Skip to content
Snippets Groups Projects

Basic support for GitLab Geo transfers

Merged Stan Hu requested to merge geo-transfer-support into master
  1. Mar 03, 2017
    • Stan Hu's avatar
      Add basic support for GitLab Geo file transfers over HTTP · 1aff5fe4
      Stan Hu authored
      A Geo transfer request arrives with a JWT header with the right data (e.g. URL
      `/api/v4/geo/transfers/lfs/1` for LFS object ID 1, with a JWT token that
      includes the corresponding LFS OID).
      
      Workhorse proxies the request and the Rails backend verifies the validity of
      the request.  If the request is valid, the Rails backend uses X-Sendfile
      functionality in Workhorse/nginx to send data back to the client.
      
      Current Geo Nodes use the system hook token for authentication, which is not
      that secure. This implementation creates an access identifier and an secret
      access key for each GeoNode. The GeoNode uses that to create a JWT token in
      the Authorization header. The secret access key is encrypted with the
      db_key_base valid and replicated in PostgreSQL. Since `db_key_base` has to be
      correct to decode this field, we are ultimately relying on the security of
      that key.
      
      The primary GeoNode receives the Authorization header, looks up the proper
      GeoNode with the access identifier, and then validates the JWT token. We
      expect that the times of the nodes are synchronized within 1 minute to prevent
      replay attacks.
      1aff5fe4
Loading