Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Idea/Proposal: Permissions for Api Keys and Pre signed upload urls. #21

Open
kelindi opened this issue Dec 31, 2022 · 2 comments
Open

Comments

@kelindi
Copy link

kelindi commented Dec 31, 2022

Idea/Proposal: Build permissions for Api Keys and Pre signed upload urls.

Contributors @kelindi 
Status Draft
Revision  

Proposal

NOTE: This is a draft and is not finalize yet. We'll have to polish it until we all agreed on the approach.

Only give api keys the necessary permissions.

  • Read
  • Write
  • Read/Write
  • User defined limits for certain actions (ex: "An Api key limited to only upload one file")
    • This could be used to implement a temporary pre signed url/api-key for serverless uploads
    • User requests to upload a file a file from the frontend -> frontend receives a temporary api key from Estuary -> Frontend uses the temporary api key to directly upload the file to Estuary
@snissn
Copy link

snissn commented Jan 2, 2023

This is cool! Right now it's easy to make a new API key with a short time expiration date. Could we augment that to also limit the number of times a key can be used? If we can that should allow us to make one time keys. It doesn't necessarily let us make keys with a singular use though. I think we can also add in for a key specific endpoints or verbs (get vs post) that we want to allow. I like this idea overall a lot! I believe we want to change auth in the near future to use meta mask type logins but I can't think of any future plans that this proposal conflicts with

@alvin-reyes
Copy link
Contributor

This is good. We can create a ACL and permission rules and define the rules using echo middleware to detect the user permissions. We can define functions for each permission and we can write the logic for each permission and ID them so we can assign multiple permission rules per user.

I imagine we will have the following permission types.

  • readOnlyPerm
  • writeOnlyPerm
  • readWritePerm
  • uploadOnlyPerm
  • oneTimeUseTempKeyPerm
  • tempKeyGeneratorPerm
  • uploadFromSignedPerm
  • yourCustomFuncWithYourLimitLogicPerm

and the api key table will have a permission column with an array of permissions.

When a user wants to upload, estuary sends a new API key for the user with an "upload one file only" permission. API key is passed from frontend and directly upload it to estuary.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

No branches or pull requests

3 participants