Basic support for GitLab Geo transfers
How this works:
- A Geo transfer request arrives with a JWT header with the right data (e.g. URL =
/api/v3/geo/transfers/lfs/1for LFS object ID 1, with a JWT token that includes the corresponding LFS OID)
- Workhorse proxies the request and the Rails backend verifies the validity of the request.
- If the request is valid, the Rails backend uses
X-Sendfilefunctionality in Workhorse/nginx to send data back to the client.
Current Geo Nodes use the system hook token for authentication, which is not that secure. This implementation creates an access identifier and an secret access key for each GeoNode. The GeoNode uses that to create a JWT token in the
Authorization header. The secret access key is encrypted with the
db_key_base valid and replicated in PostgreSQL. Since
db_key_base has to be correct to decode this field, we are ultimately relying on the security of that key.
The primary GeoNode receives the
Authorization header, looks up the proper GeoNode with the access identifier, and then validates the JWT token. We expect that the times of the nodes are synchronized within 1 minute to prevent replay attacks.
The MR to schedule the downloads will come in a separate MR. That currently depends on !1197 (merged) being merged and some work in a personal branch.