
docs(paxos-standalone): surface the no-auth warning and default to loopback binds#222

Merged
SebastianThiebaud merged 1 commit into
mainfrom
docs/paxos-standalone-unauth-hardening
May 23, 2026

Conversation

@SebastianThiebaud
Contributor

Summary

examples/paxos-standalone exposes a tonic peer transport that feeds any deserialize-valid Message<HighWaterCommand> straight into OmniPaxos::handle_incoming with no peer-identity or membership check, and every RPC (peer + client API) is plaintext. The example is publish = false and documents this — but the "Authentication & TLS" note sat below the cargo run block, where a copy-paster could miss it, and --listen/--tso-listen were required args with no safe default.

  • README: add a > **Warning** — no authentication or encryption callout immediately above the run instructions, stating the plaintext/no-auth exposure and the loopback-by-default posture.
  • Bind defaults: default --listen and --tso-listen to 127.0.0.1:0, so binding off-loopback is an explicit operator override rather than something an omitted flag can produce.

Sibling audit (per the issue)

No change needed for the other paxos examples — neither exposes the unauthenticated peer transport:

  • paxos-piggyback routes paxos messages in-process via MeshSink (no tonic peer server).
  • paxos-embedded likewise uses an in-process MeshSink; its only network bind, the tsoracle API, is already hardcoded to 127.0.0.1.

So there's no off-loopback or unauthenticated exposure to fix or to file a follow-up for.

Closes #202

Test plan

  • README "Authentication & TLS" warning visible above the first cargo run invocation
  • cargo doc --no-deps -p example-paxos-standalone renders cleanly (no warnings)
  • Running node 1 with no --listen/--tso-listen binds loopback only: lsof -nP -iTCP -sTCP:LISTEN shows the process's two sockets on 127.0.0.1 (OS-assigned ports), no 0.0.0.0/*
  • scripts/run.sh unaffected — it passes --listen/--tso-listen explicitly, overriding the new defaults
  • cargo build/cargo clippy -p example-paxos-standalone clean; pre-commit hook (workspace fmt + clippy) passed

…opback binds

The example's paxos peer transport accepts any deserialize-valid message and
feeds it straight into `OmniPaxos::handle_incoming` with no peer-identity or
membership check, and every RPC is plaintext. The "Production caveats" note
explaining this sat below the cargo-run block where a copy-paster could miss
it, and `--listen`/`--tso-listen` were required with no safe default.

- Add a `> **Warning**` callout above the run instructions stating the
  no-auth/plaintext exposure and the loopback-by-default posture.
- Default `--listen` and `--tso-listen` to `127.0.0.1:0` so binding
  off-loopback is an explicit operator override rather than something an
  omitted flag can produce. `scripts/run.sh` is unaffected (it passes both
  explicitly).

The sibling examples need no change: paxos-piggyback and paxos-embedded route
paxos messages in-process via `MeshSink` (no tonic peer transport), and
paxos-embedded's only network bind — the tsoracle API — is already loopback.

Closes #202
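The loopback-by-default posture described above (omitted `--listen`/`--tso-listen` falls back to `127.0.0.1:0`, anything else is an explicit operator override) can be implemented and checked with the standard library alone. The block below is an added example, not code from the paxos-standalone example or this PR: the flag names come from the PR, while `resolve_bind`, `classify`, `resolve_all` and the `Exposure` enum are hypothetical names chosen here, and the inputs in `main` are constructed.

```rust
// Added example (not the paxos-standalone example's own code): resolve bind
// flags with a loopback default and report any bind that leaves loopback,
// since the peer RPC behind it has no authentication or TLS.
use std::net::SocketAddr;

/// Default bind when the operator omits the flag: loopback, OS-assigned port.
pub const DEFAULT_BIND: &str = "127.0.0.1:0";

/// How far a bind address exposes the unauthenticated transport.
#[derive(Debug, PartialEq, Eq, Clone, Copy)]
pub enum Exposure {
    /// Reachable only from the local host (127.0.0.0/8 or ::1).
    Loopback,
    /// Wildcard address (0.0.0.0 or ::): every interface on the machine.
    AllInterfaces,
    /// A specific non-loopback address: reachable from the network.
    OffLoopback,
}

/// Classify a resolved socket address by how reachable it is.
pub fn classify(addr: &SocketAddr) -> Exposure {
    match addr.ip() {
        ip if ip.is_loopback() => Exposure::Loopback,
        ip if ip.is_unspecified() => Exposure::AllInterfaces,
        _ => Exposure::OffLoopback,
    }
}

/// Resolve a `--listen`-style flag. `None` (flag omitted) yields the loopback
/// default; `Some(value)` is parsed as an explicit operator override.
pub fn resolve_bind(flag: Option<&str>) -> Result<SocketAddr, String> {
    let raw = flag.unwrap_or(DEFAULT_BIND);
    raw.parse::<SocketAddr>()
        .map_err(|e| format!("invalid bind address {raw:?}: {e}"))
}

/// Resolve every bind flag of a node. Returns the resolved addresses plus the
/// (flag, exposure) pairs that the operator has consciously opted into, so the
/// caller can log a warning before the sockets are opened.
pub fn resolve_all<'a>(
    flags: &[(&'a str, Option<&str>)],
) -> Result<(Vec<SocketAddr>, Vec<(&'a str, Exposure)>), String> {
    let mut addrs = Vec::new();
    let mut warnings = Vec::new();
    for (name, value) in flags {
        let addr = resolve_bind(*value)?;
        let exposure = classify(&addr);
        if exposure != Exposure::Loopback {
            warnings.push((*name, exposure));
        }
        addrs.push(addr);
    }
    Ok((addrs, warnings))
}

fn main() {
    // Constructed input: node started with both flags omitted.
    let omitted: [(&str, Option<&str>); 2] = [("--listen", None), ("--tso-listen", None)];
    let (addrs, warnings) = resolve_all(&omitted).expect("defaults parse");
    println!("flags omitted -> {addrs:?}, warnings: {warnings:?}");

    // Constructed input: operator explicitly overrides the peer bind to the wildcard.
    let overridden: [(&str, Option<&str>); 2] =
        [("--listen", Some("0.0.0.0:7001")), ("--tso-listen", None)];
    let (addrs, warnings) = resolve_all(&overridden).expect("override parses");
    for (flag, exposure) in &warnings {
        eprintln!("warning: {flag} binds {exposure:?}; the peer RPC has no authentication or TLS");
    }
    println!("explicit override -> {addrs:?}");
}
```

The distinction between `AllInterfaces` and `OffLoopback` matters for the review in the test plan: the `lsof -nP -iTCP -sTCP:LISTEN` check in the PR looks for `0.0.0.0`/`*` listeners, but a bind to a specific interface address is just as reachable from the network and would not match that pattern, so the classifier treats both as a warning.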
@coveralls

Coverage Report for CI Build 26342191821

Coverage increased (+0.03%) to 94.82%

Details

  • Coverage increased (+0.03%) from the base build.
  • Patch coverage: No coverable lines changed in this PR.
  • No coverage regressions found.

Uncovered Changes

No uncovered changes found.

Coverage Regressions

No coverage regressions found.

Coverage Stats

  • Relevant Lines: 10676
  • Covered Lines: 10123
  • Line Coverage: 94.82%
  • Coverage Strength: 553435.29 hits per line

💛 - Coveralls

@SebastianThiebaud SebastianThiebaud merged commit 5b882c6 into main May 23, 2026
19 checks passed
@SebastianThiebaud SebastianThiebaud deleted the docs/paxos-standalone-unauth-hardening branch May 23, 2026 20:35


Development

Successfully merging this pull request may close these issues.

examples/paxos-standalone: unauthenticated plaintext peer RPC — harden README placement and bind-address defaults

2 participants