MSC4124: Simple Server Authorization #4124
Conversation
Gnuxie
changed the title
turt2live
added
requires-room-version
We now only allow one knock ever per server and these should only refrence the `m.room.create` event. matrix-org#4124 (comment)
| The intent of the event is to only let the room administrators | ||
| explicitly aware of the server's existence. | ||
|
|
||
| ### The `make_server_knock` handshake |
There was a problem hiding this comment.
If someone can find a way to avoid the handshake, that would be great.
The only reason why it is included is because we use the signing of the m.server.knock template to verify the origin of the event. And it stops other servers creating m.server.knock events for servers that do not exist or servers that are not wanting to send a knock event to the room.
| ### Mismatch with `m.room.power_levels` | ||
|
|
||
| There is an argument to be made that the ability to manage | ||
| `m.server.participation` should not be flat in the way that | ||
| `m.room.server_acl` is. Consider Alice being the room creator | ||
| and Bob being an admin. Bob could create an `m.server.participation` | ||
| event that denies Alice's server from participating, even if Alice | ||
| is the same or a higher power level. |
There was a problem hiding this comment.
It's unclear to me how to deal with this, considering there is no conception of server power or authority, unlike in previous proposals. It initially seems very complicated to map user power level back to servers, but thinking about it, it could be done.
You could take the power level event, and map each user to a server and work out what the server's highest ambient power level is.
| This MSC proposes simple authorization rules that consider the origin | ||
| server of a given event, with the aim of replacing `m.room.server_acl`. |
There was a problem hiding this comment.
This could do with a paragraph or two before this one which describes how server ACLs work today, and why they're insufficient.
For example:
[Server ACLs] in Matrix operate as a network firewall described by the room, requiring participation from all joined servers to be fully enforced. As they are not applied to the room model though, leaks can occur where a server not enforcing the ACLs (typically due to simply not implementing them) "pulls" events from banned servers into the room via
prev_events. When an event referencing the banner server's events is sent over federation, the remote servers in turn fetch the banned events and present them to users.Workarounds currently include banning/kicking all users from a banned server, and monitoring for leaks to potentially ban servers not enforcing the ACLs. These solutions require a room moderator to be highly knowledgeable on how ACLs actually work, which is rarely the case.
There was a problem hiding this comment.
I have now added a giant context section, but maybe this section should be moved to matrix-org/matrix-spec#928? what do you think?
There was a problem hiding this comment.
I think that the section should be moved to the issue because it's independent to the proposal, but the proposal should be modified to keep referring back to it. But I want to hear from you before I do that.
There was a problem hiding this comment.
Proposals should have enough context to be understood in isolation, as issues may be edited or mutated after the MSC is accepted. #4126 is an example for incorporating issue context into the proposal.
There was a problem hiding this comment.
Ok, in that case I will add each point to the issue and make a shorter reference to them.
| This MSC was also created in reaction to [MSC2870](https://github.com/matrix-org/matrix-spec-proposals/pull/2870), | ||
| that describes itself as stop gap to cover what the MSC has described | ||
| short comings of `m.room.server_acl`. We also agree that MSC2870 is | ||
| a stop gap and that the `m.room.server_acl` has severe shortcomings, | ||
| but we take the view that after 4 years of proposed stop-gaping, | ||
| there is enough time to introduce a more complete solution. |
There was a problem hiding this comment.
The language around MSC2870 here feels a bit strong. I'd suggest something along the lines of this:
| This MSC was also created in reaction to [MSC2870](https://github.com/matrix-org/matrix-spec-proposals/pull/2870), | |
| that describes itself as stop gap to cover what the MSC has described | |
| short comings of `m.room.server_acl`. We also agree that MSC2870 is | |
| a stop gap and that the `m.room.server_acl` has severe shortcomings, | |
| but we take the view that after 4 years of proposed stop-gaping, | |
| there is enough time to introduce a more complete solution. | |
| [MSC2870](https://github.com/matrix-org/matrix-spec-proposals/pull/2870) | |
| describes a mechanism to help prevent rooms from breaking when a | |
| room moderator redacts a server ACL event, and notes that such a | |
| mechanism should be considered temporary until another MSC can replace | |
| the server ACLs system with something more built into the room model. | |
| This MSC is one variation on that future proposal. |
| Related issues: | ||
| - https://github.com/matrix-org/matrix-spec/issues/928 | ||
|
|
||
| ## Proposal |
There was a problem hiding this comment.
Overall I think some sequence diagrams and example events would be helpful here. It's not clear to me what causes a server to try knocking (is it based on user action? which actions?), or how the various events really interact with each other.
There was a problem hiding this comment.
Yes, that's a really good idea, I'll try find the way other MSCs embed diagrams
There was a problem hiding this comment.
I've added diagrams for room creation and joining a room, are there any other scenarios you think will be helpful to show on a diagram?
There was a problem hiding this comment.
The diagrams look like a great start, thank you! Could we get some examples of what the flows look like when the knock rule isn't passive?
Separately, some words on what Bob's user experience looks like would be good. This won't be a normative section, but helps ensure the proposal has considered user impact in its decisions.
| ### Problem: size limit | ||
|
|
||
| It is theorized by me completely from thin air that the server ACL | ||
| event can contain roughly `512` entries before a limit to the | ||
| event size is reached. A survey of #matrix-org-coc-bl:matrix.org | ||
| suggests that most ACL events contain `150`~ deny entries. | ||
| However, there have been unstable periods in Matrix's history | ||
| due to vulnerability of servers where the number of deny entries | ||
| has been much greater. For example, Synapse previously had weak | ||
| registration requirements by default that was exploited in a major | ||
| incident. There could be a need to protect rooms from vulnerable | ||
| servers again in the future. |
There was a problem hiding this comment.
@tulir said
that size limit section is wrong
64kb / 20 bytes per server = 3k
or if someone attacked the system with max length domains (63 bytes + tld = 75 or so in total) the limit would be 873
Rendered
Signed-off-by: Gnuxie [email protected]