Change Details

Once [[ https://phabricator.wikimedia.org/T206010 | questions about the external interface have been answered ]], we'll need to plan the remainder of the implementation, including the use of technologies, and operational semantics. ## Mediawiki Integration Mediawiki supports plugging of session persistence using a `BagOStuff` implementation, and there already exists a [[ https://doc.wikimedia.org/mediawiki-core/master/php/classRESTBagOStuff.html | `RESTBagOStuff` ]], (apparently [[ https://gerrit.wikimedia.org/r/#/c/mediawiki/core/+/293554 | created for this purpose ]]). The only issue with [[ https://doc.wikimedia.org/mediawiki-core/master/php/classRESTBagOStuff.html | `RESTBagOStuff` ]] is that it uses PHP's [[ https://secure.php.net/manual/en/function.serialize.php | serialize() ]] and [[ https://secure.php.net/manual/en/function.unserialize.php | unserialize() ]] for the body of `PUT` and the response of `GET` respectively, and we have specified JSON. Options include: Updating the existing implementation as a breaking change, update the existing implementation to support optional (configurable) JSON encoding, or creating another implementation based on [[ https://doc.wikimedia.org/mediawiki-core/master/php/classRESTBagOStuff.html | `RESTBagOStuff` ]]. ## Replication semantics Based on the requirements for session storage, we should be able to assume in all cases that `GET` and `PUT` use Cassandra's `ConsistencyLevel.LOCAL_QUORUM` and that `DELETE` uses `ConsistencyLevel.EACH_QUORUM`. NOTE: The software created to implement this will be a very straightforward key-value implementation, likely applicable to other use-cases in the future, not all of which will necessarily be satisfied by these semantics. However, rather than generalize this now (either through configuration, or per-request parameters), we will define these as constants, and revisit when/if a future use-cases arise. ## Technology It's worth considering whether the presumably default choice here, namely Javascript/NodeJS, is right for this use-case. The raison d'etre for this service is session storage, so security is paramount. With NodeJS, the only practical source of dependencies is http://npmjs.org. Dependencies, both those explicitly declared, as well as those that are transitive, are fetched whenever `npm install` is invoked, and there is no chain of trust. These dependencies -- the entire contents of `node_modules/` -- are as much a part of our production applications as any that we write, yet despite the time, care, and effort we put into reviewing even the smallest of changes to our code bases, the contents of `node_modules/` remain opaque to us. A saner approach for something so security critical, would be to prioritize a manageable list of dependencies that can be sourced entirely from within our current version of Debian. During a meeting on session storage, the following criteria were suggested as a way of evaluating technologies: - availability of debian-sourced dependencies - tooling - ease of coding - complexity of front-end set-up - compatibility with cassandra and stability of driver | | Debian-sourced dependencies | Tooling | Ease of coding | Operational complexity | Cassandra driver | | ---- | ---- | ---- | ---- | ---- | ---- | | Javascript/Nodejs | No | Service runner, template, etc | Very | Webserver embedded | Good (via npmjs.org, //!!not in Debian!!//) | | PHP | Possibly, sort of (if package in Sid is fixed and uploaded to backports) | ??? | Very | FastCGI integrated w/ Nginx/Apache(?) | Good; //!!Only present in unstable ([[ https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=865271 | and it is broken ]])!!// | | Python | Yes | Django, Falcon, Flask, etc | Very | | Good; v3.7.1 in Stretch (v3.14.0 in Sid) |

Once [[ https://phabricator.wikimedia.org/T206010 | questions about the external interface have been answered ]], we'll need to plan the remainder of the implementation, including the use of technologies, and operational semantics. ## Mediawiki Integration Mediawiki supports plugging of session persistence using a `BagOStuff` implementation, and there already exists a [[ https://doc.wikimedia.org/mediawiki-core/master/php/classRESTBagOStuff.html | `RESTBagOStuff` ]], (apparently [[ https://gerrit.wikimedia.org/r/#/c/mediawiki/core/+/293554 | created for this purpose ]]). The only issue with [[ https://doc.wikimedia.org/mediawiki-core/master/php/classRESTBagOStuff.html | `RESTBagOStuff` ]] is that it uses PHP's [[ https://secure.php.net/manual/en/function.serialize.php | serialize() ]] and [[ https://secure.php.net/manual/en/function.unserialize.php | unserialize() ]] for the body of `PUT` and the response of `GET` respectively, and we have specified JSON. Options include: Updating the existing implementation as a breaking change, update the existing implementation to support optional (configurable) JSON encoding, or creating another implementation based on [[ https://doc.wikimedia.org/mediawiki-core/master/php/classRESTBagOStuff.html | `RESTBagOStuff` ]]. ## Replication semantics Based on the requirements for session storage, we should be able to assume in all cases that `GET` and `PUT` use Cassandra's `ConsistencyLevel.LOCAL_QUORUM` and that `DELETE` uses `ConsistencyLevel.EACH_QUORUM`. NOTE: The software created to implement this will be a very straightforward key-value implementation, likely applicable to other use-cases in the future, not all of which will necessarily be satisfied by these semantics. However, rather than generalize this now (either through configuration, or per-request parameters), we will define these as constants, and revisit when/if a future use-cases arise. ## Technology The proposed system is simple enough that it could easily be created using any number of languages and/or frameworks. Given the common choices for similar or related projects at the WMF, we can probably narrow the choices to Javascript/NodeJS, Python, and PHP. ### Javascript/Nodejs The raison d'etre for this service is session storage, so security is paramount. However, with NodeJS, the only practical source of dependencies is http://npmjs.org. Dependencies, both those explicitly declared, as well as those that are transitive, are fetched whenever `npm install` is invoked, and there is no chain of trust. These dependencies -- the entire contents of `node_modules/` -- are as much a part of our production applications as any that we write, yet despite the time, care, and effort we put into reviewing even the smallest of changes to our code bases, the contents of `node_modules/` remain opaque to us. A saner approach for something so security critical, would be to prioritize a manageable list of dependencies that can be sourced entirely from within our current version of Debian (Stretch). ### Python ### PHP ---- | | Debian-sourced dependencies | Tooling | Ease of coding | Operational complexity | Cassandra driver | | ---- | ---- | ---- | ---- | ---- | ---- | | Javascript/Nodejs | No | Service runner, template, etc | Very | Webserver embedded | Good (via npmjs.org, //!!not in Debian!!//) | | PHP | Possibly, sort of (if package in Sid is fixed and uploaded to backports) | ??? | Very | FastCGI integrated w/ Nginx/Apache(?) | Good; //!!Only present in unstable ([[ https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=865271 | and it is broken ]])!!// | | Python | Yes | Django, Falcon, Flask, etc | Very | | Good; v3.7.1 in Stretch (v3.14.0 in Sid) |

