
Feature #2328

Updated by Tom Clegg almost 10 years ago

The proposed permissions model for Keep is as follows: 

 A Keep locator string may end with a _permission hint_ in the form "+Asignature@timestamp". The _signature_ string here is a cryptographic hash consisting of alphanumeric characters, and _timestamp_ is a Unix timestamp expressed as a 32-bit integer. 

 A valid permission hint grants the user the ability to GET, PUT or DELETE an object in Keep; permission is all-or-nothing. 

 The permission hint may be generated either by Keep (after the user writes a block) or by the API server (if the user has @can_read@ permission on the specified object). Keep and API server share a secret that is used to generate signatures. Permission hints do not incorporate secrets from the user; if another user acquires a locator that includes a valid permission hint, they have permission to GET, PUT or DELETE that object. 

 To verify a permission hint, Keep generates a new hint for the requested object (using the locator string, the timestamp, the permission secret and the user's API token, which must appear in the request headers) and compares it against the hint included in the request. If the permissions do not match, or if the API token is not present, Keep returns a 401 error. 

 GET and HEAD: 
 * Keep server expects each read request to come with an API token (in HTTP headers) and a string +Asignature@timestamp (appended to the block hash) 
 * if the timestamp is in the past, 403. 
 * if the signature is invalid, 401. 

 PUT: 
 * Keep server expects each write request to come with an API token (in HTTP headers) 
 * Keep server generates a +Asignature@timestamp string and appends it to the hash in the response after a successful PUT 
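 As an added example (not from this ticket or from the Arvados code base), a Go sketch of the PUT-side signing and GET-side verification round trip described above, returning the status codes the ticket lists. The HMAC-SHA1 construction, the 8-hex-digit timestamp encoding, the "hash@token@timestamp" input layout and all function names are assumptions; the ticket only states that the locator, timestamp, shared secret and API token feed the signature.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha1"
	"encoding/hex"
	"fmt"
	"strconv"
	"strings"
)

// makeSignature: hex HMAC-SHA1 (assumed construction) over locator, token and expiry, keyed with the shared secret.
func makeSignature(secret []byte, locator, apiToken string, expiry uint32) string {
	mac := hmac.New(sha1.New, secret)
	fmt.Fprintf(mac, "%s@%s@%08x", locator, apiToken, expiry)
	return hex.EncodeToString(mac.Sum(nil))
}

// SignLocator appends "+Asignature@timestamp" (timestamp as 8 hex digits), as Keep does after a successful PUT.
func SignLocator(secret []byte, locator, apiToken string, expiry uint32) string {
	sig := makeSignature(secret, locator, apiToken, expiry)
	return fmt.Sprintf("%s+A%s@%08x", locator, sig, expiry)
}

// VerifyLocator returns the status Keep answers a GET with: 200 valid, 401 missing token or bad hint, 403 expired.
func VerifyLocator(secret []byte, signed, apiToken string, now uint32) int {
	i, at := strings.LastIndex(signed, "+A"), strings.LastIndexByte(signed, '@')
	if apiToken == "" || i < 0 || at < i {
		return 401
	}
	bare, sig, tsHex := signed[:i], signed[i+2:at], signed[at+1:]
	ts, err := strconv.ParseUint(tsHex, 16, 32)
	if err != nil {
		return 401
	}
	// Recompute with the caller's token and compare in constant time; a forged hint is 401 even if also expired.
	want := makeSignature(secret, bare, apiToken, uint32(ts))
	if !hmac.Equal([]byte(sig), []byte(want)) {
		return 401
	}
	if uint32(ts) < now {
		return 403
	}
	return 200
}

func main() {
	signed := SignLocator([]byte("constructed-secret"), "acbd18db4cc2f85cedef654fccc4a4d8+3", "user-token", 1000)
	fmt.Println(signed, VerifyLocator([]byte("constructed-secret"), signed, "user-token", 999)) // ... 200
}
```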

 Reference: 
 * "Ruby code for generating and verifying signatures":https://arvados.org/projects/arvados/repository/revisions/master/entry/services/api/app/models/blob.rb 

 Desired command line arguments to control permissions: 
 * @--enable-permissions=@ _true/false_ to enable or disable permission enforcement 
 ** For transition, maybe support a @--generate-permissions@ flag and a @--enforce-permissions@ flag. 
 ** Alternatively, make Keep always generate permission tokens, but only enforce them when the perms flag is turned on. 
 ** Permissions are always required for DELETE 
 * @--privileged-ip@ specifies IP addresses to be considered superuser. 
 ** If permissions are disabled, index (@GET /index.txt@) and @DELETE@ do not work unless remote address matches @--privileged-ip@ command line argument 
 * @--signature-ttl=num_seconds@ to control expiry time of signatures 
 * @--signature-key-fd=fdnum@ to read signing key from given file descriptor 
