[Twisted-Python] Forwarded questions about PB

Glyph Lefkowitz glyph at twistedmatrix.com
Tue Oct 16 17:39:26 EDT 2001


On Tuesday, October 16, 2001, at 04:45  AM, Itamar Shtull-Trauring wrote:

> 	BTW, I read that you want to use RPC over unix domain sockets
> 	- the Twisted project has a generic secure remote object
> 	publishing system called PB. It runs over sockets, SSL, unix
> 	domain sockets, etc.. The main idea was to help people
> 	implement programs without having to design a protocol from
> 	scratch each time. The Twisted framwork is in general a
> 	wonderful platform for server developement:
> 	http://www.twistedmatrix.com. And that way maybe someday it
> 	can work with other stuff as well (e.g. Java).
>
> I'll take a look at it but I don't think it's the right thing for the
> crypto library, at least without some kind of user authentication that
> I currently haven't implemented.  Even with authentication I'd be
> uncomfortable exposing the server directly to an IP network.  My idea
> is to connect the server to the application host over a point to point
> connection like a serial port.

If the serial port can be represented as a byte stream (even better, as 
a file descriptor), then PB could easily be hooked up to it.

> Does PB have some advantage over running a standard non-encrypted RPC
> protocol over SSL?

Well, depends what you mean by "standard":

  CORBA: You can evolve PB interfaces without rebuilding/restarting both 
sides of the application each time.

  XML-RPC: You have a lot more expressiveness, and it consumes a lot less 
bandwidth.

  SOAP: Not as complex, not as expensive.  Object-to-object communication 
model instead of application-to-application.

  Sun RPC: Um... are you serious?

  RMI: It runs in more languages than just Java.  It's implemented in a 
non-blocking fashion.

If there were a good, standard, multi-language non-encrypted RPC 
protocol that could run over a serial port, then I suppose this question 
would be easier to answer, but I don't know what sort of protocol you're 
talking about.

> 	And philosophically I think you'd like it. For example, the
> 	way it implements home directories for users in a web
> 	server. Each user runs their own webserver, and then the main
> 	one that listens on port 80 forwards request to ~itamar/ to my
> 	personal web server (using PB). So each user has their CGIs,
> 	server scripts and so on, run using their own permissions and
> 	limits.
>
> Why not just use an apache proxy server on port 80, proxying requests
> to user servers?

Some information is lost that way; for example, what host the request 
originated from, and what the original URL was.  Also, apache tends to 
like to run lots of processes, which if every user is running can be 
rather resource-consumptive (not to mention that it likes to run as 
root...)

Also, apache proxying for user servers is hardly the default ;-).  
mod_rewrite would probably be able to handle such a thing in the right 
configuration, but with Twisted it works out-of-the-box.

> 	And I'm a developer on it (though I wasn't at all involved with these
> 	parts of the code), so I'm sure my bias shows :)
>
> I did look at twistedmatrix a few days ago and it looked kind of
> interesting.  I didn't notice any of the security/crypto stuff at the
> time.

We don't have any really radical security ideas -- the hope is that SSL 
will provide "good enough" crypto for any protocol that we design, and 
PB's security model is directly modeled after capability security 
(http://www.erights.org)

There is an integrated authentication and security model in PB and 
internet.passport though.

--
______      you are in a maze of twisted little applications, all
|   |_\     remarkably consistent.
|     |          -- glyph lefkowitz, glyph @ twisted matrix . com
|_____|             http://www.twistedmatrix.com/





More information about the Twisted-Python mailing list