I have scoured the docs and can't find a way to limit how much space in /var can be taken up by an app or a grain.I am trying to limit storage space by grain. Is this possible at present? Thanks!
--
You received this message because you are subscribed to the Google Groups "Sandstorm Development" group.
To unsubscribe from this group and stop receiving emails from it, send an email to sandstorm-de...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
Hmm, it sounds to me like what you really want is per-user quotas, like Oasis has, but in self-hosted Sandstorm. I would argue that you shouldn't be creating grains for specific friends, but rather giving them permission to create their own grains. At least, that's how Sandstorm is designed to work.
Maybe it would be reasonable to implement [per-user quotes on self-hosted Sandstorm] based on the same logic that displays the grain size in the top bar -- we could periodically query that size while the grain is running, and assume the last-observed size is accurate. This wouldn't be hack-proof, but probably your friends aren't going to implement elaborate hacks to fool your quota enforcement?
Now, one solution that would scale better for my obscure and seemingly odd anonymous-users-store-their-crap-on-my-server use case, as well as be much more broadly applicable to other Sandstorm users, would be to have passwordless logins via GPG-encrypted email! (In an issue you mention decentralized GPG login, which may be similar?)
Maybe it would be reasonable to implement [per-user quotes on self-hosted Sandstorm] based on the same logic that displays the grain size in the top bar -- we could periodically query that size while the grain is running, and assume the last-observed size is accurate. This wouldn't be hack-proof, but probably your friends aren't going to implement elaborate hacks to fool your quota enforcement?My friends wouldn't, I agree, but why wouldn't this be hack-proof? Just because of the time delay between that figure being updated?
Hmm, it sounds to me like what you really want is per-user quotas, like Oasis has, but in self-hosted Sandstorm. I would argue that you shouldn't be creating grains for specific friends, but rather giving them permission to create their own grains. At least, that's how Sandstorm is designed to work.Per-user quotas would solve the friend case, you're right.Retaining User AnonymityFor users that want high degrees of anonymity and don't want to connect via Google, via GitHub, nor have unencrypted emails flowing from my server through Sendgrid/Mailgun/Mandrill to their email provider, it's hard to beat handing out API keys via some encrypted channel.Now, one solution that would scale better for my obscure and seemingly odd anonymous-users-store-their-crap-on-my-server use case, as well as be much more broadly applicable to other Sandstorm users, would be to have passwordless logins via GPG-encrypted email! (In an issue you mention decentralized GPG login, which may be similar?)In that case there would still be a record of who has an account on my Sandstorm installation (by email), but that's not so bad. Plus, everyone has email, but not everyone has GitHub or Gmail.Note that GPG-encrypted email invites are not as important, because at /admin/invites I can create a link and GPG-encrypt it myself, unlike passwordless login emails, and that invitation process is manual anyway (for me, the administrator), also unlike passwordless login emails.So, long story longer, having per-user storage quotas + passwordless logins via GPG-encrypted email would rock, for both usability and privacy reasons; users could then use Sandstorm as designed, and avoid having to create GitHub or Gmail accounts, as well as avoid having GitHub or Google know they have an account on my server and know every time they log in.
Maybe a shorter-term compromise would be for you to set up an LDAP server with usernames and passwords. We'll be adding LDAP login soon, as part of "Sandstorm for Work". Assuming your use case isn't profit-oriented, I'd be happy to give you a free feature key to unlock this feature (or you could build from source and remove the feature key check, but then you don't get auto-updates).
If you can deal with the following:- Sandstorm sends a "passwordless login email" to the person, and- A somewhat simplistic piece of software (e.g. Python script, ~100 line go program) receives the mail and GPG encrypts it to the recipient, and- Only then does the email pass into the normal email network......then this is something that the Tor Project also wants for https://storm.torproject.org/ , which is their Sandstorm server. You'd have to have a config file or similar for what keys to trust, and there might be some other wrinkles, but it seems to me that's doable outside of Sandstorm, and if you were to make that, I think it would solve your problem!What do you think? Possibly interested in making it happen? (-:
The easiest way to do this, in my opinion, is to set SMTP_URL in Sandstorm to a SMTPd that is a (e.g.) Python script that listens on SMTP.
Or, maybe it GPG-encrypts all mails to the recipient if it has the keys.In that case, you could manage this tool and its configuration entirely outside Sandstorm.
Personally, I like that because it means that we aren't a showstopper for this tool working; you can create it and document how to integrate it without waiting for us to do anything.What do you think?
set SMTP_URL in Sandstorm
The easiest way to do this, in my opinion, is to set SMTP_URL in Sandstorm to a SMTPd that is a (e.g.) Python script that listens on SMTP.That sounds awesome aside from having this fresh new SMTP server being considered spam my Google and Yahoo and everyone else's servers... but it could almost pretend to be an SMTP server and really send encrypted emails to SendGrid/Mandrill/etc to really send them.
Or, maybe it GPG-encrypts all mails to the recipient if it has the keys.In that case, you could manage this tool and its configuration entirely outside Sandstorm.Even aside from the not-needing-Sandstorm-integration-per-se aspect, GPG-encrypting all mails "if it has the keys" sounds really promising and simple. My only concern there are bugs where maybe someone's email is stored as firstnam...@gmail.com and then it's also referenced as firstname.last...@gmail.com -- with the dot -- which isn't picked up by the script, and then a plaintext email is sent.If there's a setting somewhere which says that all emails to a certain user must be encrypted... well, but the above bug would cause problems here, too.Actually, for the very sensitive use cases I have in mind, it'd be better to only send the person a passwordless login email if it has their GPG key, else it returns an error saying it can't log them in without their key.GPG or bust.
Personally, I like that because it means that we aren't a showstopper for this tool working; you can create it and document how to integrate it without waiting for us to do anything.What do you think?I really think this sounds amazing and I'm going to work on this ASAP. You said people at Tor want this, too? They probably have about the same use cases in mind as I do... If there's any more info you can pass along there related to who I should contact or what stage they're at with Sandstorm or whatever, please send me an encrypted email. You can import my key with this command:$ gpg --keyserver pgp.mit.edu --recv-keys 0x3F8AA1E2
set SMTP_URL in SandstormAre you talking about the setting one set in the web UI as the admin of a Sandstorm server? Or can this be set as env var, or some other option? Thanks!
Yes - then relay it to SendGrid/Mandrill/etc. That's what I mean! Glad that concept came through, even if by you creating it separately from me.
GPG or bust.The one thing I don't like about that is that it means that *new* users will see the option to log in via email address, and then not receive their email token.
In that case, probably you should email them an unencrypted note saying:"To log in via email token, please communicate with the admin over a safe channel to register a GPG key."IMHO that is not an information leak since email metadata (From: To: Subject: ) are not encrypted anyway.
Collisions on 32-bit key IDs are a practical attack. ...Anyway, can-do.
set SMTP_URL in Sandstorm
I mean the one set in the web UI, yes.Cheers!