
access's Introduction

Access Control


Libraries and services for access control on the M-Lab platform.

Create JSON Web Keys

The m-lab/access package supports JWK keys generated by jwk-keygen.

Create a signing key pair:

go get gopkg.in/square/go-jose.v2/jwk-keygen
~/bin/jwk-keygen --use=sig --alg=EdDSA --kid=1

Access Envelope Service

For new services, we want to balance access to the platform with protecting platform integrity and measurement quality.

Until a service supports access control natively, the "access envelope" service accepts access tokens, validates them, and upon acceptance adds an iptables rule granting the client IP enough time to run a measurement, then removes the rule again after a timeout.

access's People

Contributors

cristinaleonr, nkinkade, robertodauria, stephen-soltesz

Forkers

berraermenek

access's Issues

envelope: should export a datatype for the envelope access logs

Successful access to the envelope should be logged.

Mismatch between envelope access and measurement service could be a sign of a problem.

This is especially important if the inner service has no logging of its own.

Since clients create a second TCP connection between the envelope and the inner measurement service, there may be no way to associate an envelope connection with a measurement other than time. Currently there is a limit of one connection at a time, so there is no risk of concurrency.

envelope: consider granting access to RemoteAddr subnets for CGNs

Currently, the envelope service expects the client IP in the token claim Subject field. The envelope grants access to this IP, irrespective of the RemoteAddr delivering the access token.

The original thinking was to only grant access to the original locate service requester. However, in the case of carrier grade NATs, there's no guarantee that two TCP connections from the same client will have the same RemoteAddr. However, it's our understanding that even if individual CGN IPs differ, they typically come from the same subnet.

So, to help, what if the locate service returned v4 or v6 decorated hostnames based on the client request IP. Then the envelope service would use the RemoteAddr to calculate either a v4/24 or v6/64 and grant access to the subnet.

This would:

  • use the same TCP protocol on both requests to the locate and envelope service
  • decrease the chances of CGNs preventing access to services behind the envelope.

In this case, the token claim Subject could be the service, "envelope", rather than the original client IP. Or, we could additionally confirm the subnet is the same.

envelope: consider using the token expiration as the grant timeout

Today the access token expiration is set by the locate service and defines the valid lifetime of the access token. The envelope service has an independent "timeout-after" parameter that grants client access to the service for that length of time.

What if the envelope service used the token expiration as the grant timeout also?

The locate service would need to know the typical experiment timeframe. The envelope service would not include independent policy.
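The following Go program is an added illustration of the envelope's token check as the README describes it, combined with the two proposals from the issues above: comparing the token's Subject IP with the connection's RemoteAddr at /24 (v4) or /64 (v6) granularity instead of exact match, and deriving the grant duration from the token's exp claim. It is not code from m-lab/access or go-jose; it verifies an EdDSA (Ed25519) compact JWS with the Go standard library only, assumes the client IP is carried in the "sub" claim and the expiry in "exp", and the names Claims, VerifyEdDSA, SameSubnet, GrantWindow and signToken are hypothetical. The IP addresses are constructed documentation ranges. The maxTimeout cap is a local design choice added here, not something either issue asks for.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"net"
	"strings"
	"time"
)

// Claims is the subset of JWT claims this check needs: the client IP in "sub"
// and the expiration time in "exp" (assumed layout, not the project's).
type Claims struct {
	Subject string `json:"sub"`
	Expiry  int64  `json:"exp"`
}

// VerifyEdDSA checks a compact JWS (header.payload.signature) against an
// Ed25519 public key and returns the claims only if the signature holds.
func VerifyEdDSA(token string, pub ed25519.PublicKey) (*Claims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, errors.New("malformed token")
	}
	// Verify first, over the encoded header and payload exactly as received.
	// The header's alg field is never consulted, so it cannot steer verification.
	sig, err := base64.RawURLEncoding.DecodeString(parts[2])
	if err != nil || !ed25519.Verify(pub, []byte(parts[0]+"."+parts[1]), sig) {
		return nil, errors.New("bad signature")
	}
	raw, err := base64.RawURLEncoding.DecodeString(parts[1])
	if err != nil {
		return nil, err
	}
	var c Claims
	if err := json.Unmarshal(raw, &c); err != nil {
		return nil, err
	}
	return &c, nil
}

// SameSubnet reports whether two IPs share a /24 (v4) or /64 (v6) prefix,
// the CGN-tolerant comparison proposed in the subnet issue.
func SameSubnet(a, b string) bool {
	ipA, ipB := net.ParseIP(a), net.ParseIP(b)
	if ipA == nil || ipB == nil || (ipA.To4() == nil) != (ipB.To4() == nil) {
		return false // unparsable, or mixed address families
	}
	bits := net.CIDRMask(24, 32)
	if ipA.To4() == nil {
		bits = net.CIDRMask(64, 128)
	}
	return ipA.Mask(bits).Equal(ipB.Mask(bits))
}

// GrantWindow decides whether verified claims admit a connection from remoteIP
// and how long the firewall rule should stay in place: the token's remaining
// lifetime (the "expiration as grant timeout" idea), capped at maxTimeout.
func GrantWindow(c *Claims, remoteIP string, now time.Time, maxTimeout time.Duration) (time.Duration, error) {
	exp := time.Unix(c.Expiry, 0)
	if !now.Before(exp) {
		return 0, errors.New("token expired")
	}
	if !SameSubnet(c.Subject, remoteIP) {
		return 0, fmt.Errorf("subject %s is not in the subnet of %s", c.Subject, remoteIP)
	}
	d := exp.Sub(now)
	if d > maxTimeout {
		d = maxTimeout
	}
	return d, nil
}

// signToken plays the locate service's role for the demo: it mints a token
// for the requesting client IP. Constructed for this example only.
func signToken(priv ed25519.PrivateKey, c Claims) string {
	hdr := base64.RawURLEncoding.EncodeToString([]byte(`{"alg":"EdDSA","typ":"JWT"}`))
	body, _ := json.Marshal(c)
	payload := base64.RawURLEncoding.EncodeToString(body)
	sig := ed25519.Sign(priv, []byte(hdr+"."+payload))
	return hdr + "." + payload + "." + base64.RawURLEncoding.EncodeToString(sig)
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	// Constructed sample: token minted for 203.0.113.10, envelope connection
	// arriving from 203.0.113.77 (a different address in the same /24).
	tok := signToken(priv, Claims{Subject: "203.0.113.10", Expiry: time.Now().Add(90 * time.Second).Unix()})
	c, err := VerifyEdDSA(tok, pub)
	if err != nil {
		fmt.Println("reject:", err)
		return
	}
	fmt.Println(GrantWindow(c, "203.0.113.77", time.Now(), 60*time.Second))
}
```

The order matters: the signature is checked before any claim is decoded, so a tampered payload never reaches the subnet or expiry logic. Widening the Subject match to a /24 or /64 is exactly the trade-off the subnet issue describes: it tolerates CGN address churn at the cost of letting any host in that prefix use the token during its lifetime, which is why the window is bounded by exp and, here, by a local ceiling.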
