[Nfd-dev] Intended scope of client.conf

Alex Afanasyev alexander.afanasyev at ucla.edu
Tue Aug 19 10:20:58 PDT 2014 

On Aug 19, 2014, at 11:44 AM, Burke, Jeff <jburke at remap.ucla.edu> wrote:

> 
> Hi Yingdi,
> Thanks for the reply – comments below.
> Jeff
> 
> From: Yingdi Yu <yingdi at cs.ucla.edu>
> Date: Tue, 19 Aug 2014 11:25:42 -0500
> To: Jeff Burke <jburke at remap.ucla.edu>
> Cc: Alexander Afanasyev <alexander.afanasyev at ucla.edu>, Steve DiBenedetto <dibenede at cs.colostate.edu>, "nfd-dev at lists.cs.ucla.edu" <nfd-dev at lists.cs.ucla.edu>
> Subject: Re: [Nfd-dev] Intended scope of client.conf
> 
>> 
>> Hi Jeff,
>> 
>> On Aug 18, 2014, at 4:35 PM, Burke, Jeff <jburke at remap.ucla.edu> wrote:
>> 
>>> So, the idea is that client.conf provides per-user configuration for NDN applications that gives the default keystore and mechanism for connecting to the local daemon.   For now, the default keystore specified in this configuration must be used if an application wants to interact with the identities/keys manipulated by the ndnsec tools.  
>>> Is that the right way to state it? 
>> 
>> This client.conf is the configuration file of ndn-cxx, so all apps (including ndnsec) compiled against ndn-cxx will use the keystore info in this file as the default configuration. If an app wants to access the identities/keys created through ndn-cxx, the paths in the conf file should be the right place to go.
> 
> 
> Alex's Issue #1850 suggests a stronger idea - that client.conf is for all libraries / applications interacting locally with NFD/NRD.  Is that correct?   

It is for "all" libraries (applications).

>> 
>>> - NFD and NRD use their own system-wide configuration file, not client.conf.    The unix socket they use is defined in their nfd.conf file.  But where is the keystore for the keys used by NFD and NRD, and how is it configured?  I couldn't find this in the developers guide. 
>> 
>> NFD and NRD are built against ndn-cxx, so they use the keystore info in the client.conf. We will clarify that in the dev guide.
> 
> 
> I'm still not sure that I understand why NFD/NRD should use a user's ~/.ndn/client.conf for their identity, if they are system-wide services.  This means that NFD and NRD will have different identities/signing keys on the same host if they are started by different users?  Shouldn't the daemon's identities be stable per-host unless changed by the owner/operator? 

I think the fact that NFD and NRD are using ~/.ndn/client.conf is just an artifact of your installation.  They are not suppose to be running as normal user.  One is running as root, the other should be some special user (ndn user if using Ubuntu PPA or macports).  In either case, ~/.ndn/client.conf should refer to different locations and there is "system-wide" /etc/ndn/client.conf  (or /usr/local/etc/ndn/client.conf, depending on your installation) which kicks in when ~/.ndn/client.conf doesn't exist.

One more thing.  Both ubuntu and macports are using trick with updating HOME variable before starting nfd, nrd, and all other daemons.  This ensures that deamons/apps don't share client.conf and security credentials.


>> 
>>> - It is assumed that there is only one installation of NFD/NRD per host.  So, shouldn't the socket configuration and protocol be per-host rather than per user?  I understand that for convenience they may be in client.conf, but want to confirm...
>> 
>> We may have per-host config for socket, but for keystore info, it might be better to keep per-user configuration.
> 
> 
> If NFD/NRD are system-wide services, what is the motivation for this?   (If they always ran under their own user, and the keystore was that of the NFD "user" this would make sense to me.  But, this is not the default behavior yet.)

System-wide services do not (not suposed to) use user's client.conf.


