Script management vs Thing management #22
Comments
|
Showcase scenario (from here):
The draft algorithm for creating a remote Thing is the following:
The draft algorithm for script management:
Possible solutions:
|
|
My proposal would look the following (might still have bugs, since I am currently very short on time):
|
It can be done either by a script deployed and executed in the remote WR that uses the Server API, or by interacting in a special way with a special Thing (using the client API). If I understand you right, you propose the latter.
|
|
Think of the runtime as a box. On one surface we cut a whole in this box; this is the interaction model (uniform interface with Properties, Actions, Events). If an interaction originates inside the box, goes through the hole, and targets something on the outside, the interaction makes use of the client role of the hole. If an interaction originates outside the box, passes through the hole, and targets something inside the box, the interaction makes use of the server role of the hole. From the outside, we cannot look inside the box. We only see Thing Descriptions that tells us how to push stuff through the hole. Inside the box we cannot reach outside, unless we use the hole; the Scripting API tells us how to get stuff though it. The hole is a single, nicely cut hole with clear rules: the narrow waist. We want to avoid randomly stabbing additional holes in the box; each would have its individual rules how to get stuff through (cf. tightly coupled, service-oriented approach). |
|
You have described the runtime model, but not the deployment model. This whole discussion is on how to relate the two. We know what a script is, what a Thing is. What we don't know (haven't agreed about) how a script gets to the target device.
IOW this is the Client API. The interaction model is underneath and works with the same concepts, but they are different. If we take the analogy of "holes", it would make it easier to picture if client and server holes were different, rather than having "roles".
IOW the TD provides structural and interaction definitions. But it's a static thing. You are not generating bindings when requests are served. You implement a functionality that takes into account the TD, but has to be deployed and run in the WR (box).
I cannot make any practical sense out of this sentence. Define "extremely nicely cut" (?), and the "clear rules" (defined by TD?). I understand that now the "narrow waist" is the other two :).
That I understand, and it's a good goal. However, we are not talking about multiple random holes. We do need one extremely nicely cut hole also for getting functionality (script, things) into the box. Either through the same hole, or a different one. Your proposal still misses that. The current assumption is that these are flashed into the box. This is not good enough in 2017. We can do much more flexible things already with OCF. |
|
My use case about installing a service on a home hub from a public web page seems relevant. I am assuming that the hub has a thing that acts as a manager, and that with the right permissions, you can remotely invoke an action on this thing to request the installation of another thing. The manager thing then downloads and installs the new thing's implementation. The manager thing is also responsible for managing updates. The detailed requirements then follow from a consideration of security, privacy, and so forth. |
|
I see a certain disconnect in the discussion and assume its mostly because we take too many steps at the same time and have two concepts that consist of more than one assumption/statement. If we can collect the points/statements we see in common, maybe it helps to identify the ones we disagree on. Do we agree:
Point currently discussed, but approaching consent:
If we can agree that this is the base, then we can proceed to the points that are unclear and in heavy discussion:
Please comment and correct. |
Yes, I want to help clarifying the Servient architecture, as it is not clearly understood yet. You describe Client API, Server API, interaction model, and Things as if they were independent concepts. Please try to see why statements like "Server API now replaced by one or more special Things with special interactions" just do not compute. There is a strict relationship between the Thing concepts:
What we are currently defining is the generic, long-lived core API for Properties, Actions, and Events (this is the scope of the WoT Scripting API deliverable). What you are describing is a higher-level API that eases using, but must rely on the core API to fulfill management tasks. While I fully understand that you need something to instantiate Things in a runtime remotely, I am against standardizing something in the wrong place that bypasses the overall WoT architecture. You can achieve the same functionality by following the WoT architecture and provide Properties, Actions, and Events for your needs. We can ensure interoperability, meaning that a remote runtime will do what you expect, by defining the vocabulary of the Properties, Actions, and Events for management. The important aspect of security is how to secure and control the access from outside. This is the same as for all interaction, management or launching a missile. There is nothing special about your use case. While you might dislike the fact that your single function call for remote instantiation becomes a series of statements for the Client API, simply put it in a library. It will also be able to run in other runtimes because it is programmed against the core API and it will be able to manage any remote runtime because it is programmed against the management vocabulary. You can share this library, so not everyone has to rewrite it to get started. |
|
@h0ru5 I agree with the first part of your statements. I am not sure, however, if everyone agrees on "Point currently discussed, but approaching consent": Zoltan's proposal (judged more by the given function declarations than the used terms, which are prone to misunderstanding) shows the characteristics of a scriptable shell that has access to all connected runtimes. Independent from where the script is executed, it can instantiate and modify Things everywhere in the network using API calls. @zolkis , can you recognize your proposal in this statement? While this is a feasible solution that carries quite some merit, it is at a different level than the WoT architecture and building blocks that we are currently standardizing. It might well be implemented as an overlay, but it must not be rooted in the core of WoT. Furthermore, I disagree with
If it is remote, you need to use a client API (applies in general, independent from this issue).
We cannot expect this to be a fundamental part of the WoT runtime. It must be optional if standardized at all. On the Web, it is good practice to implement decorators and convenience libraries as third-party packages (e.g., jQuery). A user writing the script that deploys Things in different runtimes can easily choose the decorator; there is no need to make it standard. These scripts will still be portable. (This opens the questions how to import libraries/modules in WoT scripts; more important question than the management stuff. Security enforcement is not the argument here, since it cannot even be uniformly enforced, since different runtimes might have different purposes; if we standardize this, we need to provide for any possible use case; it's like standardizing how people have to implement their Web server -- we don't want that.)
