[Koha-devel] [Changed topic] Action hooks
dcook at prosentient.com.au
dcook at prosentient.com.au
Thu Dec 9 06:55:27 CET 2021
I’ve been thinking about this more today, and I think that I’m coming around to the plugin idea.
I still think it would be a good idea to have an event-driven messaging system, but it seems to me that adding that system will take a lot more work/discussion/thinking/experimenting than just improving plugin security and plugin tooling… so I might return to looking at some of the following:
Bug 28499 - Add support for no-UI / administrative plugins
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=28499
Bug 25672 - Administrators should be able to disable client-side plugin upload
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=25672
Bug 25370 - Create allowlist of plugins allowed to be installed by Web UI
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=25370
Bug 24632 - Plugins should support simple signing for security/verifiability
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=24632
Bug 25671 - Install 1 Koha plugin for X Koha instances using the CLI
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=25671
Bug 28498 - Add CLI counterpart for plugin actions
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=28498
At the moment, I’m more concerned with security than logistics I think.
I think the most feasible option with the least amount of work is probably going to be Bug 25370. I’ll default to allowing all plugins to be loaded, and then locally I’ll just make sure that all instances have a restricted list. That should make everyone happy…
David Cook
Senior Software Engineer
Prosentient Systems
Suite 7.03
6a Glen St
Milsons Point NSW 2061
Australia
Office: 02 9212 0899
Online: 02 8005 0595
From: Koha-devel <koha-devel-bounces at lists.koha-community.org> On Behalf Of dcook at prosentient.com.au
Sent: Friday, 3 December 2021 9:59 AM
To: 'Marcel de Rooy' <M.de.Rooy at rijksmuseum.nl>; 'koha-devel' <koha-devel at lists.koha-community.org>
Subject: Re: [Koha-devel] [Changed topic] Action hooks
That’s cool to hear, Marcel! Happy to share my thoughts.
A couple reasons I don’t want to use plugins:
1. I don’t want to turn on Koha plugins for 100+ different Koha instances around the world.
a. Overall, I think the Koha plugin system is insecure, and allows library staff too much control over the system. I typically keep it disabled with only a few exceptions. (I’ve opened a few bugs and provided a few patches for improving plugin security but they haven’t gone anywhere yet on Bugzilla.)
b. I also wouldn’t want library staff to potentially meddle with the plugin I install. I think this plugin is really a system plugin rather than a user plugin. It should be invisible to library staff.
2. I’d be looking to install/upgrade plugin code on 100+ different Koha instances which presents a maintenance challenge
a. While I think some vendors use Ansible to do this, I’m not currently satisfied with the CLI plugin tooling for install/upgrade/downgrade/uninstall. (I’ve done some work on this as well on Bugzilla but the work hasn’t progressed and it’s dropped down my priority list.)
i. Using an Ansible push also isn’t an option in some security/operational contexts. In some contexts, you provide artifacts and leave deployment/operations up to a different team
b. I rather install this “system plugin” 1 time on a server rather than X times. (I think this is something some other vendors have struggled with and worked around as well.)
c. I’d need to change the instance creation process to install this plugin as well. (Not the end of the world but a bit annoying and introduces more room for errors.)
That said, the hooks already exist, so I can see the appeal, and I can see how they’d work well for other people, especially with fewer Koha instances to manage.
I suppose it mostly comes down to control, security, and maintenance/management.
Also, other systems like Dspace and Fedora write out to message queues out of the box, and it makes it easy to add integrations to them without touching the core application at all. It would be great if Koha could do the same without needing a plugin. (If it were core functionality, we could use it for indexing as well and replace the “zebraqueue”.)
David Cook
Senior Software Engineer
Prosentient Systems
Suite 7.03
6a Glen St
Milsons Point NSW 2061
Australia
Office: 02 9212 0899
Online: 02 8005 0595
From: Koha-devel <koha-devel-bounces at lists.koha-community.org <mailto:koha-devel-bounces at lists.koha-community.org> > On Behalf Of Marcel de Rooy
Sent: Thursday, 2 December 2021 6:15 PM
To: 'koha-devel' <koha-devel at lists.koha-community.org <mailto:koha-devel at lists.koha-community.org> >
Subject: Re: [Koha-devel] [Changed topic] Action hooks
> I also have a use case where I want to send Koha biblio data elsewhere on create/update/delete, but Koha plugins won't be suitable. I've been thinking that it would be good to publish a message to a RabbitMQ topic on biblio create/update/delete. In fact, that could potentially replace the existing C4::Biblio::_after_biblio_action_hooks and Koha::Item::_after_item_action_hooks functions, and then the background_jobs_worker.pl or some other work could invoke the plugins.
I am running plugins to do the same for some time already. They are pushing these crud actions to a message queue. Works fine for me. Could you tell what makes plugins not suitable for that task?
<https://www.rijksmuseum.nl/nl/zien-en-doen/tentoonstellingen/vergeet-me-niet>
Ook in het Rijksmuseum:
<https://www.rijksmuseum.nl/nl/zien-en-doen/tentoonstellingen/henk-wildschut> Document Nederland 2021: Afstand. Henk Wildschut fotografeert corona
<https://www.rijksmuseum.nl/nl/zien-en-doen?filter=familiemaand>
<https://www.instagram.com/rijksmuseum/>
x
<https://www.facebook.com/rijksmuseum>
x
<https://www.linkedin.com/company/rijksmuseum/>
x
<https://twitter.com/rijksmuseum>
Please think before you print
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.koha-community.org/pipermail/koha-devel/attachments/20211209/e4616e1f/attachment-0001.htm>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: image001.jpg
Type: image/jpeg
Size: 3552 bytes
Desc: not available
URL: <http://lists.koha-community.org/pipermail/koha-devel/attachments/20211209/e4616e1f/attachment-0001.jpg>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: image002.png
Type: image/png
Size: 910 bytes
Desc: not available
URL: <http://lists.koha-community.org/pipermail/koha-devel/attachments/20211209/e4616e1f/attachment-0004.png>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: image003.png
Type: image/png
Size: 737 bytes
Desc: not available
URL: <http://lists.koha-community.org/pipermail/koha-devel/attachments/20211209/e4616e1f/attachment-0005.png>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: image004.png
Type: image/png
Size: 799 bytes
Desc: not available
URL: <http://lists.koha-community.org/pipermail/koha-devel/attachments/20211209/e4616e1f/attachment-0006.png>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: image005.png
Type: image/png
Size: 804 bytes
Desc: not available
URL: <http://lists.koha-community.org/pipermail/koha-devel/attachments/20211209/e4616e1f/attachment-0007.png>
More information about the Koha-devel
mailing list