Comments (7)
Glad you had success with the guide!
There is no limitation currently via authentication, all existing installations have made do with TLS distributed credentials via certs.
I've definitely wanted to stay out of a password retention/authentication scheme internal to buildfarm.
If you have a particular client that supports a third party authentication mechanism, I'd be happy to take a look at supporting it.
from bazel-buildfarm.
As far as I can tell, the existing TLS config doesn't solve this. It only lets you set a certificate for the server. I don't see an option to configure the server to check the client's certificate. So, it still allows anyone to connect. Is that correct?
My client is just Bazel. Bazel appears to implement a number of options here:
--remote_header
permits passing an arbitrary header value. This could be used to passAuthorization: Bearer <secret-token>
. The server could be configured to require this header matches one of the values on some authorized list.- Apparently, Bazel will use username/password found in
.netrc
(which I assume also results in anAuthorization
header being sent, using HTTP Basic Auth). - Bazel supports mTLS, that is, giving the client a private key and certificate. The server would presumably need to check that the client's certificate is signed by a particular CA cert.
Personally, of these, I would prefer the first option: Just check for a simple secret token in the header. It is the easiest to configure, and it lets people avoid the overhead of encryption if they trust their network (but don't trust all the devices on it). That said, I'd guess mTLS is the preferred approach for big installations.
Alternatively, if buildfarm merely supported the ability to bind sockets to localhost
only, not to a port on the physical network, then it would be straightforward for me to use SSH port forwarding or some type of proxy of my own in front of buildfarm.
(FWIW, in my use case, I'm just trying to delegate builds from my laptop to a more-powerful server machine on my home network. But I don't necessarily trust every device connecting to my network...)
from bazel-buildfarm.
If the server is configured with a specific cert, and the clients do not have a corresponding cert to interact with it, I expect that it would result in an inability to access the transport stream. I have, for instance, seen nginx managed TLS that required keyed certs, representing a partition in the client communication capacity. Or maybe I'm deluding myself, I don't purport to be an expert in this.
If you're not concerned about replay subversion or key persistence, we can probably add the first mechanism succinctly.
I'm not sure if anything happens for gRPC (HTTP/2) communication with .netrc from bazel. I would have to experiment.
My eyes glaze over when mTLS is mentioned, but I believe this is what I was suggesting in terms of pairing a TLS endpoint that may or may not be buildfarm server itself, or some intervening proxy like nginx.
The bind option is interesting. I can pursue adding that config immediately.
from bazel-buildfarm.
If the server is configured with a specific cert, and the clients do not have a corresponding cert to interact with it, I expect that it would result in an inability to access the transport stream.
I don't think that's how TLS works (and I do have a fair amount of experience with it). The server will happily tell its certificate to any client that connects, it's not a secret. The reason you have to configure the client with the certificate is to tell the client that it should only trust a server with a matching certificate. But this only authenticates the server to the client; it doesn't authenticate the client to the server. The client could just as easily be configured to accept any certificate, and the server would allow it.
In order for the server to authenticate the client, the client must have its own private key and corresponding client certificate, which the server is configured to verify. This is known as mTLS (mutual TLS). It doesn't appear that buildfarm's current config provides any way for me to specify how to verify client certs, so I assume this is not implemented.
If you're not concerned about replay subversion or key persistence, we can probably add the first mechanism succinctly.
For my purposes I'd be totally fine with the secret token just being plaintext in the config file. I understand this doesn't protect against MITM and that configs are easy to leak.
The bind option is interesting. I can pursue adding that config immediately.
Yeah, in theory this should be easy to implement although I noticed that gRPC's ServerBuilder
class in Java doesn't seem to have an obvious place to pass a bind address, which I find surprising. But I'm not familiar with this APIs, hopefully I'm missing something.
from bazel-buildfarm.
bindAddress
in server config is now on main, please give it a shot. Example in examples/config.yml
from bazel-buildfarm.
Thanks. Should workers support the same? Otherwise I guess workers, too, will accept requests from anyone on the network?
(I could probably make a PR for that following your example, if it makes sense.)
Separately, it looks like GitHub auto-closed this issue but I suppose it should stay open to track the more general problem?
from bazel-buildfarm.
They certainly can support the same, would look forward to your PR. I've reopened the issue, and will leave it that way until we rule one way or another on access - adding code that is required to facilitate security is something I've wanted to avoid.
from bazel-buildfarm.
Related Issues (20)
- if redisUri is empty, java.lang.NullPointerException error occurred HOT 1
- [Bazel CI] Build Error: No repository for `@com_google_protobuf_javalite` in module `grpc-java` without bazel_dep or use_repo HOT 6
- Do deployments via Helm work as RBE ? HOT 5
- make execution-policy=as-nobody the default on Linux
- [ZstdCompression] Read request with offset incorrectly fails with not_found error and removes blob
- [Bazel CI] apt-get and integration tests are failing with Bazel@HEAD HOT 1
- Tips on learning buildfarm? HOT 2
- Remote builds stuck on Buildfarm that is deployed with Helm. HOT 6
- Implement Fetch 'Push' Service
- Support http_header: prefix in Fetch Qualifiers
- bazel.canonical_id unsupported in Asset Fetch API HOT 1
- ERROR: error running 'git fetch origin refs/heads/*:refs/remotes/origin/* refs/tags/*:refs/tags/*' while working with @build_buildfarm~: HOT 2
- Updated from java17 to java21 to use the new server and worker causes JVM to shutdown
- Fetch service does not properly handle missing content-length HOT 1
- Support Multiple Hashing Function
- Remote execution service executing processes locally HOT 4
- ERROR: Failed to query remote execution capabilities: UNAVAILABLE: io exception HOT 3
- Feasibility Analysis of Using Buildfarm for Large-Scale Development HOT 2
- Verbose Logging for Servers and Workers through Helm Chart
- Check logs during remote execution
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from bazel-buildfarm.