
Allow ra-admin to publish workflows on a different instance

Open ArneBachmann opened this issue 7 years ago • 5 comments

If I open just one RCE instance on the network for remote access, but want to publish a tool on a different RCE behind it, there is currently no option for that. I don't want to open (and manage) an SSH port for each instance that I potentially want to publish a workflow on.

I.e. sysmon has both options already, local and remote.

ArneBachmann, Jan 23 '18 10:01

Hi Arne,

the Remote Access feature is going to see major improvements in RCE 9.x and 10.x (according to our current roadmap). One of these planned improvements is that published workflows are going to behave just like other published components. Once this is implemented, the standard component visibility and forwarding rules will apply to them as well. This change is currently scheduled for RCE 10.

In other words, the current Remote Access "publish workflow" concept will be redundant. Instead of publishing a workflow specifically for SSH, you publish the workflow as a common component, and then authorize this component for access in the local network and/or via SSH.

Would this cover your use case?

rmischke-dlr, Mar 02 '18 13:03

Would it be possible to open an SSH port on a node facing the outside network, but have the tool or workflow published on another node connected to this SSH server? I think that is the original question.

ArneBachmann, Mar 04 '18 08:03

Status of related features/concepts:

The "Remote Access" feature is deprecated and is planned to be superseded by the (currently experimental) "Uplink" feature. The latter provides a much better and more extensible design. Therefore, any related ideas will be reviewed against Uplink, not RA anymore. This also includes "Workflow as Component", which is the generalized concept replacing RA's "publish workflow" feature.

Roadmap status:

The roadmap is not finalized yet, but it might involve RA being removed completely in 11.0.0, and Uplink promoted to non-experimental status.

rmischke-dlr, Dec 14 '21 09:12

Status update as of RCE 10.3.1:

  • A first version of the "workflow as component" feature was released as part of RCE 10.2.0. It is not feature complete but should cover basic use cases, and IIRC everything that was possible with the "Remote Access" workflow publishing.

  • Not directly related to this issue, but FYI, basic GUI support for workflow publishing is planned for the upcoming 10.4.0 release.

Regarding your specific setup, it seems that this should be fully covered by the combination of the "Uplink" and "Workflow as Component" features. In Uplink, the node providing the SSH access port (currently only one port supported) for internal and external access is completely independent of tool publishing -- this was conceptually different in Remote Access. So a typical setup that should address your setup would be these three example nodes:

  • Uplink relay (in organization X's or Y's DMZ): Provides the Uplink/SSH port for clients to connect to

  • Client A (inside organization X): Is connected to the Uplink relay, publishes its workflow via "Workflow as Component", and authorizes that component for an "external_" group, which allows external sharing via Uplink. (The "filter by group name" aspect is part of the experimental status.)

  • Client B (inside organization Y): Must be authorized for the selected "external_" group, and can then use the workflow as the published "Workflow as Component" tool/component.

(Of course, if you don't need SSH/Uplink to realize cross-organizational tool exchange, you can simply use "Workflow as Component" in an internal RCE network and be done. This is in case you were only using Remote Access as a preliminary way of wrapping workflows into components.)

Does this cover your use case?

rmischke-dlr, Jul 29 '22 09:07

I think I understand your suggested solution. My original idea, however, was different. I have several RCE profiles running on the same node, but didn't want to open multiple SSH ports to deploy tools to them.

My idea was that the relay node is able to forward my tool to publish automatically to the target node via a command on its only open SSH port (I publish via the relay SSH to any node connected to it).

But never mind, I don't think it's that critical and we'll find different ways of managing projects, once our server is finally running.

ArneBachmannDLR, Sep 13 '22 06:09