u.q.r.q.hic |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
There's no way I can reasonably review u.q.r.q.hic
. I realize this was already the style in this part of the code, but it's not fit for human consumption.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This particular comment can probably just get removed, but I agree that I should probably add a few =*
here.
sys/vane/clay.hoon
Outdated
=/ cul | ||
|= a/cult-2 ^- cult | ||
|= a/cult-3 ^- cult |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I think this would be cleaner as a |^
since it has so many internal functions.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Fair, on it!
sys/vane/dill.hoon
Outdated
@@ -280,7 +281,7 @@ | |||
(sync %home our %base) | |||
(init-sync %home our %base) | |||
=. +> ?. ?=(?($duke $king $czar) can) +> | |||
(sync %kids our %base) | |||
(show %kids):(sync %kids our %base) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Can you explain why this change was necessary?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Since all local desks are fully private by default, we need to make our %kids
desk public explicitly if we want people to be able to sync with it.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I think a comment here would be helpful.
sys/vane/clay.hoon
Outdated
|= pes/regs | ||
^+ pes | ||
=- (~(gas in *regs) -) | ||
%+ murn ~(tap by pes) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Looks like this could be a ++skim instead of a ++murn.
Looks good to me. How's the testing coming? |
Also adds a comment about the reason for making the %kids desk public.
As you might deduce from the commits, testing pointed to a few issues that needed solving. Everything now works as expected. For the record, and for the future, here are the beginnings of a clay testing lib. Should work nearly identically for other vanes. Also see this bigger one for jael. Included is a pair of generators for setting the readability of desks (or "directories" therein). Unless there's anything other than the |
Re-reviewed. Looks good to me. |
I lied about the booting btw (thanks, last-minute additions), kiln does complain about not finding one of the new clay types if you don't boot with a new-clay pill. So we'll want to make sure to push an up-to-date latest.pill when this goes onto the network. |
Does that mean this needs to be breached in? |
It doesn't need to be breached in, but I just double-checked, and the kiln changes did break the updating. Particularly, it says it can't find We could do like a partial update that doesn't include the offending kiln changes, and then push out the second half separately. (I guess ultimately this is an issue of kiln not getting recompiled alongside a zuse change...) |
As discussed internally, permissions for the filesystem.
Permissions are set for all revisions of a node. If a node doesn't have permissions set, those of the parent node are used. If no permissions are set all the way up to root, we default to fully private.
The clay interface sees some additions to support basic permissions management.
++task
:{$cred our/ship nom/@ta cew/crew}
for setting permission groups.{$crew our/ship}
for getting permission groups.{$perm our/ship des/desk pax/path rit/rite}
for setting permissions for a node.%p
++care
for reading permissions set for a node on a local desk.++gift
:{$cruz cez/(map @ta crew)}
, the response to%crew
requests.{$rule red/dict wit/dict}
, the response to%p
file requests.And a notable change that was required for making permission checks actually functional:The interface for
%warp
file request now includes aship
which has to be set to the requesting ship.When doing a
%warp
for local data, you just set it toour
, as you do for many other tasks. When doing a%west
for foreign data, the target ship automatically turns it into a%warp
with the original sender specified.Read requests from foreign ships come in as
%west
s. They now get re-sent to the local clay as%werp
s, which get dealt with as%warp
s that require permission checks. No checks are done for write requests, because those only originate locally right now.Eventually, the above will be more elegantly solved from within arvo itself, passing vanes a pair of recipients and responsible ships for each incoming event. Not to mention making a global
our
available once the new boot sequence lands. Changing this to make use of that shouldn't be difficult.Aside, having to take original requester into account when deduping requests likely completely obliterates any use that still saw. We're fine to keep it in, but at this point it might be costing more performance than it'll ever gain us.
Need to do more thorough testing and implement a state adapter, but it boots (off an updated pill at least) and seems to work as advertised so far, so I'd say that's good enough for review/discussion.