'zed context' appears to deadlock when run over a remote terminal if DISPLAY=
is set (e.g. a remote workstation), due to keyring integration
#140
Labels
area/CLI
Affects the command line
First off, SpiceDB is very cool and seemingly the best Zanzibar implementation there is. Thanks for that! It's a fun product that I'm still wrapping my head around. Now, a quick story.
Last night while trying to debug a kubernetes deployment, I realized
zed
was hanging on any usage of thecontext
command to manage credentials while trying to interface with the service. It was completely bizarre, and looked like this (after akubectl proxy
):In fact it was so bizarre because I had used
zed
previously, on another machine, to test a docker container. And I did that again to be sure I wasn't losing it, and it was just fine. It prompted me for a password for the JWT keys; I remembered that. So what could be the problem? I triedstrace
and nothing immediately popped out; it was waiting on a futex, which almost always means waiting on some IPC or lock mechanism; unfortunately a futex is too low level to work off of. I read the manual and saw that it integrates with the system keyring, but just writes JWT files according to the go keyring package. I confirmed it wrote those JWT files on my working machine. The source code (when I read it) seemed innocuous enough. But I couldn't figure it out.So I went to sleep, and this morning while getting coffee it dawned on me: I thought of the words "GNOME Keyring", and realized the system where the hang occurs has a full GUI (desktop environment) active. More precisely, it is an Ubuntu Virtual Machine running a GNOME desktop (I need GNOME for some proprietary software to run its user interface on this machine). But I develop on this machine by using
vscode
with its powerful SSH integration to help desktop GUI latency/my Mac has better font rendering. On the other hand, the system wherezed
worked was completely headless and had no UI active at all. GNOME Keyring will prompt you for encryption passwords via the UX if, and only if, the GUI is active.Sure enough, this morning I sat down, sat at VSCode on my Mac, typed in the words
zed context set local ...
and the hang started. I moved over and opened my Ubuntu Virtual Machine, and sure enough, the culprit causing the hang reveals itself:So I honestly don't know what to do here because the actual thing is, everything is "Working as expected." So the problem is:
keyring
, appears to hangBut this is all by design. It's kind of expected that if the desktop was open, you'd be using it. However it's extremely non-intuitive is this happens when you aren't using the desktop, because there is literally no possible way to tell if anything is happening.
Maybe it would be possible to just add more tracing messages, honestly? The fact I couldn't even tell what
zed context
was trying to do until I refreshed my memory (by usingzed context
successfully on the other machine) made it hard to figure out what might be happening.There is also the more broad question of authenticating with SpiceDB in the long run. While I understand SpiceDB occupies a special infrastructural role — it being used to build your auth infrastructure means "self bootstrapping" user authorization is tricky — I suspect a simple pre-shared bearer token won't work for everyone, forever; but it is simple. So in the future assuming basic authentication came from some other mechanism the keyring might instead be avoided entirely, making this moot. I don't know (e.g. the simplest case would be to configure a CA and only allow clients with a signed proper TLS cert to connect; or ed25519, etc...)
One case I haven't checked is that my Desktop UI was actually logged into GNOME; it might be the case that if your user doesn't have a desktop login session available, then the keyring will be prompted remotely over the terminal instead (because there is no working display server for the user.) I'll test this just to be sure...
The text was updated successfully, but these errors were encountered: