Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Windows: Support setting permissions on Unix domain sockets #11354

Closed
sunjayBhatia opened this issue May 28, 2020 · 10 comments
Closed

Windows: Support setting permissions on Unix domain sockets #11354

sunjayBhatia opened this issue May 28, 2020 · 10 comments
Labels
area/windows stale stalebot believes this issue/PR has not been touched recently

Comments

@sunjayBhatia
Copy link
Member

In the Envoy API for Pipe addresses, we explicitly support setting the file mode on Unix domain socket files, see:

envoy/api/envoy/config/core/v3/address.proto

Line 30 in ece1b6a

uint32 mode = 2 [(validate.rules).uint32 = {lte: 511}];

This file mode pattern does not translate well to Windows, to get similar granular permission control we would need to leverage Windows ACLs.

This issue is for discussion around this topic and to consider different options, some that come to mind immediately:
@sunjayBhatia
Copy link
Member Author

cc @wrowe @davinci26 @nigriMSFT

@sunjayBhatia
Copy link
Member Author

The test that demonstrates this most succinctly is //test/common/network:address_impl_test -> PipeInstanceTest.BasicPermission

We have an underlying issue that we are not able to even stat the socket file, once that is solved, the file mode itself is the bigger question

@sunjayBhatia
Copy link
Member Author

We are considering disabling that individual test for now on Windows before this issue is resolved

@sunjayBhatia
Copy link
Member Author

related general issue: #9571

@davinci26
Copy link
Member

Is setting granular file permissions are requirement for a high priority scenario or is it a good to have? Is there a way to see what the customer demand for this is?

What I am thinking is that we could have this API in Windows with the current limitation. Basically only setting the socket read-only or write and write. And then offer an additional module just for win32 ACL. This is similar to the approach Python is taking.

Is there a way we could add win32 ACL support as plugin?

@sunjayBhatia
Copy link
Member Author

further discussion: https://envoyproxy.slack.com/archives/CNAK09BSB/p1590785118071500

We are seeing differences in behavior about stat() on a unix domain socket

@sunjayBhatia
Copy link
Member Author

as per @wrowe catching this: golang/go#33357 (comment)

@sunjayBhatia sunjayBhatia mentioned this issue Jun 3, 2020
Merged
mattklein123 pushed a commit that referenced this issue Jun 5, 2020
@sunjayBhatia @wrowe
Windows: Fixing straightforward issues with //test/common/network/... (
f0464a4 
…#11423)

    Do not use SO_REUSEADDR on Windows as it does not behave the same as Linux and other BSD socket stacks
    Disable pipe mode test on Windows, see #11354
    socket_option_factory_test no longer hard codes socket option value as struct linger consists of ushorts not ints on Windows
    allocate callback handles on heap instead of stack to work around MSVC
    enable address_impl_speed_test_benchmark_test
    additionally, tag new failing tests on Windows


Signed-off-by: Sunjay Bhatia <[email protected]>
Co-authored-by: Sunjay Bhatia <[email protected]>
Signed-off-by: William A Rowe Jr <[email protected]>
Co-authored-by: William A Rowe Jr <[email protected]>
@stale
Copy link

stale bot commented Jun 28, 2020

This issue has been automatically marked as stale because it has not had activity in the last 30 days. It will be closed in the next 7 days unless it is tagged "help wanted" or other activity occurs. Thank you for your contributions.

@stale stale bot added the stale stalebot believes this issue/PR has not been touched recently label Jun 28, 2020
@stale
Copy link

stale bot commented Jul 6, 2020

This issue has been automatically closed because it has not had activity in the last 37 days. If this issue is still valid, please ping a maintainer and ask them to label it as "help wanted". Thank you for your contributions.

@stale stale bot closed this as completed Jul 6, 2020
@wrowe
Copy link
Contributor

wrowe commented Jul 6, 2020

I'd suggest this issue remains unresolved and relevant

yashwant121 pushed a commit to yashwant121/envoy that referenced this issue Jul 24, 2020
@sunjayBhatia @wrowe @yashwant121
Windows: Fixing straightforward issues with //test/common/network/... (
f4c3136 
…envoyproxy#11423)

    Do not use SO_REUSEADDR on Windows as it does not behave the same as Linux and other BSD socket stacks
    Disable pipe mode test on Windows, see envoyproxy#11354
    socket_option_factory_test no longer hard codes socket option value as struct linger consists of ushorts not ints on Windows
    allocate callback handles on heap instead of stack to work around MSVC
    enable address_impl_speed_test_benchmark_test
    additionally, tag new failing tests on Windows


Signed-off-by: Sunjay Bhatia <[email protected]>
Co-authored-by: Sunjay Bhatia <[email protected]>
Signed-off-by: William A Rowe Jr <[email protected]>
Co-authored-by: William A Rowe Jr <[email protected]>
Signed-off-by: yashwant121 <[email protected]>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
area/windows stale stalebot believes this issue/PR has not been touched recently
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
4 participants
@wrowe @lizan @sunjayBhatia @davinci26