Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Leases #55

Merged
merged 38 commits into from
Oct 3, 2022
Merged

Leases #55

merged 38 commits into from
Oct 3, 2022

Conversation

jeffa5
Copy link
Collaborator

@jeffa5 jeffa5 commented Sep 27, 2022
edited
Loading

Fixes #21

Except #68

jeffa5
jeffa5 commented Sep 28, 2022
View reviewed changes
src/app/app.cpp Show resolved Hide resolved
@jeffa5 jeffa5 marked this pull request as ready for review September 28, 2022 16:31
@jeffa5 jeffa5 mentioned this pull request Sep 28, 2022
Open
21 tasks
jumaffre
jumaffre reviewed Sep 29, 2022
View reviewed changes
src/app/kvstore.h Outdated Show resolved Hide resolved
@jeffa5 jeffa5 force-pushed the leases branch 2 times, most recently from bc77998 to 1abdda1 Compare September 29, 2022 08:29
@jeffa5
Add lease message types
41a8ae3
@jeffa5
Add revoke
850c774
@jeffa5
Format proto
0d6a4c6
@jeffa5
Build leases.cpp
10be4ab
@jeffa5
Randomly generate ids
0fd2d7e
@jeffa5
Move logic to store
3b460f1
@jeffa5
Add start time to lease
a5314be
@jeffa5
Add keep alive structure
1e39662 
Doesn't currently work due to streams missing.
@jeffa5
Implement adding keys with leases
e8f0f2e
@jeffa5
Add handling of lease expiration into put and range
a900f76
@jeffa5
Remove keys when revoking a lease
7e8d9eb
@jeffa5
Format
180b7f4
@jeffa5
Add license notices
ff8d39e
@jeffa5
Add lease list api
56f7473
@jeffa5
Use user-provided ttl
11f9930
@jeffa5
Return an expired lease when it is missing
3d05997
@jeffa5
Enable lease tests
bc96147
@jeffa5
Update patch for lease tests and to be made from etcd root
dbd0479
@jeffa5
Fix formatting
612bee3
@jeffa5
Rename to avoid value in leasestore
0c90e6d
@jeffa5
Remove lease checkpoint messages
2437d0b
@jeffa5
Fix rename
07ca3c1
@jeffa5
Format
c0f4b21
@jeffa5
Fixup rebase
6505512
jumaffre
jumaffre reviewed Sep 29, 2022
View reviewed changes
src/app/leases.cpp Outdated Show resolved Hide resolved
src/app/leases.h Outdated Show resolved Hide resolved
@jeffa5
Pass in current time to lease functions
2441a84 
This makes it more consistent and allows us to use
get_untrusted_host_time_v1. This function isn't static so we can't have
our handlers be static either.
@jeffa5
Merge branch 'main' into leases
824f80a
@jeffa5
Fix formatting
4f4bb8b
jumaffre
jumaffre reviewed Oct 3, 2022
View reviewed changes
src/app/leases.h Outdated Show resolved Hide resolved
jumaffre
jumaffre approved these changes Oct 3, 2022
View reviewed changes
Copy link
Contributor

@jumaffre jumaffre left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Nice! I think the implications of using the time of the untrusted host (there's no secure time in the enclave) should be spelled out somewhere. This effectively means that a malicious operator could revoke a lease early or extend an existing one (i.e. there's an attack vector every time the app uses get_time_s). How bad is this? Should the API be extended for the client to pass in their current local time?

@jeffa5
Copy link
Collaborator Author

jeffa5 commented Oct 3, 2022

Nice! I think the implications of using the time of the untrusted host (there's no secure time in the enclave) should be spelled out somewhere. This effectively means that a malicious operator could revoke a lease early or extend an existing one (i.e. there's an attack vector every time the app uses get_time_s). How bad is this? Should the API be extended for the client to pass in their current local time?

Yep the lack of secure timing is a bit of a nuisance. Since leases might typically be used for some sort of leader election I'd imagine that it could be a bit troublesome (constantly flipping leaders). I'm not sure if the clients that use the lease would be trusted enough to provide times either since they could maliciously give a time that invalidates other leases.

Perhaps we could compromise, expose a way of clients also providing their current time in the request, and then comparing it to the local time from the OS. If they are not too different (within a configurable limit) then we know we can trust the timing somewhat. If they are too different just error out?

Something to bear in mind and discuss going forwards. I'll make an issue.

@jeffa5 jeffa5 mentioned this pull request Oct 3, 2022
Open
@jeffa5 jeffa5 enabled auto-merge (squash) October 3, 2022 14:58
@jeffa5 jeffa5 disabled auto-merge October 3, 2022 14:58
jumaffre
jumaffre reviewed Oct 3, 2022
View reviewed changes
CMakeLists.txt Outdated Show resolved Hide resolved
@jeffa5 jeffa5 merged commit 3647663 into main Oct 3, 2022
@jeffa5 jeffa5 deleted the leases branch October 3, 2022 15:43
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@jumaffre jumaffre jumaffre approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

Implement leases
2 participants
@jeffa5 @jumaffre