Once [[ https://phabricator.wikimedia.org/T206010 | questions about the external interface have been answered ]], we'll need to plan the remainder of the implementation, including the use of technologies, and operational semantics. ## Mediawiki Integration Mediawiki supports plugging of session persistence using a `BagOStuff` implementation, and there already exists a [[ https://doc.wikimedia.org/mediawiki-core/master/php/classRESTBagOStuff.html | `RESTBagOStuff` ]], (apparently [[ https://gerrit.wikimedia.org/r/#/c/mediawiki/core/+/293554 | created for this purpose ]]). The only issue with [[ https://doc.wikimedia.org/mediawiki-core/master/php/classRESTBagOStuff.html | `RESTBagOStuff` ]] is that it uses PHP's [[ https://secure.php.net/manual/en/function.serialize.php | serialize() ]] and [[ https://secure.php.net/manual/en/function.unserialize.php | unserialize() ]] for the body of `PUT` and the response of `GET` respectively, and we have specified JSON. Options include: Updating the existing implementation as a breaking change, update the existing implementation to support optional (configurable) JSON encoding, or creating another implementation based on [[ https://doc.wikimedia.org/mediawiki-core/master/php/classRESTBagOStuff.html | `RESTBagOStuff` ]]. ## Replication semantics Based on the requirements for session storage, we should be able to assume in all cases that `GET` and `PUT` use Cassandra's `ConsistencyLevel.LOCAL_QUORUM` and that `DELETE` uses `ConsistencyLevel.EACH_QUORUM`. NOTE: The software created to implement this will be a very straightforward key-value implementation, likely applicable to other use-cases in the future, not all of which will necessarily be satisfied by these semantics. However, rather than generalize this now (either through configuration, or per-request parameters), we will define these as constants, and revisit when/if a future use-cases arise. ## Technology It's worth considering whether the presumably default choice here, namely Javascript/NodeJSThe proposed system is simple enough that it could easily be created using any number of languages and/or frameworks. Given the common choices for similar or related projects at the WMF, is right for this use-case. The raison d'etre for this service is session storagewe can probably narrow the choices to Javascript/NodeJS, Python, so security is paramountand PHP. W### Javascript/Nodejs The raison d'etre for this service is session storage, so security is paramount. However, with NodeJS, the only practical source of dependencies is http://npmjs.org. Dependencies, both those explicitly declared, as well as those that are transitive, are fetched whenever `npm install` is invoked, and there is no chain of trust. These dependencies -- the entire contents of `node_modules/` -- are as much a part of our production applications as any that we write, yet despite the time, care, and effort we put into reviewing even the smallest of changes to our code bases, the contents of `node_modules/` remain opaque to us. A saner approach for something so security critical, would be to prioritize a manageable list of dependencies that can be sourced entirely from within our current version of Debian (Stretch). During a meeting on session storage, the following criteria were suggested as a way of evaluating technologies:### Python - availability of debian-sourced dependencies - tooling - ease of coding - complexity of front-end set-up - compatibility with cassandra and stability of driver### PHP ---- | | Debian-sourced dependencies | Tooling | Ease of coding | Operational complexity | Cassandra driver | | ---- | ---- | ---- | ---- | ---- | ---- | | Javascript/Nodejs | No | Service runner, template, etc | Very | Webserver embedded | Good (via npmjs.org, //!!not in Debian!!//) | | PHP | Possibly, sort of (if package in Sid is fixed and uploaded to backports) | ??? | Very | FastCGI integrated w/ Nginx/Apache(?) | Good; //!!Only present in unstable ([[ https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=865271 | and it is broken ]])!!// | | Python | Yes | Django, Falcon, Flask, etc | Very | | Good; v3.7.1 in Stretch (v3.14.0 in Sid) |