-
Notifications
You must be signed in to change notification settings - Fork 122
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Load permission settings from config files #1074
Comments
As discussed in today's call. I have two questions:
We've also found this Deno discussion: denoland/deno#12763. We must discuss both points before a PR. In any case, I'm pinging @nodejs/tsc, specially @tniessen and @bmeck to hear your thoughts. |
I would encourage people to avoid building config files for specific features; see nodejs/node#48852 and nodejs/node#43973 as attempts to create config files for the test runner and module loaders, respectively. I think users deserve to be able to configure Node in its entirety through a single config file. nodejs/node#48890 was a starting point; we can add support for configuration via a JSON (or other format) file if desired. |
The idea is to use an existing config file @GeoffreyBooth ( |
Before |
@RafaelGSS there are a few major concerns I have with environment variables:
I'm pretty -1 on using ENV for this since it just isn't designed for complex usages or large values. I agree for very simple not fully specified things it would be fine but would cause a preference on large scale permissions grants due to problems at large scale constraints. |
I would note I am not proposing that we ban these flags from .env etc. just that it seems a poor best practice at a glance. |
The concern I raised in this issue was that is not clear, at the first moment, what issue a separated config file for the permission model will solve. I mean, currently, it's annoying to allow a bunch of paths through the CLI. Imagine: However, due to the fact, you can pass the same flags through the As a separate discussion, but that overlaps with it. Have we ever considered a unified nodejs configuration file? Not by env vars, but a single file where I can define multiple rules of nodejs mechanism, such as policies. |
@RafaelGSS simply put if you have finer grained / verbose levels of settings you end up with problems due to how shells work. On my machine: % getconf ARG_MAX
1048576 Is the maxium space I can use up as seen with: % node -p "child_process.spawnSync('echo', [' '.repeat($(getconf ARG_MAX))]).error.message"
spawnSync echo E2BIG This includes normal environment variables and argv. It isn't too hard to hit this limit with any complex system. |
Yes, see https://github.com/orgs/nodejs/discussions/44975 and the issues it cites. Basically we thought that supporting |
This issue is stale because it has been open many days with no activity. It will be closed soon unless the stale label is removed or a comment is made. |
This issue is stale because it has been open many days with no activity. It will be closed soon unless the stale label is removed or a comment is made. |
This issue is to discuss implementation of the point referenced in the title of #898.
My first concern would be on which flag to use to pass the file. The options that I can think of are:
--experimental-policy
flag. My main concern is this would imply the need to also set policy.--experimental-permission
flag (I'm still unsure that's even possible).--permission-file
).Another doubt I have is what would be the expected behaviour on precedence when permissions are set on both flags (e.g.
--allow-fs-read
) and file. Options:I would go with:
1.2. Add an optional file to the
--experimental-permission
flag (If possible) as we wouldn't need a new flag.2.1. Fail when both set. I'd assume that to be a mistake, and throw an error explaining the problem. Also this might prevent some sort of attacks using the unconfigured one.
Any ideas and suggestions are welcomed.
The text was updated successfully, but these errors were encountered: