Add capability for op-level security overrides?
ouroborus opened this issue · 24 comments
Description
I'd like to see ops able to access AE2 networks regardless of how players have configured an ME Security Terminal.
More generally, I'd like a configurable global security override system.
Environment
- Minecraft Version: 1.12.2
- AE2 Version: rv5-stable-3
- Forge Version: 14.23.1.2570
To stave off the many incoming posts...
Please provide a use case where this is needed that does not already have an in game work around. Realize that as OP you can still see into a network just not remove items. (That might have changed since 1.7.10 though)
Diagnosing a player's AE2 network that was causing the server CPU to peg the needle. I could break cables but couldn't place them so I was unable to easily repair what was supposed to be a temporary test.
Remove the security station, or add yourself to the security station.
Also, duplicate of #523
That might actually be the first somewhat valid case for it.
But then it's a completely wrong approach to solve the issue. You should really profile the server in these cases. Either by attaching a remote debugger or using something like the sampler mod. That is the only chance to let us analyse it and ideally provide a permanent solution for it.
Starting to dismantle the network only solves the urgent issue until it appears again (and again).
Cutting the whole network is probably the best temporary solution and afterwards working together with the player should be the fastest way to identify the issue.
If they aren't available for a long time, just break the security terminal, a small price to pay when affecting the server in a negative way. Also, breaking the connection to the terminal will remove the protection from the network, while still allowing you to reattach the terminal later, as it will only protect it when being powered, which only happens after reconnecting it and restoring the original owner.
How can I add myself to the security station if I'm unable to access it due to security?
If I remove the security station, how would I replace it with its original configuration? (Note that I would be the owner of the security station, if I placed it, rather than the original player.)
I read through #523. Apparently @AlgorithmX2 had plans to add a console command to access a terminal but there was no followup on this in the thread and I don't see such a command.
If a player is an OP, they should always have absolute control over their server. (One can liken this to root access on Linux.) Subverting this undermines their ability to properly administer their server.
As said. Break the cable providing power to the security terminal. No need to add yourself to it. The tools are available. But if you choose to ignore them, it is not our problem.
Certainly finding the terminal might be a bit difficult. But that is something which should be provided by an admin mod, better even by forge/minecraft itself. Locating arbitrary TEs is simply a necessity for admins in general.
Even if we ever add a command, it will require some disclosure for the users. E.g. a warning that their network was compromised by an op and something like an insert-only functionality for ops using a security terminal. So finding them is still required. The security system is simply too tightly coupled into everything else and not a simple bypass of something like a bag. It can easily lead to dupes should a network act as op due to being owned by one. Thus we also have to balance between adding a few seconds of overhead for admins or allowing obscure dupes. I'd say most admins will prefer the safer option.
Also the comparison with root access is somewhat wrong. Having root/admin rights won't allow decrypting encrypted user files. You might get lucky and use some tools to find the private key or passphrase. Otherwise your root privileges are limited to nuking the file itself, but not reading the contents.
There's no cable when the security terminal is attached directly to the controller. Generally, it's possible to arrange, even accidentally, an AE2 system where breaking the security terminal is the only way to access the system. Breaking the security terminal leaves the system open to other, non-OP players.
Thanks to following proper object-oriented coding practices, adding OP override appears as simple as modifying `SecurityCache.hasPermission`. Even disclosure can be triggered here as a kind of pending event and then dispatched, in some other code, to the owning player online or held until later when the owning player becomes available. (Now that I look at it, it seems do-able to override the whole security system however one sees fit via a server-side-only AE2 add-on mod.)
As is typical of analogies, it only goes so far. My opinion is that players shouldn't be able to hide their activities from or defy OPs.
For the specific issue I was trying to diagnose, it was some odd interaction involving at least export buses, a storage bus, and an empty, large colossal chest. My server usually sits around 60% CPU. With whatever was going on, CPU would rise to 100% with "can't keep up" skipping about 60 ticks at a time. I'm unable to reproduce the issue with just those parts so there's something else involved but the network is complex enough that I'm unable to figure out what else is involved. My gut instinct was that the colossal chest was somehow the main cause due to its voluminous interior but my own network also has one of the same size and doesn't suffer this problem. Removing the chest, the storage bus, or the export buses fixed the issue. The particular player has a habit of building working networks, AE2 or otherwise, by sheer perseverance rather than understanding.
Given all of that it seems unlikely that reporting this specific issue is going to achieve anything other than having the issue closed as, at best, unreproducible and, at worst, "not my problem".
This whole thing wouldn't have been as much of a problem as it was if security could be turned off without breaking wireless access (while the security terminal returns once security is turned back on, it loses all of its settings including stored biometric cards and owner; ideally, turning off security would mean just ignoring permissions and letting everything through rather than removing security terminals) or if OPs had carte blanche in regards to AE2 security.
@yueh Haven't seen any non-subpar suggestions. So far we have "break a different thing that can't be easily restored to original condition" and "do these things that will bring your server to a crawl" (profiling/debugging). I'm not sure why needing players' virtual thing-a-ma-bobs secure against OPs is even a concern.
@bookerthegeek You said "add yourself to the security station". How, exactly, do you do that? As far as I can tell, you can't access the terminal without permissions in the first place. You also can't change the NBT data on an attached security console via `/blockdata`.
I've re-read this issue discussion and it seems like the main roadblock for implementing this is no time for what is perceived as a complex change with little return. If you're willing to entertain PRs relating to implementing OP override, I'm willing to give it a shot.
Closing for now, as the risk of running machines as op is simply not worth taking for some very minor inconveniences in some subpar approaches.
A possible solution would be to allow OPs to easily add (and only add) themselves to players' security stations (via automatically generating a card). This way it's also transparent for the player (he knows an OP has messed with his stuff). A general "allow for OP" is not practical as you lose the ability to fine-tune networks when you play as OP yourself.
May need some thought, but this is probably the way to go if we implement this.
I was able to put together a mod that lets OPs override AE2 security. Despite never having written a minecraft/forge mod before, I didn't find it particularly difficult.
I would still prefer that this capability was built in.
I'm honestly aghast that this is even being considered as a non-feature, let alone defended over and over as one. I really don't think you should be letting personal vendettas against authority get in the way of a standard feature. You guys seem like professionals.
That being said, did you post your mod anywhere @ouroborus ? I don't see a curseforge member under that name nor could I find a related repo. Would it be feasible for you to integrate it into AE for a PR for the devs? Did you thoroughly test it and make sure it didn't break anything?
Edit: and for the sake of posterity, I came across this issue because I was attempting to research a bug that I cannot recreate by myself. A user gave away their base when they quit and the new user took over their Network. They claim that replacing the security terminal with their own caused a ton of drives to pop off (literally every single drive of around 80+ are MIA). I found four interfaces with recipes on the ground while investigating and noticed that all of their long distance lines are broken at multiple points along the route. Almost or exactly no devices were connected. I was going to attempt to connect some of their devices to their current network and replace their security with my own, but despite being op I could not do that. I'm not sure how else to troubleshoot that solo. At least tomorrow I can recruit help. I'm not trying to report that issue, but I don't know how else I could have possibly recreated that environment solo without being able to override their security, at least temporarily, without removing their security.
> I don't see a curseforge member under that name nor could I find a related repo

He cannot, because he requires permission to do so; the same goes for handing out any binary or precompiled stuff to you.
@nullKomplex If someone would step up and provide a PR, we will gladly accept it. It just has to fit our requirements. We can't simply accept something on the premise of "It does work for me, but breaks for everyone else". E.g. something like fscan suggested would be totally fine (which is basically the idea we did have internally). But as no one ever made an actual PR or even a proposal for it, I would say there is not that much demand for it actually.
The effort for it is simply disproportionate to the saved time. E.g. I did encounter a single issue where it would actually be beneficial. But only in the range of saving maybe 2 minutes from 3-4 hours in total.
And it can easily cost us a day or two to actually implement and test to ensure it does not have some severe side effects. That time can simply be invested into something affecting way more users.
@mindforger I believe LGPL or MIT grants me that permission depending on what I'm linking to.
@nullKomplex I haven't published my mod. It's a lot of hacky nonsense and I'm not interested in maintaining it any more than what is necessary to use it on my own server. I'll see about putting up a repository for it so you can at least peruse it if you wish.
@yueh I know this is an old issue, and one that has been gone over many a time. But I did have an idea that might resolve the issue for you?
First, I do understand your concerns (They have been gone over plenty of times before in other posts). It seems from a lot of things I have read that many of the complaints revolve around the admin's ability to physically troubleshoot a network by narrowing down the parts that are causing a negative server impact by disconnecting that part of the network. I know that this is not a perfect way to solve problems, but on many of the medium to larger networks, Admins do not have the ability (either access to console or just the knowhow) to run a java profiler. Therefore the only way to troubleshoot is in game, as less than ideal as it is.
Why not a slight compromise? You do not want players, even server staff (Which I agree with), to have total access to a network. Fine, there is no need for this use case. BUT a creative only item, usable only while in creative, that when right clicked on a part of the network (Other than the security terminal) turns that particular part off or removes it from the map of the network. Another right click would turn it back on.
As soon as that happens, the server adds a message to all the owners of the security station that the network was fiddled with, and everything can be turned back on with a simple right click by either the admin who did the turn off bit or the owner of the network (Or some other mechanic).
This would allow...
- Staff of the server who already have access to creative to disable parts of it for troubleshooting.
- These players would already have access to creative, and have to be in creative to use the tool
- The player would easily be able to fix the entire network in one go.
As for notification, a right-click in the security station that created a book with a log of the actions, and who did it, would allow the operations to be visible to the player, as this is for network troubleshooting. Just a thought.
Thank you for your hack @ouroborus . Unfortunately I don't think the method you used would be able to recreate the environment necessary to troubleshoot what I was investigating without enlisting the help of another player (like I'd have to do without your hack anyway), but on the bright side it appears to have been a farce and another user merely stole the drives lol. Still doesn't explain the 4 interfaces that popped off and the dozens of gaps between lengths of cables, but such a small bug that has only occurred once and in a scenario I've only ever heard of this once isn't worth investigating if I don't have the means to do so by myself via being an op.
Edit: it actually just occurred to me I could attempt to test it in reverse by moving their security terminal off, putting my own on (this is all assuming I can move them in the first place), fixing the now broken parts of the network, and then moving mine off and putting theirs back on. I simply intended to patch up their network without changing security settings, at least not yet anyway, but that silly workaround might just work. Though I would also be using slightly different steps to recreate, which could cause nothing to occur when something normally would have.
> ... the admin's ability to physically troubleshoot a network by narrowing down the parts that are causing a negative server impact by disconnecting that part of the network. I know that this is not a perfect way to solve problems, ...

In no way is this any solution. Admins/players will just turn it off, forget it and it won't ever reach us to actually investigate and potentially fix it. Not reporting stuff because someone thinks that was just a one-off issue, it was already reported, I do not want to bother them, or similar is the rule and not the exception. As long as there is no automatic way to obtain crash/profiling reports, having a hard counter at least ensures to some degree that we will get a report about it.
> ... Admins do not have the ability (either access to console or just the knowhow) to run a java profiler.

There is literally always the option to run a sampler. Maybe with the exception of some hosters only allowing their predefined mod packs. But why even use them, or at least escalate the issue to the hoster and have them deal with it.
Otherwise it is just unwillingness to actually learn how to administrate a server. I would not even have an issue to guide anyone into the right direction to learn it, if they actually want to. Just the issue tracker is the wrong place for it.
> Why not a slight compromise? ... (and the rest of it)

Simply no. It will take a ridiculous amount of time to implement it with practically no benefit at all. Or maybe something like saving 1 minute when dealing with some issue but as a tradeoff now having to waste hours to identify why a ME network suddenly dupes everything or acts completely different for each user. Most server admins simply do not understand that it is not as easy as allowing an OP to bypass something like a protected TE chest. So it is pretty pointless to even discuss it any further. Especially as there is at least one or two valid proposals on how to solve it without breaking everything, but these are mostly buried under new "ideas", complaints, etc.
@nullKomplex Forge is kinda prone to corrupting data since 1.7.10. It did get a bit better during 1.12, but I still would not fully trust it. As ME networks are essentially a stupidly large multiblock, it is way more prone to it. While it usually might reset an unused/empty furnace or similar and these are probably never noticed, AE will suddenly start to disassemble parts of the network due to it and thus is way more noticeable. If you even add Sponge on top, it's pretty much guaranteed to be a constant issue as they tend to break it even more.
The best option would be to spend the 10 minutes it would take to add and test (compile/load times not included) #3294 (comment) instead of the literal hours you'll spend to implement and test your method. Seems weird that you're talking about it shortly after stating that RoI was a limiting factor. Lower return and way more investment. Not to mention extra inconvenience for each admin. I don't know what your deal is.
@yueh You've said you'd be willing to accept a PR for this feature. Specify the requirements and then the community can get to work on it.
As said, fscan's comment is basically our internal idea for it. But it needs some further work, e.g. there are still cases it would not cover, it still requires locating the terminal, and so on. It would pretty much only cover the situation if the terminal is directly attached to a controller and breaking the controller would shut down the whole system and there is nothing available to move TEs. Otherwise breaking the cable next to it or moving it away is pretty much equal in terms of effort.
But it's pretty much the only option to directly add a card to a security terminal to avoid potential issues. And no, something like right clicking the controller/network with a card won't work. While only one terminal will be used as source, there can be multiple ones on the network without any real way to tell which one is responsible. So it would be a nice way to have admins dupe stuff for players on request, would they be added to all.
Further it would still be too much effort for something as simple as looking at an export bus and whether it is set to autocraft some really complex items using consumable items. Which should not need any interaction with the terminal. It should just allow read only access for anyone, as it would also be nice to let players look at other builds and see how they are configured, to use it for their own builds. Should it actually be an issue, that bus can simply be removed without touching the security terminal ever. Which would reduce the need to actually touch it to some very specific cases like profiling certain crafting jobs, as they will require specific rights (except if we simply allow anyone to start a simulate, but not submit it). All without ever having to locate a security hidden in some random dimension.
The big problem here is that nothing like that is supported by the current GUI/Container code, which itself is already pretty messy and really needs a rewrite. Which suddenly opens so many possibilities, which I always wanted to add in terms of UI improvements, better integration for addons, not relying on magic etc. Designing this around a security model, which by default assumes read permissions for everything and only write access is handled by security terminals, is then pretty negligible. And it might even be an idea to allow multiple security providers, which would make it so much easier to share it across networks.
So for now, the best option would certainly be to allow ops to view the security terminal gui and insert their own card with basic permissions into it (but no security permission). So they cannot pull it back out and it would be left as hint for the actual owner. Something like a timestamp when each card was inserted would be nice. But that would certainly conflict with my idea for 1.13 in terms of performance/memory consumption. And it still wouldn't be that useful for many trivial cases.
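The two proposals in this thread (fscan's "OPs may add, and only add, a card for themselves" and yueh's refinement above: basic permissions only, no security permission, not removable by the OP, with an insertion timestamp as a hint to the owner) can be sketched as a small standalone model. The code below is an added illustration written for this discussion; it is not AE2 code and does not use AE2's API. The class names, the local `Permission` enum (its values mirror AE2's permission categories but are declared here for the demo) and the in-memory audit log are all assumptions. It shows why the design is safer than a blanket OP bypass: the override path can never hand out SECURITY, so an OP cannot remove their own card or anyone else's, and every use leaves a timestamped record the owner can read.

```java
import java.time.Instant;
import java.util.ArrayList;
import java.util.Collections;
import java.util.EnumSet;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;
import java.util.Set;
import java.util.UUID;

/** Toy model of the "OP may only add a card" proposal (Java 16+). Not AE2 code; all names are assumptions. */
public final class OpCardDemo {

    /** Permission categories for the demo; names mirror AE2's categories but this enum is local. */
    enum Permission { INJECT, EXTRACT, CRAFT, BUILD, SECURITY }

    /** The most an OP-inserted card may carry: everything except SECURITY. */
    static final Set<Permission> OP_ALLOWED =
            EnumSet.of(Permission.INJECT, Permission.EXTRACT, Permission.CRAFT, Permission.BUILD);

    /** A card records who it is for, what it grants, who inserted it and when (the "timestamp hint"). */
    record BiometricCard(UUID player, Set<Permission> permissions, UUID insertedBy, Instant insertedAt) {}

    static final class SecurityStation {
        private final UUID owner;
        private final Map<UUID, BiometricCard> cards = new LinkedHashMap<>();
        private final List<String> auditLog = new ArrayList<>();

        SecurityStation(UUID owner) { this.owner = owner; }

        /** The owner always passes; everyone else needs a card that carries the permission. */
        boolean hasPermission(UUID player, Permission p) {
            if (player.equals(owner)) return true;
            BiometricCard card = cards.get(player);
            return card != null && card.permissions().contains(p);
        }

        /** Normal path: adding any card requires SECURITY, which only the owner (or a delegate) holds. */
        boolean addCard(UUID actor, UUID player, Set<Permission> perms) {
            if (!hasPermission(actor, Permission.SECURITY)) {
                log(actor, "DENIED add card for " + player + " (no SECURITY)");
                return false;
            }
            cards.put(player, new BiometricCard(player, EnumSet.copyOf(perms), actor, Instant.now()));
            log(actor, "added card for " + player + " with " + perms);
            return true;
        }

        /**
         * OP override path: an OP may insert a card for themselves only, never carrying SECURITY
         * and never replacing a card that is already present. The insertion is stamped and logged
         * so the owner can see the network was touched.
         */
        boolean addOpCard(UUID op, Set<Permission> requested) {
            if (!OP_ALLOWED.containsAll(requested)) {
                log(op, "DENIED op card with " + requested + " (SECURITY not allowed)");
                return false;
            }
            if (cards.containsKey(op)) {
                log(op, "DENIED op card: a card for this player already exists");
                return false;
            }
            cards.put(op, new BiometricCard(op, EnumSet.copyOf(requested), op, Instant.now()));
            log(op, "OP inserted own card with " + requested);
            return true;
        }

        /** Removal also needs SECURITY; an OP-inserted card never has it, so the OP cannot pull it back out. */
        boolean removeCard(UUID actor, UUID player) {
            if (!hasPermission(actor, Permission.SECURITY)) {
                log(actor, "DENIED remove card of " + player + " (no SECURITY)");
                return false;
            }
            boolean removed = cards.remove(player) != null;
            if (removed) log(actor, "removed card of " + player);
            return removed;
        }

        /** The owner's view of what happened, in insertion order. */
        List<String> auditLog() { return Collections.unmodifiableList(auditLog); }

        private void log(UUID actor, String what) {
            auditLog.add(Instant.now() + " " + actor + ": " + what);
        }
    }

    public static void main(String[] args) {
        // Constructed identities for the demo.
        UUID owner = UUID.nameUUIDFromBytes("owner".getBytes());
        UUID op = UUID.nameUUIDFromBytes("op".getBytes());
        SecurityStation station = new SecurityStation(owner);

        station.addCard(op, op, OP_ALLOWED);                               // normal path: refused, OP lacks SECURITY
        station.addOpCard(op, EnumSet.allOf(Permission.class));            // override path: refused, asks for SECURITY
        station.addOpCard(op, EnumSet.of(Permission.BUILD));               // override path: accepted, BUILD only
        station.hasPermission(op, Permission.BUILD);                       // now enough to place cables again
        station.removeCard(op, op);                                        // refused: the OP cannot cover their tracks
        station.removeCard(owner, op);                                     // the owner can clean up afterwards
        station.auditLog().forEach(System.out::println);
    }
}
```

Run with `java OpCardDemo.java` (single-file launch, Java 16 or newer). The point of keeping `addOpCard` separate from `addCard` rather than special-casing OPs inside `hasPermission` is the dupe concern raised above: no network machine ever evaluates "is OP" during normal operation, so a network owned by an OP behaves exactly like any other, and the only extra power an OP has is the one-way insertion of a basic card that the owner can see and revoke.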