The last one even appears to contradict the first statement I cited. |
|
Additional question: how would you deploy client functionality? |
Intended. I wanted to capture an overview of the points and arguments currently on the table and sort out what is consent-able and - (in last bunch of statements) where the divergence is. |
As mechanism, yes. As policy, usually no: it's not independent from where the script is executed! That's a world of difference. The script would run in a WR that is identified, authenticated and has to have appropriate access rights in the WoT network (analogous to Provisioning Tool in OCF). Only if security checks are passed the calls would succeed.
Client API is a set of mechanisms that are implemented in the WR. They get installed there together with the WR. Similarly, the server API is a set of mechanisms and gets deployed the same way. My problem with the current architecture is that it's too rigid for theoretic reasons and misses the practical deployment scenarios that are absolutely critical in IoT. I don't mind if you impose constraints on these mechanisms/APIs, as long as the use cases can be implemented securely without blowing up complexity or going out of charter scope. I am waiting for a more elaborate proposal on special Thing(s) and their interactions. BTW where do we standardize these? They would become a dependency for Scripting. I guess Scripting work should be shelved until this is clarified. |
I think this is a good use case. I try to map it to my current terms. So far the only difference to my proposal is that I consider this special Thing part of the WR, and I have sinfully mapped the invocation of the manager Thing install action as a separate API on the WoT object - think of it as a convenience function. I also stress that there are just 2 of these needed! While IMHO this is mostly a syntactic thing, it was deemed to want to open a new hole in the box. No, it doesn't - it all depends on implementation. That being said, I am fine with this, as long as it's standardized, including security provisioning of these special Things. We need an owner for this. |
The architecture gives you everything you would need. In @draggett 's use case description I can see the same approach I am proposing.¹ Are there reasons for you not using it or are there aspects you are missing? I didn't see you trying to follow an approach that is in line with the WoT architecture. Maybe the concepts we have refined over the past two years are not clear yet?
The question was about client logic (behavior and initiative of a Thing to interact with other Things), the complement to server logic (which is the sum of all Action and Event handlers). Not sure how you imagine "deploying an API", which again does not compute for me. ¹ one discussible detail is that Dave chose to trigger download of Thing logic (i.e., script / handler implementations / ...), while I was thinking of passing this logic as inputData of an Action directly to the manager Thing. |
|
Comment on security policy:
You want attach the security principal to the runtime. If you assume a Servient on a hub or cloud service would have multiple runtimes to allow for multi-tenancy, then we are on the same page and only have to get terminology straight: I was expecting only one runtime instance that is able to sandbox each script. Should be equivalent. Furthermore, I assume the runtime and its sandboxes as the fixed commodity that runs somewhere. It does not have any security principals yet, because those have to be attached to the application or business logic pieces (the WoT IG has been calling them App Scripts) that stakeholders deploy there. Stakeholder A deploys an app script alongside its security credentials etc.; so does stakeholder B with his app script and the credentials corresponding to it. The operator of the runtime would probably have provisioned security credentials to the management Thing that can be used by stakeholders to deploy their app scripts. How this management Thing is implemented in detail is up to the operator, his business model, payment methods, etc. It only needs to provide the management Interactions that are standardized through the managment vocabulary. Earlier I mentioned "additional management Interactions"; these could be the chosen payment Interactions or gold user management functions, which both are defined by one or two additional vocabularies. The tool that stakeholder a uses must have a security principal as well. It must have the credentials, so that the management Thing authorizes the tool to deploy his app script. The tool acts as client for the Interactions of the management Thing. It must follow the auth* mechanisms that are defined in the TD of the management Thing. All of this is not management-specific. This is how WoT works for all Interactions. Coming back to the app scripts. At first I simply thought, it would be a good convention to only put the implementation of one Thing into one script. Since this must be paired with a security principal, it seems more a MUST. However, I could imagine some kind of grouping, where one script creates two Things; yet they will then have the same principal and run in the same sandbox. Appears to be useful. Anyhow, I see the security principal (= can be identified, authenticated, ...) attached to the app script, not the runtime. The runtime enforces the policy (= makes sure credentials are safe, scripts are sandboxed, no spill); just like the browser with different Web pages in multiple tabs... If you think deploying a complete script is bad to manage from a security perspective, we can add a number of management Interactions that allow to programmatically deploy a Thing similar to creating one in the local runtime/sandbox. The Action handlers will probably still have to be set up by deploying code snippets. So in the end you still deploy JavaScript code. Thus, I don't really see the problem with deploying a complete script that then creates the Thing locally in the remote runtime/sandbox. We will still need multiple steps to deploy logic (=script code) and the principal (=credentials). Not sure if it is worth designing a container for that; is then more a question of protecting the IP in commercial script code maybe... |
Regarding the management capability of application and the security, it can be dealt in Scripting API work because both are mentioned in the WG charter as “Thing lifecycles” that implies management and “cross-platform security frameworks” in 2.2 Scripting API. The “thing lifecycles” also deals “enabling applications” in the description. Delaying of the standardization should be avoided. |
|
The security model is under work, but these developer scenarios and preferred solutions are good inputs to it. Next course of development: new iteration on security model, then public review, scoping and model development, then update WoT Runtime model, then update Scripting API. I will modify #21 on the two criticized functions. |
|
We have checked the proposed special Thing solution from security point of view, and it looks feasible. With that, from my part we have an agreement and we could close this issue, but the special Thing must be standardized (e.g. have actions on install, uninstall, start, stop scripts, clear all scripts, etc). I propose that would be done in a separate normative document, potentially together with other special Things (or actions within the same special Thing) that the WG might consider pursuing, for instance:
|
|
Defining TD for a script manager Thing is discussed in #23. |
Moving the discussion from the WoT WG mailing list to this issue.
History:
Proposal: allow Thing creation and TD modifications not only from local, but also remote WoT Runtimes.
Advantages:
Disadvantages:
The text was updated successfully, but these errors were encountered: