Agent workers
Hi @Chad23 ,
1. yes
2. only self hosted and cloud enterprise
3. yes windmill handle remote agents. Some customers have 600 of them: https://www.windmill.dev/docs/core_concepts/agent_workers
Agent Workers | Windmill
Agent Workers are a Cloud plans and Self-Hosted Enterprise Feature.
4 Replies
Even with restricted permissions agent workers are able to corrupt data via update on queries.
That makes it impossible to crowd source workers for very large projects (think seti@home or similar).
This could be solved if workers have an alternate mode that connects to the API instead of the DB and then having granular tokens.
Or maybe there could be one dedicated table per worker. Those could then be combined by materialised views.
That's not true @Alper , you can use specific postgresql user per worker agents
the customer we are working with is in a very secure setup
it does require our expertise on setting up RLS permissions which we have tried to distill in the article above
It doesn't mean we can't improve the way it currently works but http apis do not have the same capabilities as postgres transactions so if we were to do a pure http api mode, it would come at the expense of either performance, correctness, observability or reliability of the workflow engine
(executing jobs itself is trivial enough without pg transactions)
thanks for the clarification. i wasn't aware that the tradeoffs of using an http API would be that big
also, i need to understand better how the RLS separation would work, will investigate
RLS is as secure as you can get since it's the database enforcing the rules at the row-level
you can't cheat RLS (but rules need to be well set)
RLS is likely much more auditable than code logic to ensure security