TopazD - Expose data store plugin admin operations via SSH #688
Description
In order to allow data(base) store plugins to expose admin capabilities remotely, the proposal is to expose an optional, opt-in admin service as part of topazd, which is accessible via SSH. The admin service will require a user certificate, which is signed with the CA cert associated with the topazd service.
The topazd config will be extended with an optional admin service block:

```go
type Config struct {
	Enabled       bool   `json:"enabled"`
	ListenAddress string `json:"listen_address"`
	KeyPath       string `json:"key_path"`
}
```
When enabled, `listen_address` specifies the host and port for the admin service. `key_path` points to the key the service uses to verify that the certificate presented by the connecting user was signed with that key.
```sh
# create the host key
ssh-keygen -t ed25519 -f admin_service_host_ed25519_key -N ""

# create key for user `alice`
ssh-keygen -t ed25519 -f alice_key -N ""

# sign user key with the host key, valid for 1 week
ssh-keygen -s admin_service_host_ed25519_key \
  -I alice-cert \
  -n alice \
  -V +1w \
  alice_key.pub
```
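As an added illustration (not Topaz code), this shows which fields of the OpenSSH user certificate produced above the admin service would check against the key at `key_path`: `parse_cert` decodes the `ssh-ed25519-cert-v01@openssh.com` wire format and `authorize` applies the CA, principal and validity checks. The signature itself is verified by the SSH library before these checks run, and the certificate and CA bytes are constructed for the example, not real key material.

```python
import struct

def _s(b: bytes) -> bytes:                 # SSH "string": uint32 length + bytes
    return struct.pack(">I", len(b)) + b

class _Reader:                             # sequential decoder for SSH wire types
    def __init__(self, data: bytes):
        self.data, self.pos = data, 0
    def uint(self, fmt: str) -> int:       # fmt ">I" (uint32) or ">Q" (uint64)
        self.pos += struct.calcsize(fmt)
        return struct.unpack_from(fmt, self.data, self.pos - struct.calcsize(fmt))[0]
    def string(self) -> bytes:
        n = self.uint(">I")
        self.pos += n
        return self.data[self.pos - n:self.pos]

def parse_cert(blob: bytes) -> dict:
    """Decode an ssh-ed25519-cert-v01@openssh.com certificate into its fields."""
    r = _Reader(blob)
    cert = {"format": r.string().decode(), "nonce": r.string(), "key": r.string(),
            "serial": r.uint(">Q"), "type": r.uint(">I"), "key_id": r.string().decode()}
    pr = _Reader(r.string())               # principals are a nested list of strings
    cert["principals"] = []
    while pr.pos < len(pr.data):
        cert["principals"].append(pr.string().decode())
    cert["valid_after"], cert["valid_before"] = r.uint(">Q"), r.uint(">Q")
    r.string(); r.string(); r.string()     # critical options, extensions, reserved
    cert["ca_key"] = r.string()            # public key of the CA that signed the cert
    cert["signature"] = r.string()
    return cert

def authorize(cert: dict, ca_key: bytes, user: str, now: int):
    """Checks applied after the SSH library verified the signature; None = accept."""
    if cert["type"] != 1:                  # 1 = user certificate, 2 = host certificate
        return "not a user certificate"
    if cert["ca_key"] != ca_key:           # must be the key configured as key_path
        return "signed by a different CA"
    if user not in cert["principals"]:     # the -n alice given at signing time
        return f"{user} is not a listed principal"
    if not cert["valid_after"] <= now < cert["valid_before"]:   # the -V +1w window
        return "outside validity window"
    return None

# Constructed sample values, not real key material: CA key blob and a one-week cert for alice
CA_KEY = _s(b"ssh-ed25519") + _s(b"\x01" * 32)
ISSUED = 1_700_000_000
ALICE_CERT = (_s(b"ssh-ed25519-cert-v01@openssh.com") + _s(b"\x00" * 32) + _s(b"\x02" * 32)
              + struct.pack(">QI", 1, 1) + _s(b"alice-cert") + _s(_s(b"alice"))
              + struct.pack(">QQ", ISSUED, ISSUED + 7 * 86400) + _s(b"") * 3
              + _s(CA_KEY) + _s(b"\x03" * 64))
```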
Now Alice can invoke admin commands over SSH, using the command structure `admin <plugin-name> <command>`.
The planned commands are:
```sh
ssh -i alice_key -p 2222 alice@localhost admin boltdb stats
ssh -i alice_key -p 2222 alice@localhost admin boltdb backup
ssh -i alice_key -p 2222 alice@localhost admin boltdb sync
```
- stats: dump data store statistics.
- backup: initiate a backup, saved to a location defined in the data store plugin configuration block.
- sync: if data synchronization is enabled, this triggers an on-demand (pull) sync. Previously this was only possible via the Aserto Control Plane.
The command set will be fixed, and there is no interactive shell.
Looking forward to everyone's input and feedback!