moby / swarmkit

A toolkit for orchestrating distributed systems at any scale. It includes primitives for node discovery, raft-based consensus, task scheduling and more.
Apache License 2.0

[architecture] Decoupling Transport Security and Application Logic #691

Open aluzzardi opened 8 years ago

aluzzardi commented 8 years ago

Trying to articulate some architecture thoughts.

I'd like to think that our security model is encapsulated at the transport layer and doesn't "leak" into the application logic.

This is pure and simple separation of concerns.

This is why, for instance, I like the fact that the user explicitly sets the role on the NodeSpec (#690) and the agent acts on that, instead of checking the role in the cert (transport concern). Or that we accept a node rather than a certificate.

In the future, one can imagine that an agent and a manager running on the same node could communicate directly through code rather than gRPC (I'm not saying we should, just giving an example of why separation of concerns between transport and application is good).

Given that, I propose that we architect in a way in which TLS can be disabled - we should NEVER disable TLS, but it forces us not to mix transport and application.

Given this philosophy, for example, the Dispatcher API would include Node IDs - it's just that in the transport we would check that the agent is allowed to do so (e.g. node ID == cert node ID).

Thoughts on that?

/cc @diogomonica @aaronlehmann @stevvooe
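
A sketch of the split proposed in this comment, as an added Go example (not swarmkit's own code): the Dispatcher handler reads the node ID from the request and never touches a certificate; the only certificate/payload cross-check lives in a transport-side wrapper, so the same handler can also be called directly in-process. It assumes a mutual-TLS transport that attaches the peer's leaf certificate to the request context, that the certificate's CommonName carries the node ID, and it uses a self-signed certificate built in the example itself as constructed test data; the names (HeartbeatRequest, AuthorizeNode, WithPeerCert, NewNodeCert) are hypothetical.

```go
package main

import (
	"context"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// HeartbeatRequest is the application-level message. The node ID is explicit
// payload, so the Dispatcher never has to consult the transport for it.
type HeartbeatRequest struct {
	NodeID string
}

// Dispatcher holds application state and logic only.
type Dispatcher struct {
	LastSeen map[string]time.Time
}

func NewDispatcher() *Dispatcher {
	return &Dispatcher{LastSeen: make(map[string]time.Time)}
}

// Heartbeat trusts req.NodeID. It works when called directly (e.g. manager and
// agent in one process) or through the secured entry point below.
func (d *Dispatcher) Heartbeat(_ context.Context, req HeartbeatRequest) error {
	if req.NodeID == "" {
		return errors.New("heartbeat: empty node ID")
	}
	d.LastSeen[req.NodeID] = time.Now()
	return nil
}

// --- transport layer: the only code that looks at certificates ---

type peerCertKey struct{}

// WithPeerCert mimics what a TLS-terminating transport (e.g. a gRPC server
// doing mutual TLS) would attach to the request context (assumption).
func WithPeerCert(ctx context.Context, cert *x509.Certificate) context.Context {
	return context.WithValue(ctx, peerCertKey{}, cert)
}

// AuthorizeNode checks that the node ID claimed in the payload equals the node
// ID in the peer certificate (CommonName, by assumption). It fails closed: no
// peer identity on the transport means the request is rejected.
func AuthorizeNode(ctx context.Context, claimedNodeID string) error {
	cert, ok := ctx.Value(peerCertKey{}).(*x509.Certificate)
	if !ok || cert == nil {
		return errors.New("authorize: no peer certificate on transport")
	}
	if cert.Subject.CommonName != claimedNodeID {
		return fmt.Errorf("authorize: cert node %q may not act as node %q",
			cert.Subject.CommonName, claimedNodeID)
	}
	return nil
}

// HeartbeatSecured is the network-facing entry point: transport check first,
// then the unchanged application handler.
func (d *Dispatcher) HeartbeatSecured(ctx context.Context, req HeartbeatRequest) error {
	if err := AuthorizeNode(ctx, req.NodeID); err != nil {
		return err
	}
	return d.Heartbeat(ctx, req)
}

// NewNodeCert builds a self-signed certificate whose CN is the node ID.
// Constructed test data for this example; a cluster CA would issue the real one.
func NewNodeCert(nodeID string) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: nodeID},
		NotBefore:    time.Now().Add(-time.Minute),
		NotAfter:     time.Now().Add(time.Hour),
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

func main() {
	d := NewDispatcher()
	cert, err := NewNodeCert("node-a")
	if err != nil {
		panic(err)
	}
	ctx := WithPeerCert(context.Background(), cert)
	fmt.Println("own ID:    ", d.HeartbeatSecured(ctx, HeartbeatRequest{NodeID: "node-a"}))
	fmt.Println("spoofed ID:", d.HeartbeatSecured(ctx, HeartbeatRequest{NodeID: "node-b"}))
	fmt.Println("no peer:   ", d.HeartbeatSecured(context.Background(), HeartbeatRequest{NodeID: "node-a"}))
	fmt.Println("in-process:", d.Heartbeat(context.Background(), HeartbeatRequest{NodeID: "node-c"}))
}
```

The point of keeping AuthorizeNode separate is the one raised in the thread: the ID now exists in two places, so the equality check is a single, auditable function rather than something each handler has to remember. Note that "TLS could be disabled" here means the handler does not depend on the transport, not that the network path skips the check; a missing peer certificate is rejected.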

aaronlehmann commented 8 years ago

This seems reasonable. The tradeoff is that there's more complexity and room to screw up when we have IDs in two places that have to be cross-checked against each other. It's a hard judgement call whether it's worth it or not at this point.

aluzzardi commented 8 years ago

ping @diogomonica

diogomonica commented 8 years ago

I'm fine with this. Seems like a good design abstraction.