Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Allow connecting to Zebrad on any hostname #115

Open
wants to merge 1 commit into
base: dev
Choose a base branch
from
Open

Allow connecting to Zebrad on any hostname #115

wants to merge 1 commit into from

Conversation

emersonian
Copy link

This patch allows for Zaino to connect to a Zebrad that is not running on localhost.

This is my first-ever Rust pull request so bear with me! I am unsure how to run the tests, am happy to fix anything that broke.

Thank you for your great work on Zaino!

@daira
Copy link

daira commented Nov 20, 2024

I am opposed to merging this. We need to establish a strong security norm and expectation that the connection between Zaino and Zebrad is within a trust boundary. That is, we must be able to make the design assumption that Zaino can trust the Zebrad it is connected to, because it necessarily is run by the same party.

@emersonian
Copy link
Author

emersonian commented Nov 20, 2024
edited
Loading

How can this be tested in a staging environment without the ability to connect to other hosts? I'm all for including warnings in the documentation with your concerns, but restricting to only allowing zebra to run on localhost is excessive and slows down integration testing across stakeholders.

Use case: Zec.rocks has around ten zebra instances synced and running around the world. I took two out of our public load balancers (one mainnet, one testnet) and am pointing Zaino at them for integration testing, all communicating within their clusters' internal networks. There is no security risk in this case, internal communications are encrypted by the Container Network Interface (CNI).

Restricting to localhost slows down the development of Docker Compose and Kubernetes configs for Zaino. Sure, add warnings, but don't force everyone to run Zebra on localhost.

@idky137
Copy link
Contributor

idky137 commented Nov 21, 2024

Could we query Zebra's enable_cookie_auth setting using the RPC server? We could then enforce cookie_auth=true when connecting to Zebra remotely? We could also add something similar for Zcashd using the user and password fields in its RPC server. Im not sure how disruptive this would be Zec.rocks though?

@idky137
Copy link
Contributor

idky137 commented Nov 21, 2024

Code looks good though!

@idky137
Copy link
Contributor

idky137 commented Nov 26, 2024

Hey sorry I haven't got back regarding this.

I want to make sure everyone is happy with the decision we make regarding how we open up Zaino for remote use before merging anything into dev.

We do have work planned for connecting to zebra remotely in Milestone 3 of our current grant (#58) but that is a few months away and will not be focusing on the RPC backend in Zaino.

I want to make sure Zaino can be used how the community wants though so think it would be good to work out a solution for the RPC backend separate to that.

@idky137 idky137 added the do not merge This issue is currently blocked from being merged into dev. Check comments. label Nov 26, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
do not merge This issue is currently blocked from being merged into dev. Check comments.
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@emersonian @daira @idky137