>> 
>>> perhaps their should be a client-default.conf in the same place as nfd.conf, and just override it from ~/.ndn/client.conf? 
>> 
>> I think a client-default.conf is possible if we set user's home directory as the default path to keystore. 
> 
> 
> Yes, makes sense.  I'm not sure it's necessary if the NRD/NFD identity issue is solved in a different way.
> 
>> 
>>> - There is an operator identity created by default at the time of installation of NFD/NRD.   This seems to be associated with the user who installed the software.   For NDN applications that run under other (non-root) users, is the idea that they can use their own client.conf settings, but the operator of the machine will need to authorize their key to sign things like prefix registration commands for the daemon? 
>> 
>> Ideally yes, but command interest validation is turned off.
> 
> 
> Yes, but hopefully not for long :) 
> 
> It seems like there is a potential bottleneck here, where on a multi-user host the operator will need to manually sign each user's key before they can register prefixes, which is a basic part of NDN communication.   Perhaps there should be an optional configuration mechanism available that automatically signs the keys of all authenticated users (who optionally are members of some group) on the host.
> 
>> 
>>> - Because it uses ndn-cxx, ndnsec manipulates the PIB/TPM for the current user, based on the settings in that user's client.conf.  Is that correct?  This may need to be clarified in the documentation.   Also, ndnsec-list does not seem to take into account the TPM setting, it just lists all of the keys in the PIB for the user.  Perhaps it could indicate which TPM they are stored in, to aid debugging?  
>> 
>> ndn-cxx internally maintains the consistency between PIB and TPM. Right now ndn-cxx assumed that there is only one TPM for one PIB, so we do not list the TPM information for each key. But I think we may need the TPM info when PIB handles multiple TPMs at the same time.
> 
> 
> Ok.  This causes some problems with NFD/NRD and probably other applications in cases where you are experimenting with two different TPMs.  See Bug #1889.  

It was never intended to use multiple TPMs in the first place.  It just a current accident that we have multiple ones and behavior is not defined if there is a mix up.

---
Alex

> 
> Thanks!
> Jeff
> 
> 
>> 
>> Yingdi
>> 
>> 
>>> 
>>> 
>>> Thanks,
>>> Jeff
>>> 
>>> 
>>> From: Alex Afanasyev <alexander.afanasyev at ucla.edu>
>>> Date: Mon, 18 Aug 2014 15:49:59 -0500
>>> To: Steve DiBenedetto <dibenede at cs.colostate.edu>
>>> Cc: Jeff Burke <jburke at remap.ucla.edu>, "nfd-dev at lists.cs.ucla.edu" <nfd-dev at lists.cs.ucla.edu>
>>> Subject: Re: [Nfd-dev] Intended scope of client.conf
>>> 
>>>> 
>>>> On Aug 18, 2014, at 3:38 PM, Steve DiBenedetto <dibenede at cs.colostate.edu> wrote:
>>>> 
>>>>> 
>>>>> On Aug 18, 2014, at 2:25 PM, Burke, Jeff <jburke at remap.UCLA.EDU> wrote:
>>>>> 
>>>>>> 
>>>>>> Hi folks,
>>>>>> 
>>>>>> Is there any specification for the purpose and scope of client.conf.  E.g., how it can be located, what can be specified there, and what code should pay attention to it?
>>>>> 
>>>>> I'm not aware of a full specification for the current client.conf. Here's the original client.conf redmine issue that covers file format, location, and some parameters: http://redmine.named-data.net/issues/1364 .
>>>> 
>>>> This is basically the spec.  A new addition that was made long time ago was part of http://redmine.named-data.net/issues/1532  and is documented in http://redmine.named-data.net/projects/ndn-cxx/wiki/KeyChainConf
>>>> 
>>>> ---
>>>> Alex
>>>> 
>>>>> 
>>>>>>   
>>>>>> 
>>>>>> We need to consider how to handle this specification in the NDN-CCL libraries, and would prefer to work from a design specification rather than existing code in ndn-cxx.   For code like ndn-js, it may not always apply, so we need to understand defaults and assumptions, too. 
>>>>>> 
>>>>>> Please see:
>>>>>> http://redmine.named-data.net/issues/1850
>>>>>> 
>>>>>> Thanks,
>>>>>> Jeff
>>>>>> 
>>>>>> _______________________________________________
>>>>>> Nfd-dev mailing list
>>>>>> Nfd-dev at lists.cs.ucla.edu
>>>>>> http://www.lists.cs.ucla.edu/mailman/listinfo/nfd-dev
>>>>> 
>>>>> _______________________________________________
>>>>> Nfd-dev mailing list
>>>>> Nfd-dev at lists.cs.ucla.edu
>>>>> http://www.lists.cs.ucla.edu/mailman/listinfo/nfd-dev
>>>> 
>>> _______________________________________________
>>> Nfd-dev mailing list
>>> Nfd-dev at lists.cs.ucla.edu
>>> http://www.lists.cs.ucla.edu/mailman/listinfo/nfd-dev
>> 

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://www.lists.cs.ucla.edu/pipermail/nfd-dev/attachments/20140819/98d9ac71/attachment.html>

More information about the Nfd-dev mailing list