-
Notifications
You must be signed in to change notification settings - Fork 327
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Add callback for TURN authentication success #402
Conversation
Codecov ReportAll modified and coverable lines are covered by tests ✅
Additional details and impacted files@@ Coverage Diff @@
## master #402 +/- ##
==========================================
+ Coverage 68.15% 68.46% +0.30%
==========================================
Files 43 43
Lines 2352 2356 +4
==========================================
+ Hits 1603 1613 +10
+ Misses 582 579 -3
+ Partials 167 164 -3
Flags with carried forward coverage won't be shown. Click here to find out more. ☔ View full report in Codecov by Sentry. |
(forced pushed to resolve the linter issue) |
There have been lots of former attempts to add callback support to the authentication handler, see #2, #324 and the unmerged PR #325. At this point my minimal requirement for merging a new callback interface would be to handle user quoatas as per point (10) in the RFC (this means we need a callback for notifying the caller both on successful allocation creation events as well as when existing allocations are being deleted), and possibly redirects. Care to update the PR to handle at least the first case (i.e., add a callback for allocation deletions) and provide a sample code for implementing user quotas on top of your callbacks? Unfortunately, there has been no progress on this front so maybe we should merge this as is. However, this PR involves a user-visible API change so we need a conformation from @Sean-Der (he needs to roll a new release |
Great call out @rg0now it would be great if full life cycle could be tracked! @rg0now since this isn't a breaking change feel free to merge/change however you see fit! I also am in support of you starting a Tell me what I can do to support you. I think you are a better advocate/understand what 'next-gen TURN' looks like. |
Dear @renandincer, would you be willing to work together towards merging this? Some issues we'd need to discuss:
p.s.: care to do a quick call sometime? interested in your use case here... |
Hey @rg0now, yes I reviewed those PRs, and wanted to keep the scope of this as small as possible due to the discussion there - keeping the ALTERNATE-DOMAIN style use cases out of it.
AuthHandler will be called regardless of authentication success. This prevents a reliable mapping between fivetuple to usernames so that's why a callback only for success is desirable.
This is the intended semantics. It keeps 1-1 mapping with AuthHandler, so it's simple and doesn't cause any breaking changes while achieving the two goals: (1) create a way to detect failed vs successful requests per srcAddr, and (2) create a way map fiveTuple to username.
I do fully agree with you. I think what you described is a superior way of doing this. Callback for AllocationCreated and AllocationDeleted along with username and fivetuple in the function signature like so:
Somewhat related, getting the
RFC does not have a explicit way of deleting a allocation or permission so timeouts are enough for keeping track of usage accurately along with this auth success callback function. I'm willing to discuss other implementations, contributing AllocationDeleted/AllocatedCreated/etc. Yep. Let's get on a call and discuss :) |
Full ack.
I see. It seems worth supporting this use case.
I think the way user quotas could be supported is through the
I'm not sure I get this. We (the user) need to be notified when an allocation goes away, otherwise we cannot keep track of user quotas.
Here is a final API I have in mind:
This is deliberately not an interface so people will not have to implement all event handlers, just the ones they are interested in. Of course we don't have to implement all this: the first two callbacks will do for now (this will already handle your use case) and then we can work together to gradually implement the full API. Wdyt? Let's chat! Wrote an email!... |
OK, now I think I get it: the goal is not admission control, it's rate limitation. That will indeed need user context in Problem is: any way to solve this seems to require a breaking change. My suggestion would be to get the lifecycle event handlers straight and once we're happy with it only then break the API. |
With the knowledge of:
you can keep track of a map between username and src ip:port tuple, which can drive user quotas. The authSuccess function is called for every:
Since one can't send or receive packets without channel bind or permission or authenticated packet, you can assume ip:port tuple to username mapping to be 10 minutes by default in this situation. Obviously this is a unintuitive way of implementing this. |
I think example is a good idea in general whatever we implement. :)
I like this API, but I would like to sleep on it a little. I am not sure if ChannelCreated/ChannelRemoved callbacks are very useful. Do you think there is a good use for them? |
One option could be to provide an API to get a pointer to the net.Conn given username (or something from the allocation) |
One use case that I have in mind is making eBPF acceleration less intrusive (see #360). The current PR hooks directly into |
To close the loop here for those watching, we had a very good call. I agree that a interface similar to what @rg0now suggested is the way forward. This way, in the future, extra information from the allocation can be exported with relative ease without having to make breaking changes to the API. I will close this PR and follow up with a implementation in coming months unless somebody else takes on before then :) |
Hi @renandincer any progress on this? I plan to take a stride at an implementation but I don't want to do duplicate work... |
Description
Creates a new callback for users to be notified by successful TURN authentication. Together with the authHandler function, this can help determine the ratio of successful vs unsuccessful authentication attemps per username. This information then can be used to implement methods to prevent attacks to guess credentials similar to fail2ban.
There's been some discussion around implementing various usage quotas and limits within this package. An auth success callback can be used to implement some of these given that a succesful source IP address can be reliably linked to usernames. Together with maximum allocation time limit and permission timeouts per RFC, allocation refesh requests (requires auth) and configurable channel bind timeouts, fivetuple -> username usage can be reliably tracked outside of this package.