Difference between revisions of "Platform Team/Server Kit/sugar-server"
(→backup) |
|||
| Line 68: | Line 68: | ||
* {{Code|jabber-url}}, if {{Code|registered}} is {{Code|True}}, Jabber server url; | * {{Code|jabber-url}}, if {{Code|registered}} is {{Code|True}}, Jabber server url; | ||
* {{Code|backup-url}}, if {{Code|registered}} is {{Code|True}}, Rsync url to backup Journal to, needs to be used as-is. | * {{Code|backup-url}}, if {{Code|registered}} is {{Code|True}}, Rsync url to backup Journal to, needs to be used as-is. | ||
| + | * {{Code|pending-restore}}, is there pending restore, i.e., if {{Code|True}}, during the registration on a server, there was an existing backup; any further, after registration, backup or restore will clean up {{Code|pending-restore}} flag. | ||
Requested uid might be not registered in cases like: | Requested uid might be not registered in cases like: | ||
Revision as of 15:02, 18 November 2011
Summary
The core Sugar Server Kit component.
The singular program requires only Python, and obvious dependencies like coreutils, to allow all its services to function properly. It provides basic sugar related services, and uses one CLI tool to manage all its functionality.
Functionality
Registry
During the sugar-server work, all its components have access to a registry, an analog of database to keep information about registered users or activated machines. The registry is file based, i.e., every item is being kept in one file (in JSON notation) in registry-dir directory.
There are two subdirectories, i.e., "tables":
users, for registered users, andmachines, for machines that requested activation leases on bootstrap.
Registry items might contains the following keys:
uid, user's identity got after registration on a server;machine_sn, serial number of hardware Sugar user is running on, e.g., serial number of a XO laptop;machine_uuid, UUID value of hardware Sugar user is running on, e.g., UUID of a XO laptop;pubkey, SSH public key, this is the exact line that needs to be placed as-is to~/.ssh/authorized_keysfile; note that OLPC XS operates with striped version of public keys.
Services
The list of services that sugar-server provides. Each service has a described interface to understand how it interact with clients. The counterpart for these interfaces is the sugar-client with a Client API it provides for clients, e.g., Sugar Shell.
If particular service supports RESTfull interface, the HTTP server is started on host with httpd-port port. The content of requests and replies is being transfered using dictionaries in JSON notation.
The resulting dictionary on success, will contain predefined keys:
success: OK;
The resulting dictionary on fails, will contain:
success: ERR;error, error message.
registry
Provide Sugar users registration on a school server. After being registered, Sugar on users side will setup interaction with a school server. See sugar-client project for details from client point of view.
Interface:
POST /client/register
Process registration on a server.
The input dictionary, contains (see identity models section for additional details):
nickname, user's Sugar nick name;machine_sn, machine's serial number, makes special sense only for XO anti-thief support and hardware based identity model,machine_uuid, machine's UUID value, makes special sense only for XO anti-thief support,pubkey, SSH public key passed as-is.
The resulting dictionary, contains:
uid, unique identity that needs to be used for further interaction with the server.
GET /client/status?uid=UID
Get information about client's status on a server.
The resulting dictionary, contains:
registered, ifFalse, client needs to process registration;jabber-url, ifregisteredisTrue, Jabber server url;backup-url, ifregisteredisTrue, Rsync url to backup Journal to, needs to be used as-is.pending-restore, is there pending restore, i.e., ifTrue, during the registration on a server, there was an existing backup; any further, after registration, backup or restore will clean uppending-restoreflag.
Requested uid might be not registered in cases like:
- registration was removed from the server,
- request was sent to the server not the same where uid was created,
- someone registered the same serial number.
Requirements:
- Current Sugar Shell code calls only XML-RPC method suing hard coded
http://schoolserver:8080/url. This restriction can be avoided using sugar-client.
