Project

General

Profile

Actions

Idea #20250

open

Simple read-only S3 endpoint

Added by Brett Smith 12 months ago. Updated 12 months ago.

Status:
New
Priority:
Normal
Assigned To:
-
Category:
Keep
Target version:
Story points:
-

Description

A user has a client tool that can talk to any S3 endpoint. They are pointing it at keep-web. For their workflow, they would prefer that this tool only read from Keep, and not be able to write. This is not meant to be a security control, but just a guardrail to prevent specific types of workflow mistakes. The people using this tool often created these collections or can write to them in Workbench, and that's fine.

The user suggested having keep-web provide a specific S3 API endpoint that is always read-only, even if the user has write permission in Arvados.

Another possibility might be some documented way to client tools to get API tokens that are scoped to be read-only and then use those for all future access. Need to discuss the approach we want to take.

Actions #2

Updated by Peter Amstutz 12 months ago

I think all you need is a token scoped to "GET /" will limit you to read-only access to the API.

Actions #3

Updated by Brett Smith 12 months ago

Peter Amstutz wrote in #note-2:

I think all you need is a token scoped to "GET /" will limit you to read-only access to the API.

Yeah we discussed this, but then it just sort of moves the question to, is there an easy way to get a token with this scope? i.e., one that doesn't involve writing your own API client.

Actions

Also available in: Atom PDF