Samba, Quo Vadis? Experimenting with languages the Cool Kids use - - PowerPoint PPT Presentation

samba quo vadis
SMART_READER_LITE
LIVE PREVIEW

Samba, Quo Vadis? Experimenting with languages the Cool Kids use - - PowerPoint PPT Presentation

Jul 02, 2023 308 likes •780 views

Samba, Quo Vadis? Experimenting with languages the Cool Kids use Kai Blin Samba Team SambaXP 2017 2017-05-03 Intro M.Sc. in Computational Biology Ph.D. in Microbiology Samba Team member 2/45 Overview Programming

slide-1
SLIDE 1

Samba, Quo Vadis?

Experimenting with languages the Cool Kids™ use

Kai Blin Samba Team SambaXP 2017 2017-05-03

slide-2
SLIDE 2

Intro

M.Sc. in Computational Biology Ph.D. in Microbiology Samba Team member · · ·

2/45

slide-3
SLIDE 3

Overview

Programming languages ·

3/45

slide-4
SLIDE 4

Overview

Programming languages Hello, world! · ·

4/45

slide-5
SLIDE 5

Overview

Programming languages Hello, world Kerberos! · ·

5/45

slide-6
SLIDE 6

Overview

Programming languages Hello, world Kerberos! Implementing it · · ·

6/45

slide-7
SLIDE 7

Overview

Programming languages Hello, world Kerberos! Implementing it Conclusions · · · ·

7/45

slide-8
SLIDE 8

If someone claims to have the perfect programming language, he is either a fool or a salesman or both. – Bjarne Stroustrup

Programming Languages

slide-9
SLIDE 9

Why?

"The [Samba] project does need to consider the use of other, safer languages." – Jeremy Allison, last year

9/45

slide-10
SLIDE 10

Why?

No, honestly, why?

Avoid whole classes of bugs New languages, new features It's getting harder to find C programmers · · ·

10/45

slide-11
SLIDE 11

Currently

80% C, 7% Python (2) ~ 2 million lines of code ~ 15-20 regular contributors · · ·

11/45

slide-12
SLIDE 12

Languages

Cool Kids™ approved

Go Rust Python 3 · · ·

12/45

slide-13
SLIDE 13

Go

Announced 2009 C-like, compiled language Concurrency core part of the language Package management with go get <package> Programmers call themselves "Gophers" · · · · ·

13/45

slide-14
SLIDE 14

Go

Hello, World!

package main import "fmt" func main() { fmt.Println("Hello, World") }

14/45

slide-15
SLIDE 15

Rust

Announced 2010 C-like, compiled language Focus on memory safety Package management with cargo Still a bit of a moving target Programmers call themselves "Rustacians" · · · · · ·

15/45

slide-16
SLIDE 16

Rust

Hello, World!

fn main() { println!("Hello, world!"); }

16/45

slide-17
SLIDE 17

Python 3

Announced in 2008 dynamically-typed, interpreted language Focus on simplicity and readability Package management with pip install <package> Mainly for comparison Programmers call themselves "Pythonistas" · · · · · ·

17/45

slide-18
SLIDE 18

Python 3

Hello, World!

Or maybe

print("Hello, world!") def main(): print("Hello, world!") if __name__ == "__main__": main()

18/45

slide-19
SLIDE 19

Hello, Kerberos!

Introducing the example project.

slide-20
SLIDE 20

KKDCP

Kerberos Key Distribution Center Proxy Proxy Kerberos TGT and service ticket requests via HTTPS

20/45

slide-21
SLIDE 21

KKDCP

Client sends ASN.1-encoded HTTPS POST request to proxy Proxy decodes extracts Kerberos ASN.1 request Proxy sends krb request to KDC KDC responds Proxy encodes response Proxy replies to client · · · · · · ·

21/45

slide-22
SLIDE 22

Existing implementations

MS-KKDCP server kdcproxy · ·

22/45

slide-23
SLIDE 23

Plan

Write an implementation in all three languages Validate against reference Compare on both implementation ease and performance · · ·

23/45

slide-24
SLIDE 24

In theory, there is no difference between theory and practice. But, in practice, there is. – Jan L. A. van de Snepscheut

Implementing it

slide-25
SLIDE 25

Languages

Go: 1.8 Rust: 1.16.0 Python 3.5.2 · · ·

25/45

slide-26
SLIDE 26

Environment

Server: Active Directory KDC (Samba or MS) Client: MS Windows Client: MIT Kerberos (kinit) · · ·

