Creating secure channels to /api with default identity
This currently doesn't work
» ockam node create n1 --api-address 127.0.0.1:6001
» ockam node create n2 --api-address 127.0.0.1:6002
» ockam secure-channel create --node n1 /ip4/127.0.0.1/tcp/6002/ockam/api
encountered an error in command handler code
It would be nice if all nodes (embedded, n1 and n2) assumed the same default identity and then authorized that identity to establish channels at the /api endpoint.
@SanjoDeundiak thoughts?
Unfortunately, it should be secure-channel create connector
See this issue and corresponding PR which landed yesterday evening. https://github.com/build-trust/ockam/issues/3051 https://github.com/build-trust/ockam/pull/3062
This works, so there is no secure-channel listener started at "api" by default.
» ockam node create n1 --api-address 127.0.0.1:6001
» ockam node create n2 --api-address 127.0.0.1:6002
» ockam secure-channel create-listener --node n2 "api"
» ockam secure-channel create --node n1 /ip4/127.0.0.1/tcp/6002/ockam/api
Secure Channel created! You can send messages to it via this address:
/ockam/d172b331870a44aaf2375be9cf6f63ed
I think we need the following things:
- Start a default secure channel listener at "api"
- Make all nodes share a default identity that is created the first time a command is run
- Make all secure channel listeners in all nodes at address "api" authorize the default identity.
- Make secure channel create assume default identity as authorized.
@mrinalwadhwa oh, right. We don't start a listener by default. We can do that. I have questions about "default identity", I don't really get the logic behind it. In your example, should n1's identity become a default identity that every other node knows about? And we share only identity_id, right?
I added an issue for 1. here
> I have questions about "default identity", I don't really get the logic behind it. In your example, should n1's identity become a default identity that every other node knows about? And we share only identity_id, right?
I'm thinking of setting it up so that, in the simple case ... all nodes have the same identity and authorize that same identity's identifier at the secure channel listener on /api. So the same identity is at the two ends of the secure channel.
The benefit of this simple default is that new users get a mutually authenticated and authorized channel without learning about identifiers.
This would then be a complete demo:
» ockam node create n1 --api-address 127.0.0.1:6001
» ockam node create n2 --api-address 127.0.0.1:6002
» ockam secure-channel create --node n1 /ip4/127.0.0.1/tcp/6002/ockam/api
| ockam message send -/ockam/uppercase "hello"
HELLO
@mrinalwadhwa We want to avoid sharing Vault across different nodes
In a slack thread, @SanjoDeundiak and I came up with this as the approach to sharing default identities
- Generate embedded node identity on first run
- Copy it to new node on node create
- Authorize it as allowed to connect with /api secure channel listener - on node create
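The trust model agreed above (the four-item list earlier in the thread and the three-step approach just described) can be made concrete in a small model. The following is an added example written for this thread, not Ockam code: the identities, the `Cli`, `Node`, `secure_channel_create` names and the per-node vault layout are all assumptions, and the proof-of-possession step is an HMAC over a listener challenge, a dependency-free stand-in for the real Ockam handshake. It shows the default identity being generated on the first `node create`, copied into each new node's own vault (no shared Vault object), authorized at that node's "api" listener, and a node created with some other identity being refused at that listener.

```python
"""Model of the thread's "default identity" proposal (added example, not Ockam code).

Every node created through the CLI gets a copy of one default identity, and each
node's secure-channel listener at "api" authorizes that identity's identifier, so
the same identity sits at both ends of the channel. Only the identifier is what a
listener authorizes; the secret stays inside the owning node's vault.

The HMAC-over-challenge proof below is a stand-in for the real handshake
(assumption), used only to keep this runnable with the standard library.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass


@dataclass(frozen=True)
class Identity:
    identifier: str   # what listeners authorize; safe to share between nodes
    secret: bytes     # never leaves the vault of the node that holds it

    @staticmethod
    def generate() -> "Identity":
        secret = secrets.token_bytes(32)
        # The toy has no public key, so the identifier is derived by hashing (assumption).
        return Identity(hashlib.sha256(b"identity:" + secret).hexdigest()[:32], secret)


class Node:
    def __init__(self, name: str, identity: Identity):
        self.name = name
        self.identity = identity
        # Each node has its own vault holding a *copy* of the identity; vaults are not shared.
        self.vault = {identity.identifier: identity}
        self.api_authorized = set()  # identifiers the listener at "api" accepts

    def start_api_listener(self, authorized_identifiers) -> None:
        """Start the default secure-channel listener at "api" with an allow-list."""
        self.api_authorized = set(authorized_identifiers)

    def challenge(self) -> bytes:
        return secrets.token_bytes(16)

    def prove(self, challenge: bytes):
        """Initiator side: present our identifier and a proof bound to the challenge."""
        tag = hmac.new(self.identity.secret, challenge, "sha256").digest()
        return self.identity.identifier, tag

    def accept(self, identifier: str, challenge: bytes, proof: bytes):
        """Listener side: authorization check first, then verify the proof."""
        if identifier not in self.api_authorized:
            return False, "not authorized at api listener"
        known = self.vault.get(identifier)
        if known is None:
            # Toy limitation: verification needs the identity in our own vault.
            return False, "cannot verify identifier"
        expected = hmac.new(known.secret, challenge, "sha256").digest()
        if not hmac.compare_digest(expected, proof):
            return False, "proof failed"
        return True, "channel established"


class Cli:
    """Models the `ockam` CLI state that persists between commands (assumption)."""

    def __init__(self):
        self.default_identity = None

    def node_create(self, name: str) -> Node:
        if self.default_identity is None:
            # Step 1: generate the embedded-node identity on first run.
            self.default_identity = Identity.generate()
        # Step 2: copy the default identity into the new node's own vault.
        node = Node(name, self.default_identity)
        # Step 3: authorize it at the node's "api" listener, on node create.
        node.start_api_listener([self.default_identity.identifier])
        return node


def secure_channel_create(initiator: Node, responder: Node):
    """Model of `secure-channel create` from initiator to responder's "api" listener."""
    challenge = responder.challenge()
    identifier, proof = initiator.prove(challenge)
    return responder.accept(identifier, challenge, proof)


if __name__ == "__main__":
    cli = Cli()
    n1, n2 = cli.node_create("n1"), cli.node_create("n2")
    print("n1 -> n2:", secure_channel_create(n1, n2))
    stranger = Node("n3", Identity.generate())  # created outside the CLI default
    print("n3 -> n2:", secure_channel_create(stranger, n2))
```

Running the module shows n1 reaching n2's "api" listener with no identifier ever typed by the user, which is the point of the default, while a node that did not receive the default identity is rejected at the authorization step before any proof is checked.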