CLI improvements #3991
CLI improvements #3991
Conversation
bin/varnishd/mgt/mgt_cli.c
Outdated
| for (i = 0; i < ncmds; i++) { | ||
| if (strcmp(av[1], cmds[i]->request)) | ||
| continue; | ||
| if (cmds[i]->flags & CLI_F_INTERNAL) { |
There was a problem hiding this comment.
should we be so secretive about internal commands to not even expose the fact that they are (put aside the potential for a timing side channel)? I would think that saying "this is an internal command" should be fine?
There was a problem hiding this comment.
I think we shouldn't expose more than necessary. We are changing the CLI commands table in this very patch series, and I would personally prefer to keep the ability to change the table as we see fit without being concerned about API stability for end-users (especially in the context of back-ports to older branches).
For third-party utilities, I would refer to help -j, like varnishadm does since 38506b3.
There was a problem hiding this comment.
What is the point of exposing commands that can/should not be used anyway ? Internal commands are meant to be only issued by the MGT process, so in my opinion, nothing else should be aware of it.
There was a problem hiding this comment.
My point is that we should not make it harder than it already is to hunt down errors.
| break; | ||
| cmd = mgt_cmd_lookup(av[1]); | ||
| if (cmd != NULL && cmd->flags & CLI_F_INTERNAL) { | ||
| VCLI_Out(cli, "Unknown request.\nType 'help' for more info.\n"); |
There was a problem hiding this comment.
similar to a previous comment: Would it be reasonable to expose that the command is internal?
There was a problem hiding this comment.
Since we are reaching out to the mgt CLI server, I would again refrain from mentioning implementation details from the cache CLI server.
| @@ -12,7 +12,6 @@ nobase_pkginclude_HEADERS = \ | |||
| tbl/beresp_flags.h \ | |||
| tbl/boc_state.h \ | |||
| tbl/body_status.h \ | |||
| tbl/cli_cmds.h \ | |||
There was a problem hiding this comment.
would it not make sense to keep the commands available to tools?
There was a problem hiding this comment.
See previous comment referring to 38506b3.
walid-git
force-pushed
the
cli_sensitive_internal_cmd
branch
from
a2b09e5
to
5ac900a
Compare
|
Some cli commands have flags (h,i,*) that are never parsed in the code, they can safely be removed.
Flags are much more convenient to handle when represented as bits rather than a list of characters. In addition, they better fit in the struct cli_cmd_desc than the struct cli_proto
Internal commands are commands that are only intended to be used for internal communication between MGT process and the child process. Thus, they should not be exposed to the user in cli help/man page.
Hiding internal commands in help is not sufficient, we must ensure they are not executed by the user through cli and handle them as unknown commands in that case.
Since we only have two authentication levels and that we now have proper flags, we can use them to distinguish commands that need an authenticated cli to be used, and get rid of the auth attribute in struct cli_proto. MCF_AUTH and MCF_NOAUTH aren't useful anymore and can be safely removed.
Make the cli function lookup an independent function, and call it prior to the "before" callback method. This will allow to conditionnally execute instructions in the callback method depending on the cli function we are currently handling.
walid-git
force-pushed
the
cli_sensitive_internal_cmd
branch
from
5ac900a
to
f780ada
Compare
Sensitive commands are commands that accept/return sensitive data as argument/output (ex: private keys). This commit prevents commands with the CLI_F_SENSITIVE flag and their responses from being logged to syslog/vsl. Sensitive commands can provide a custom logging function to define how the command and argument should be logged. If a sensitive command does not provide an implementation, then only the command name followed by "(hidden)" will be logged. For the command response, the status will be logged followed by the string "(hidden)".
When setting +cli_show_sensitive to the debug parameter, all commands will be logged to syslog (if syslog_cli_traffic is enabled) and vsl regardless if they are sensitive or not.
Cli help command does not show commands that we don't have the required auth level to execute. However, when the child process is running and the mgt receives a help command, it asks the child to execute it and return the response to the client. The child sees the command as comming from mgt, which has the highest auth level, and thus displays all the commands. This commit prevents this from happening by not forwarding the help command to child when the cli is not authentified.
This lock was used to guard the child VCLS, however we only interract with it through the cli_thread, which makes the locking pointless.
Make sure that we only interract with a VCLS through the thread that created it.
Since mgt is aware of all known cli commands, unknown commands should be blocked by mgt and not forwarded to the child process to prevent any malicious command smuggling (using quotes for example).
walid-git
force-pushed
the
cli_sensitive_internal_cmd
branch
from
f780ada
to
a8866de
Compare
|
Moved the command logging callback to |
|
I have looked over this PR in relation to the VIPC work I'm doing to enable a future CERT subprocess. This PR attacks some of the issues we need to solve, but I'm not sure those are the ones we need to or should fix first, nor that they should be fixed this particular way. In the future world order, we will have multiple "entities" which offer CLI commands: MGT, WRK, CERT but also VMODs and VEXTs, and the MGT needs to know where (and when!) to send commands. (This also implies that we do not know all CLI commands at compile-time any more!) We will also be passing file-descriptors around in association with CLI commands (the "smuggling" facility). And finally we will have distinct levels of CLI authority: Being able to load a new CERT is a different authority from loading a new VCL, from adding a BAN and from mucking with a backend (for unspecified values of mucking.) I'm as of yet undecided if we will also have CLI multiplexing, for instance being able to do a "backend.list" while a new VCL is being compiled, but I'll probably default to "Since we're ripping all this apart anyway…" As for the logging, that's an entire different kettle of fish. It is not obvious to me that CLI logging belongs in the subprocesses after this reconstruction, maybe MGT needs to grow it's own logging facility (or just use syslog?) and be responsible for all logging related to CLI, including thinking about which authority logs where. So I'm inclined to call this PR a very valuable prototype, and throw it away (as Brooks commands us.) |
No description provided.