Geo: Increase granularity of certain JWT requests from Geo secondaries
From !30547 (comment 342939760):
Sidenote: I'm also wondering if we really need different JWT payloads for authentication anyway. Some endpoints only send requests with payload scope: geo_api and the primary always checks that the decoded data is exactly that. Why do other endpoints like GET transfers/:type/:id check for payload file_type: params[:type], file_id: params[:id] instead? If [the code for] authentication was the same for all requests from Geo nodes, then we could reduce complexity. Checks could be further dried up, and we would risk fewer mistakes.
I don't have a strong opinion on that but the dynamic payload should be more secure because in that case, the tokens have more granular permissions.
Initial proposal
Perhaps we can put the requested path into the payload.
So handling a request to:
- /api/v4/geo/transfers/lfs/3 checks for payload scope: "geo/transfers/lfs/3" instead of file_type: "transfers", file_id: "3". This is equally granular as before.
- /api/v4/geo/status checks for payload scope: "geo/status" instead of scope: "geo_api". This is more granular than before.
- /api/v4/projects/7/snapshot checks for payload scope: "projects/7/snapshot" instead of scope: "geo_api". This is much more granular than before.
Etc.
The MVC can be to implement this change for the endpoints that only check for scope: "geo_api". That represents an immediate increase in security, and shouldn't increase the number of code paths.
Later, one at a time, we can switch other endpoints (e.g. transfers) to reuse this approach. This represents no direct change in security, but it reduces the complexity of handling authentication, which is beneficial for maintaining secure code.