26/45

slide-27
SLIDE 27

Challenges

How to set up KKDCP with Windows Use kdcproxy as reference Only use MIT Kerberos kinit · · ·

27/45

slide-28
SLIDE 28

Challenges

Part II

Ubuntu ships MIT krb5 1.13.2 KKDCP seems to fail on 1.13.2, reason not obvious from logs Use 1.16 pre-release instead Doesn't like HTTP, use HTTPS · · · ·

28/45

slide-29
SLIDE 29

New Reference: kdcproxy

Created by RedHat (https://github.com/latchset/kdcproxy) Written in Python (v2 compatible) WSGI app · · ·

29/45

slide-30
SLIDE 30

Set-Up

Server

WSGI app in gunicorn Use Nginx for HTTPS · ·

30/45

slide-31
SLIDE 31

Set-Up

Server

server { listen 443; include ssl_params; location /RhKdcProxy { proxy_pass http://127.0.0.1:8123/; include proxy_params; } } gunicorn -w4 kdcproxy:application -b 127.0.0.1:8123

31/45

slide-32
SLIDE 32

Set-Up

Client

[realms] DEMO.KBLIN.ORG = { http_anchors = FILE:/etc/ssl/certs/kdcproxy.pem kdc = https://kdcproxy.demo.kblin.org/RhKdcProxy admin_server = kdc.demo.kblin.org }

32/45

slide-33
SLIDE 33

Demo Time!

# as root ./switch.sh rh # as user ./run_demo.sh

33/45

slide-34
SLIDE 34

Python 3

Uses asyncio/aiohttp Uses new async/await keywords Uses type hints Not compatible with Python 2.x pyasn1 for ASN.1 handling See full code at https://github.com/kblin/py3-kkdcp · · · · · ·

34/45

slide-35
SLIDE 35

Python 3

async def handle_kkdcp(request): data = await request.read() proxy_request = codec.decode(data) loop = asyncio.get_event_loop() krb5_response = await asyncio.wait_for( forward_kerberos(proxy_request.message, loop=loop), timeout=15, loop=loop) return web.Response(body=codec.encode(krb5_response), content_type="application/kerberos") app = web.Application() app.router.add_post("/", handle_kkdcp)

35/45

slide-36
SLIDE 36

Python 3

async def forward_kerberos(data: bytes, loop=None) -> bytes: reader, writer = await asyncio.open_connection( 'kdc.demo.kblin.org', 88, loop=loop) writer.write(data) resp = await reader.read() return resp

36/45

slide-37
SLIDE 37

Demo Time!

# as root ./switch.sh py3 # as user ./run_demo.sh

37/45

slide-38
SLIDE 38

Go

Apart from the HTTP handler dispatch, no attempt at async code Uses stdlib ASN.1 encoder No error handling in code samples See full code at https://github.com/kblin/go-kkdcp · · · ·

38/45

slide-39
SLIDE 39

Go

func HandleKkdcp(w http.ResponseWriter, req *http.Request) { w.Header().Set("Content-Type", "application/kerberos") defer req.Body.Close() data, _ := ioutil.ReadAll(req.Body) proxy_request, _ := codec.Decode(data) krb5_response, _ := ForwardKerberos(proxy_request.Message) reply, _ := codec.Encode(krb5_response) w.WriteHeader(http.StatusOK) w.Write(reply) } func main() { router := mux.NewRouter() router.HandlerFunc("/", HandleKkdcp).Methods("POST") log.Fatal(http.ListenAndServe(":8124", router)) }

39/45

slide-40
SLIDE 40

Go

func ForwardKerberos(data []byte) (resp []byte, err error) { conn, _ := net.Dial("tcp", "kdc.demo.kblin.org:88") defer conn.Close() conn.Write(data) resp, _ = ioutil.ReadAll(conn) return resp, nil }

40/45

slide-41
SLIDE 41

Demo Time!

# as root ./switch.sh go # as user ./run_demo.sh

41/45

slide-42
SLIDE 42

Rust

Documentation missing "Just use the nightly version of the language" Could not find working ASN.1 library. So, no demo ☠ · · · ·

42/45

slide-43
SLIDE 43

Truth is subjectivity. – Søren Kierkegaard

Conclusions

slide-44
SLIDE 44

Conclusions

Python 3 and Go both worth investigating further Rust not quite ready for prime time yet Would probably pick Go myself · · ·

44/45

slide-45
SLIDE 45

Thank you