Delivery report of the SteamWorks specifications for Crank and Shaft
InternetWide.org drives an ideology of a free and open, well-distributed Internet architecture. As part of our endeavour we work towards an architecture to distribute configuration information between independently operated parties.
Using the LDAP protocol
Most current technology is designed to work over web interfaces, and much to our surprise that includes topics of automation. Although it is one of those protocols that are not visible to the public, it drives a lot of infrastructure. It is the storage component for Active Directory, to name just one commonly known application.
The value of LDAP lies in its well-defined data structures and protocol. This enables users to go and fetch data across operational boundaries, because the remote party is bound to communicate in a standard manner. In comparison, the web lacks standardisation in many places that LDAP has solved: locations, searching, data structures, references between resources. All this has been solved and standardised in LDAP. This aids greatly to automatic retrieval of data.
The SteamWorks Project
The SteamWorks project aims to make configuration information easy to distribute across operational realms. For instance, one party could enter the configuration details and another could pickup on them. We don't really need to say what those details are; they are already standardised and may in fact be modified without breaking standards, simply by assigning unique numbers to the newly constructed data.
What SteamWorks adds is an architectural asset. It provides components to author, collect/redistribute and process the information in LDAP, because this is where LDAP infrastructure has traditionally been lacking in easily accessible functionality. The entire project aims for near-realtime distribution of information, so that central changes to configurations end up reconfiguring programs virtually immediately.
Crank is a data entry component, built for easy access from a web interface. Data entered is made available for immediate transmission to subscribing Shaft components. Aside from controlling the data, the Crank also makes access control easier to manage than "manually" in the configuration of a concrete LDAP product. The interface is suitable for integration with a web environment, since this part of SteamWorks does take manual input, and the web is very useful for that. see more info or read the spec
Shaft is a data collection and distribution component, whose goal it is to subscribe to Crank and Shaft components and get an integral local copy from various sources. Shaft is intended to cross over to other operation realms, and authenticate to a Crank or Shaft instance. The locally consistent state of various sources is integrated, and made available to subscribers as one whole. see more info or read the spec
One more component to come
There is one more component to follow as part of the SteamWorks, namely Pulley. This will be quite a surprise, because it will enable powerful queries against the Shaft, and impacting local programs to use the settings.
This mechanism is useful to a very broad audience, because it makes extraction and processing of information from LDAP doable without a background in LDAP. It will feature a scripting language which is highly intuitive, as well as geared with lots of plugins to get some real work done.
The future is smiling
Our current purpose and testbed implementations will be to support the TLS Pool with configuration information, such as certificate pinning or lower bounds to TLS algorithms. One central cockpit can be managed to impact lots and lots of servers and workstations, and get them to implement changed security requirements.
We see many more opportunities though. One would be to use SteamWorks in collaboration with FreeIPA, an identity platform that can be used to configure systems locally. At present, FreeIPA is geared towards identification of users and machines, but the same architecture might use SteamWorks to also impact applications such as web/mail/chat servers setup on a (potentially complex) network.
Work ahead
There certainly is work to do. We aim to have these components implemented in the months to come, and work them into our TLS Pool project. We will be reporting on progress on this channel, so don't zap away!
Go Top