Rhasspy skills and mqtt ACL

I started this project about 4-5 months ago but unfortunately, for lack of time, I couldn’t continue. My initial plan was to share the project when I arrived at a semi-functional state, but I had to stop for lack of time. Before starting to work on it again, I wanted to know if someone is already working on this, to avoid doing double work. I tried to design it so it needs few changes to the Rhasspy code. All skills will connect to the MQTT server put in bridge mode; in fact, this will act as an intermediary between the skills and the MQTT server, managing access through ACL.


Each skill receives a username and password as environment variables to access the MQTT bridge, and thanks to these credentials the server determines the topics which it can access. By default, there are some basic topics, but the developer can add others if he needs to access them. To install new skills there is no graphical interface for now, but I think that I will make a CLI that interfaces through a REST API, which sends a compressed archive with the Dockerfile, a manifest.json, the intent, and other files needed to run the container. Once decompressed, the server reads the manifest.json, in which it will find the skill’s name, the permissions, the extra topics, etc. Once the Docker image is built, the container is created and the credentials are passed as environment variables, which are then hashed and after that registered in the “database”. Once done, the container is started. For now, some parts are still missing, for example the code that will have to deal with the creation of mosquitto.conf for the configuration of the MQTT bridge, but if no one is already working on a similar project I could continue and then share the code once it reaches a functional state. Let me know if anyone has any advice or needs clarification.

After some work, I have published the source code. It is in alpha so some features are still missing but it is a good proof of concept. If someone wants to give feedback or suggestions I would be happy.

2 Likes

This is great! I haven’t looked in detail at the code yet, but did you see Secure architecture for Rhasspy apps, where this idea has been discussed before? Maybe this can give you some additional ideas. For instance, I would run the apps in the Docker containers as unprivileged users instead of as root (the default), to further minimize risks.
I’ll find some time soon to try this.

Thanks for sharing the link, because I missed the discussion, but I already implemented some ideas. By default, skills can access only three topics:

  • hermes/intent/# (READ or SUBSCRIBE)
  • hermes/intent//# (READ or SUBSCRIBE)
  • hermes/dialogueManager/# (WRITE)

Every skill can’t access the internet but can talk with the MQTT bridge.

I will improve the Docker permission management; in fact, in the main container everything is executed as root, even mosquitto. Thanks for the suggestion.

1 Like
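
The per-skill topic restrictions described above map onto a mosquitto `acl_file` stanza (`user <name>` followed by `topic <access> <filter>` lines). The following is an added example, not code from the rhasspy-skills project: it builds such a stanza from a manifest and rejects requested extra topic filters that are malformed, too broad, or that would inject extra lines into the ACL file. The manifest field names (`name`, `topics`, `topic`, `access`) are assumptions, and only the first and third default topics from the list are used.

```python
import json

# Defaults taken from the thread: read intents, write to the dialogue manager.
DEFAULT_ACL = [("read", "hermes/intent/#"), ("write", "hermes/dialogueManager/#")]
ALLOWED_ACCESS = {"read", "write", "readwrite"}

def validate_filter(topic_filter):
    """Reject malformed or overly broad MQTT topic filters requested by a manifest."""
    levels = topic_filter.split("/")
    if not topic_filter or any(c in topic_filter for c in "\n\r\0 "):
        raise ValueError("empty filter or illegal character")
    if levels[0] in ("#", "+") or levels[0].startswith("$"):
        raise ValueError(f"filter too broad: {topic_filter!r}")
    for i, level in enumerate(levels):
        if "#" in level and (level != "#" or i != len(levels) - 1):
            raise ValueError("'#' must be the last, whole level")
        if "+" in level and level != "+":
            raise ValueError("'+' must occupy a whole level")
    return topic_filter

def build_acl(manifest_json):
    """Return (username, mosquitto ACL stanza) for one skill manifest."""
    manifest = json.loads(manifest_json)
    name = manifest["name"]
    # The name is written into the ACL file, so keep it to a safe alphabet.
    if not name.replace("_", "").isalnum():
        raise ValueError("skill name must be alphanumeric/underscore")
    rules = list(DEFAULT_ACL)
    for extra in manifest.get("topics", []):
        if extra["access"] not in ALLOWED_ACCESS:
            raise ValueError(f"unknown access {extra['access']!r}")
        rules.append((extra["access"], validate_filter(extra["topic"])))
    lines = [f"user {name}"] + [f"topic {acc} {flt}" for acc, flt in rules]
    return name, "\n".join(lines) + "\n"

def filter_matches(topic_filter, topic):
    """MQTT wildcard matching: '+' is one level, trailing '#' is any remainder."""
    f, t = topic_filter.split("/"), topic.split("/")
    for i, level in enumerate(f):
        if level == "#":
            return True
        if i >= len(t) or (level != "+" and level != t[i]):
            return False
    return len(f) == len(t)

# Constructed sample manifest (the field names are assumptions).
SAMPLE = '{"name": "weather_example", "topics": [{"topic": "hermes/tts/say", "access": "write"}]}'
```

`filter_matches` lets you check which topics a generated stanza would actually expose to a skill before the broker configuration is reloaded.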

I fixed the problem of permission management; now apps are executed as unprivileged users. I also developed a CLI that interfaces with rhasspy skills, so now to install a new skill you just need to type:

rhskill install time_skill 

The next feature I will work on is skill configuration, that is, the ability to pass data to skills, for example an API token.

4 Likes

After some work, the skill, if declared in the manifest, can access the internet and prompt the user for some value such as an API token. To demonstrate the new feature I have created a new weather skill; this is only an example and lacks many functionalities.

rhskill install weather_example

The next step would be to refactor the code a bit and prepare for a more stable release.

Hello, on which platform did you compile your package?
I downloaded it but installing it on my PI4 gives me:

pip install rhasspy-skills-cli
Looking in indexes: https://pypi.org/simple, https://www.piwheels.org/simple
Collecting rhasspy-skills-cli
Could not find a version that satisfies the requirement rhasspy-skills-cli (from versions: )
No matching distribution found for rhasspy-skills-cli

Ditto if I download the project from PyPI in wheel format:

pip install /home/pi/rhasspy_skills_cli-0.2.1-py3-none-any.whl
rhasspy_skills_cli-0.2.1-py3-none-any.whl is not a supported wheel on this platform.

thank you in advance
Arpagor

Which python version do you have?
Probably the error is caused by the Python version: I added Python 3.8 as a requirement, but with version 0.2.2 I lowered it to 3.7. Let me know if this resolves the problem.

I have a python 3
Python 3.7.3 (default, Jan 22 2021, 20:04:44)
[GCC 8.3.0] on linux
I just tried the installation again and the only warning I received is:

anyio 3.2.1 has requirement idna>=2.8, but you’ll have idna 2.6 which is incompatible.

and a warning for the path:

The script rhskill is installed in ‘/home/pi/.local/bin’ which is not on PATH.
Consider adding this directory to PATH or, if you prefer to suppress this warning, use --no-warn-script-location.

It’s almost good :smile:

Arpagor

I have just tested on Raspberry Pi OS Lite with the same python version and it works. To solve the warning for the path I used PATH=/home/pi/.local/bin:$PATH. The warning for the idna version probably is caused by another installed package that requires version 2.6 but even with this version rhskill works.

After some testing and refactoring, rhasspy-skills is more stable and has some new features. At this moment there is no skill ready to be used, but my plan is to create new skills for my personal needs and then publish them. This will require some time, but I hope in the end to have multiple useful skills that can be installed with a single command. If someone in the meantime wants to try to develop a skill, feel free to ask any questions.