Add a way to pass secrets to processes in a controlled fashion

[kostko]

DEPLOYMENT CONSIDERATIONS:

• Secrets are encrypted using SECRET_KEY, keep it secure and backed up as it should already be ;-)
• Setting FLOW_DOCKER_MAPPINGS has been removed in favor of new FLOW_DOCKER_VOLUME_EXTRA_OPTIONS and FLOW_DOCKER_EXTRA_VOLUMES.

[jberci]

LGTM

[codecov-io]

Codecov Report

Merging #406 into master will decrease coverage by 0.54%.
The diff coverage is 46.08%.

@@            Coverage Diff             @@
##           master     #406      +/-   ##
==========================================
- Coverage   80.09%   79.55%   -0.55%     
==========================================
  Files         181      186       +5     
  Lines        9899    10065     +166     
  Branches     1059     1069      +10     
==========================================
+ Hits         7929     8007      +78     
- Misses       1789     1875      +86     
- Partials      181      183       +2

Impacted Files	Coverage Δ
resolwe/test_helpers/test_runner.py	43.83% <ø> (-0.55%)	⬇️
resolwe/flow/execution_engines/bash/__init__.py	90.32% <ø> (ø)	⬆️
resolwe/test/testcases/setting_overrides.py	100% <ø> (ø)	⬆️
resolwe/flow/executors/run.py	0% <0%> (ø)	⬆️
resolwe/flow/executors/docker/run.py	0% <0%> (ø)	⬆️
resolwe/flow/migrations/0010_add_secret.py	100% <100%> (ø)
resolwe/flow/routing.py	100% <100%> (ø)	⬆️
resolwe/flow/models/__init__.py	100% <100%> (ø)	⬆️
resolwe/flow/tests/test_secrets.py	100% <100%> (ø)
resolwe/flow/managers/__init__.py	54.16% <100%> (ø)	⬆️
... and 16 more

---

Continue to review full report at Codecov.

Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update 07f46c1...5c35716. Read the comment docs.

[dblenkus]

Enforce the secret format, i.e. "pattern": "^[0-9a-fA-F]{24}$". Otherwise some users may try to save secret directly in to the field.

[kostko]

Done.

[dblenkus]

Prefetch process.

[kostko]

As we are getting just a single object this doesn't make any difference in performance or the number of queries as even prefetching requires an additional query. We could use select_related here instead of prefetch to combine everything into a single join.

[dblenkus]

It is not ok to set SELinux mode on the systems that don't support it. We had such problems mounting data dir from Amazon EBS. Runtime dir will be often on shared storage, so you have to take care of that.

[kostko]

Hm, but we are using this also above for mounting passwd/group?

[dblenkus]

Yes, those files are normally on local disk so it is ok. The difference here is that runtime dir can be on shared storage.

[kostko]

Ok, I will move this into configuration as we have for data/upload dirs.

[dblenkus]

But this means that you have to support different mounting points in the container.

What if we add a setting to enable/disable SELinux config, e.g. FLOW_ENABLE_SELINUX_CONF, and the you can construct mount here?

cc @tjanez

[kostko]

But then we must change this everywhere as this is very strange to have some modes in settings and others are derived from this?

[kostko]

But this means that you have to support different mounting points in the container.

I don't think we should support this even with existing data/upload etc. endpoints. They should be fixed.

[kostko]

I've pushed a version which moves this into settings (I don't like this though). We can move it back if this makes sense.

[dblenkus]

But then we must change this everywhere

Yes.

Actually we support this for data/upload dir:

resolwe/resolwe/flow/executors/docker/run.py

Line 158 in ada2c06

script = script.replace(map_['src'], map_['dest'])

[kostko]

I know, but this (doing search and replace in arbitrary scripts) is a very ugly hack that should be removed.

[dblenkus]

+1

[dblenkus]

I don't like name extra as it doesn't apply that it contains sensitive data. Maybe secrets or protected_files?

[jberci]

On the other hand, the docstring for extend_settings specifies this plainly as a field for general raw files (as opposed to JSON serializations in the files parameter). Secrets are just one kind of opaque blob, so usage agrees with the docstring's specification.

[dblenkus]

But we also prevent listing of such dirs and restrict masks of files. So it may have unwanted consequences if you put such file directly into executor dir.
I would prefer to narrow use of this, make it secure (it already is) and clearly state that.

[dblenkus]

Or does not exist.

[dblenkus]

I think we will need an extra to describe where the secret comes from. E.g. if you get user's API token first time, you don't have to ask for it in following requests.

[kostko]

We can add an arbitrary JSON metadata column for that?

[kostko]

Done.

[dblenkus]

It would be useful to add Jinja filter for this, i.e. {{ token | get_secret }}

[kostko]

For which part? The whole command is specific for bash. Or did you mean just the {{token.handle}}?

[dblenkus]

I mean that you write {{ token | get_secret }} in the process and it is replaced with $(cat /secrets/{{token.handle}}) by Jinja filter.

That would make it much more user friendly.

[dblenkus]

Is there a use-case where contributor is not defined? If not i would prefer to make it mandatory.