Backward compatibility:
dict register(str machine_sn, str nickname, str machine_uuid, str pubkey)
To support OLPC's XS clients, RPC function to serve registration requests. The XML-RPM service will be listening 8080 port on the --host host.
backup
Process backup and restore for students' Journals. The service is accepting requests that clients send before starting backup process. If server accepts requests, clients start Rsync'ing Journal data via SSH. The Rsync url needs to be gotten from /client/status request and be used without any modification on the client side, i.e., the process is fully server driven.
Interface:
GET /client/backup?uid=UID
Check if client can start transfering Journal files using.
The resulting dictionary, contains:
accepted, ifTrue, clients can start backup process.
Requirements:
- The
rootconfiguration option should point to the home directory of system user that starts sugar-server process. That needs because clients will SSH to this user to do Rsync backups.
Backward compatibility:
Note, this backup functionality does not compatible with client tools that work with OLPC XS. The problem is that these tools construct backup url on a client side (using only server host name from backup url given after registration on a server) with relying that every client has its own system user on a server side. That doesn't work with new backup functionality where there is only one system user on a server side and authorisation happens on SSH level (using command option in ~/.ssh/authorized_keys file).
activation
This service is intended to process anti-thief requests XO laptops send to the server during the boot process.
Interface:
GET /client/lease?machine_sn=MACHINE_SN
Get OLPC anti-thief lease for specified XO's serial number.
The resulting dictionary, contains:
lease, lease content
Requirements:
- Current XO's bootstrap code uses TCP interface with having the following numbers hard coded:
hostneeds to be172.18.0.1,activation-portneeds to be191,- XOs use
172.18.96.1as a gateway while connecting to172.18.0.1.
Backward compatibility:
Service is also listening --activation-port port on the --host host to process TCP requests used by XO's bootstrapping code. If sent data starts from serial number, the service will reply with:
STOLENtext if serial number is stated as stolen;- lease content found for serial number;
UNKNOWNfor errors.
keyring
Keyring service is needed to work with activation one. It signs delegated leases for activation requests if pre-existed leases weren't found.
Interface:
There is no public interface, the service is being used internally by sugar-server.
User identity models
How sugar-server will identify users while registration.
Hardware based model
The usecase assumes:
- the hardware is intended to run only Sugar,
- it serves only one user,
- there is existing practice within XO deployments with workflows that need to be preserved.
To process registration, users need to provide:
- valid SSH public key,
- valid machine serial number, i.e., serial number that school server is aware about, e.g., there is an activation lease.
After re-flashing a XO (with loosing private key), it is possible to re-register user with uploading new public key. See below for related vulnerability issues.
The following TODO needs to be implemented:
- Properly handle backups after hardware switching for the particular user.
- More reliable identity scheme that will let to avoid compromising users.
SSH key based model
This is a low level model, since the major purpose is uploading SSH public key to the server. This model might be useful in cases like:
- the hardware is intended to run not only Sugar (thus, might be not affected by "re-flashing" issue),
- it might serve multiple users.
To process registration, users need to provide:
- valid SSH public key.
To have all-time access to already uploaded to the server data, people need to take care about keeping SSH key. This key can be found in ~/.sugar/<profile>/owner.key file.
Vulnerabilities
How current implementations are bad.
Compromised users
Current implementation of hardware based identity model has a security issue that might be described with the following usecase:
- a XO registered on a school server;
- processed several Journal backups there;
- got re-flashed with not keeping client side identities, like Sugar profile private key;
- the XO wants to re-register to restore Journal content from previous backup. But from school server point of view, this request is a regular registration request from new XO (that provides the same serial number that existing registration uses).
Sugar-server will process these registrations assuming that the request was sent from a XO that has exactly the same serial number that was provided with the request.
Compromised servers
Both identity models might process registration on fake servers. The only thing clients need to start a registration, is properly resolved schoolserver host name.
Possible solutions:
Configuration
By default, configuration occurs based on several sources (sorted by applied order):
/etc/sugar-server.confsystem-wide configuration file,~/.config/sugar-server/configuser-wide configuration file,sugar-server's command-line arguments.
Configuration files contain option names equal to command-line arguments. To get the current configuration, call:
sugar-server config
See sugar-server-templates sources for an example.