reframe broker object lookup method to use "instance" RP
As I thought through @u1082186's proposed multi-cloud broker some more, I realized our current broker is broken. It's of course my fault, because I always thought of brokers as being peer to peer (one side calls `send()`, other calls `recv()`, and vice versa, to exchange individual caps). However, of course multiple parties can all hold a cap to a single RP, and exchange caps amongst themselves with it (although they obviously need some way to coordinate that free-for-all).
Thus, even the local broker interface should change. Right now the broker has two methods:
* `register(service_name,rp)`
* `lookup(service_name)`
and the expected use case is a service that registers an RP, and a consumer that looks it up and is then given a cap to the registered RP, on which to send a cap to the service (presumably the first and only cap sent is a membrane; everything else would flow through the membrane).
However, because the consumer has a cap to the service RP, it could also `recv()` on the RP... meaning the consumer could instead just keep calling `recv()` and intercept other `sent()` caps from other consumers, and provide a malicious service.
Consequently, I propose we could change the API to
* `register(service_name,rp)`
* `lookup(service_name,crp)`
where the controller would `send()` the lookup `crp` argument to the register `rp` argument -- so that the consumer does not actually ever get a cap to the service's `rp`.
I suppose that the current API could be useful for some multi-tenant RP exchanges, but we don't have those use cases right now.
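
The difference between the two `lookup` shapes, as an added toy model that is not the project's code: the `RP`, `CurrentBroker` and `ProposedBroker` classes, the `"store"` service name and the string "caps" are all hypothetical, and the service replying on each `crp` is an assumption about what it does after receiving one.

```python
from collections import deque

class RP:
    """Toy rendezvous point: any holder may send() or recv() caps (constructed model)."""
    def __init__(self, name):
        self.name, self._queue = name, deque()
    def send(self, cap):
        self._queue.append(cap)
    def recv(self):
        return self._queue.popleft() if self._queue else None

class CurrentBroker:
    """lookup(service_name) hands the service's own RP to the consumer."""
    def __init__(self):
        self._services = {}
    def register(self, service_name, rp):
        self._services[service_name] = rp
    def lookup(self, service_name):
        return self._services[service_name]

class ProposedBroker(CurrentBroker):
    """lookup(service_name, crp) forwards crp to the registered rp; nothing is returned."""
    def lookup(self, service_name, crp):
        self._services[service_name].send(crp)

def current_api_interception():
    broker, service_rp = CurrentBroker(), RP("service")
    broker.register("store", service_rp)
    honest_rp = broker.lookup("store")
    rogue_rp = broker.lookup("store")    # the very RP the service listens on
    honest_rp.send("membrane-from-honest-consumer")
    stolen = rogue_rp.recv()             # second consumer drains the shared RP
    return stolen, service_rp.recv()     # the service finds nothing left

def proposed_api_delivery():
    broker, service_rp = ProposedBroker(), RP("service")
    broker.register("store", service_rp)
    honest_crp, rogue_crp = RP("honest"), RP("rogue")
    returned = [broker.lookup("store", honest_crp), broker.lookup("store", rogue_crp)]
    # Consumers hold only their own crp; the service receives both crps on its rp.
    first, second = service_rp.recv(), service_rp.recv()
    first.send("membrane-for-honest")    # assumed: service answers on each crp
    second.send("membrane-for-rogue")
    return returned, honest_crp.recv(), rogue_crp.recv()

if __name__ == "__main__":
    print(current_api_interception())
    print(proposed_api_delivery())
```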