Idea #20250

open

Simple read-only S3 endpoint

Added by Brett Smith about 1 year ago. Updated about 1 year ago.

Status: New
Priority: Normal
Assigned To: -
Category: Keep
Target version:
Start date:
Due date:
Story points: -

Description

A user has a client tool that can talk to any S3 endpoint. They are pointing it at keep-web. For their workflow, they would prefer that this tool only read from Keep, and not be able to write. This is not meant to be a security control, but just a guardrail to prevent specific types of workflow mistakes. The people using this tool often created these collections or can write to them in Workbench, and that's fine.

The user suggested having keep-web provide a specific S3 API endpoint that is always read-only, even if the user has write permission in Arvados.

Another possibility might be some documented way for client tools to get API tokens that are scoped to be read-only and then use those for all future access. Need to discuss the approach we want to take.