[kostko]

👍

[kostko]

Now also pushed removal of FLOW_DOCKER_MAPPINGS.

[dblenkus]

Can we mount everything on the same path as it is outside?

[kostko]

I don't think this is the correct way to go as it is much cleaner to have fixed volumes inside the container, regardless of what is outside. In this way you can always rely on specific paths when you run inside Docker.

It would be much better to always defer path translation to the executor (actually to the prepare part of the executor) as it is executor specific (e.g., the local executor does nothing, the Docker executor uses fixed volumes, etc.). Not just blindly using *_DIR from settings.

[kostko]

This hack has been removed in the latest commit.

[hadalin]

Maybe state which units are used for expires?

[hadalin]

Also maybe state it defaults to None.

[kostko]

👍

[kostko]

@jberci please review my last commit, which fixes some issues with incorrect singleton use in Channels workers, which got exposed when removing hacky path translation.

[jberci]

LGTM so far. The global manager instance patching is still a bit hacky on the whole, but the Channel handler proxy will probably take care of that, since the manager will then be constructed once, as it was pre-channelization.

[kostko]

@jberci I've now pushed an updated version of the "Remove hacky path translation in Docker executor" commit, which separates the Channels consumer from the manager and uses the global manager instance instead.

[hadalin]

Should this method always be used when creating secrets? If yes, then update docs and maybe also raise error when using the usual .create(. In this case it would also be nicer to return handle, secret to remove the need to query the secret by its handle if you intend to use the secret directly.

Alternatively if .create is allowed, then override it and call it in create_secret.

[hadalin]

Both ways are ok I guess, but prevent confusion.

[hadalin]

Since this is arbitrary data, should a naming convention be followed to prevent conflicts?

[dblenkus]

Is this still needed now when only the singleton manager is used?

[kostko]

This has already been changed (discover_engines is now called instead), but yes we need re-discovery as the executor may change with each message.

[dblenkus]

A quick question: are process_* fields extended when updated or are they overwritten? @jberci?

[tjanez]

@jberci, ping

[dblenkus]

Add description of arguments.

[kostko]

This is an internal helper, but ok, if you think that it should be added ;-)

[dblenkus]

You can add just a quick description of arguments. There are just a lot of them, so it takes some time to understand them :)

[dblenkus]

It would be nice to make these options configurable.

[dblenkus]

self.volumes? Or move self.volumes = volumes.copy() to the end of the function.

[kostko]

self.volumes is no longer needed now that we got rid of hacky path translation, I forgot to remove it.

[dblenkus]

This SELinux label will also be a problem on a shared storage.

[kostko]

I left this as it was before? So this was already a problem before?

[dblenkus]

Yes, it was already a problem before, I just pointed it out as the part for determining modes is being refactored.

[kostko]

Good point, I'll add another extra option for tools and one for passwd/group.

[dblenkus]

Nice :)

[dblenkus]

Maybe add dedicated function for this instead of passing .. as filename?

[dblenkus]

@kostko make the filename argument optional and return root data dir if it is not defined.

EDIT: Actually both parameters should be optional in this case.

[kostko]

Done.

[dblenkus]

This should go into a separate commit.

[kostko]

Done.

[dblenkus]

Nice work!

[tjanez]

@kostko, very nice job!

Thanks for improving so many things in Resolwe.

Most of the comments are style improvements, so they should be easy to fix.

[tjanez]

@jberci, ping

[tjanez]

Hmm... I don't understand this comment.

I know it's not yours but since you touched it, can you make it more elaborate?
Also, make it a sentence.

[kostko]

I found it confusing as well. It seems to be talking about the Redis list used for communication, which is deleted when all elements are popped? @jberci can you confirm this is the case?

[jberci]

It is the case, the comment is about Redis deleting the list once all items have been popped. This behaviour was not obvious to me when I was doing this. If memory serves, the code was also structured so that one would expect explicit key deletion at the end, so I put that comment there. Feel free to get rid of it.

[tjanez]

Thanks for the explanation. I like @kostko's rewording and I think we can leave it in.

[tjanez]

Could you wrap this line at 100 characters?

[tjanez]

To me, mode=0o300 is actually more readable than mode=stat.S_IWUSR | stat.S_IXUSR.

If you agree, change it.

[tjanez]

Please, convert this to a sentence since you touched it 🙂 .

[kostko]

It should have been a sentence in the first place. I'll fix it.

[tjanez]

Nice!

[tjanez]

Please, wrap the docstring at 72 characters.

[kostko]

Should we have linters for these things? I never look at where I wrap things :-)

[tjanez]

It's not yet implemented in pycodestyle, but the PR @ PyCQA/pycodestyle#674 seems on right track and that it will got approval from pycodestyle's maintainer.

[tjanez]

Please, wrap the docstring at 72 characters.

[tjanez]

Please, wrap the docstring at 72 characters.

[tjanez]

Please, wrap the docstring at 72 characters.

[dblenkus]

@kostko Will this work if options is empty? Or do you have to omit the colon?

[kostko]

Yes, it works if the options are empty (no need to omit the colon).

[tjanez]

Looks good!