Tony Finch, December 2021
In these notes I will explain how the University's DNS systems depend on Jackdaw. For completeness, I will include some background information about Jackdaw in general, so that you know enough about the context for the DNS-specific parts to make sense.
what is Jackdaw?
Jackdaw is a web application platform based on Oracle, Apache httpd, and mod_perl.
Jackdaw hosts two important applications: the user admin database, and the IP Register database.
system setup
Jackdaw was set up to host the user admin database before the mainframe Phoenix was shut down in 1995. Because of the high cost of hardware and licence fees back then, Jackdaw is designed to host extra instances of its databases (called jdawtest and jdawdev) on the same server.
Similarly, there are multiple instances of Apache (live and test), and each mod_perl application has parallel live and test installations, again, all on the same server.
The applications themselves (in our case, ipreg) use Jackdaw libraries that allow users to choose which instance of the database to talk to.
Most of this complication only becomes relevant for maintaining the ipreg code that lives on Jackdaw. Unfortunately it makes testing rather tricky and confusing.
database design
Jackdaw has an unusual design compared to newer web application frameworks.
It is, really, first and foremost a database application platform; the web user interface is secondary. So a large part of the application logic and access control is implemented in the database, using packages of stored procedures.
Many of the services that depend on Jackdaw bypass the web server when talking to the database, and instead use ssh. (Many of them predate Jackdaw's web server.)
a typical Jackdaw API
This is the general pattern used by many clients of Jackdaw, including the DNS servers, the Hermes user admin scripts, and others.
A unix user account is created on Jackdaw which corresponds to a particular function or set of closely-related functions.
A matching user is created in the Oracle database such that the unix user can log in to Oracle without a password.
The Oracle user is set up with just the permissions it needs to read the necessary views or invoke the stored procedures that perform its functions.
Scripts are installed in the unix user account which access Oracle in a controlled manner.
Service-specific keys are added to the unix user's ~/.ssh/authorized_keys, with a restricted IP address ACL, and a restricted command so clients can only run permitted scripts.
ipreg-related services
The DNS system has the following accounts on Jackdaw. The setup for these accounts (scripts and ssh access control) is managed by some ipreg Ansible playbooks.
ipdns - most important part of the hourly DNS and DHCP update job; has read-only access to much of the IP Register database for building new versions of our DNS zones.
ipfilter - maintains interlocks in the database, corresponding to configurations in the network, so that a host can't be unregistered until its special network setup is removed. Has limited write access to parts of the IP Register database.
ipreg - the owner of the IP Register database; used for running admin scripts, not as a service API.
The ipreg admin scripts are also installed on ent in /local/ipregister from which they access the Oracle database directly (not over ssh) authenticated as an individual user (e.g. fanf2, rwhb2).
gossamer - the interface used by the old (Solaris-based) managed web servers, and by the Plone version of Falcon; has some fairly complicated stored procedures for allocating IP addresses to web servers etc.
mwsuser - the interface used by the Linux-based managed web servers, the Drupal version of Falcon, and a few other UIS services; documented at https://www.dns.cam.ac.uk/ipreg/api/mws3.html
The mwsuser does not strictly follow the Jackdaw pattern; instead of enforcing access controls in the database, mwsuser has privileged access to the IP Register database, and the perl script is responsible for access permission checks.
ipreg web interface
The main user interface to the IP Register database, for computer officers to manage their part of the University's DNS, consists of a number of web forms under https://jackdaw.cam.ac.uk/ipreg/
A few of these forms are also used for scripted (API-ish) access to the IP Register database by a number of institutions.
Jackdaw's mod_perl web framework handles authentication for the ipreg forms, in conjunction with the Oracle database; Oracle SQL views and packages also handle access control.
Jackdaw provides two kinds of authentication:
Raven authentication (mod_ucam_webauth style) for interactive logins. Jackdaw has its own implementation of the ucam webauth protocol inside Oracle.
Long-term cookies for API access. Jackdaw provides a self-service web user interface for managing API cookies. The long-term cookie machinery in Oracle is closely related to the Raven authentication machinery.
On Jackdaw, the ipreg web user interface is installed in various places under /home/www/ alongside the other applications hosted on Jackdaw.
reskinned web interface
There is an unfinished prototype to move the ipreg web user interface off Jackdaw. It does not remove IP Register's dependence on Jackdaw's Oracle database:
authentication still relies on Jackdaw's Oracle SQL implementation of ucam webauth
the IP Register database and all the service users listed above are still hosted on Jackdaw
The prototype includes:
a port of the mod_perl parts of Jackdaw's web framework
a port of the ipreg forms to the Project Light web template
a port of Jackdaw's long-term cookie management interface
The reskinned web UI requires access to wwwdns, a DNS-specific semi-privileged Oracle user on Jackdaw, corresponding to Jackdaw's own www account. The DNS web server would access Oracle on Jackdaw over the network as the wwwdns user. So far wwwdns has only been set up on a clone of Jackdaw, not the live database.
For development, the DNS web site has test and dev instances. The reskinned ipreg UI has configurable database credentials, so different instances of the DNS web site can be configured to use different instances of Jackdaw.