Securing KG API

[jachro]

As a Renku owner, I'd like the knowledge-graph service API is secured :)

This epic is a starting point to some conversation about how to protect the KG API.

Once all the following issues are done:

SwissDataScienceCenter/renku-gateway/issues/168, SwissDataScienceCenter/renku-gateway/issues/169, SwissDataScienceCenter/renku-gateway/issues/170

Renku will start serving KG API to the world. All the endpoints will be secured by the Gateway verifying the access token and either returning 401 Forbidden or redirecting to the knowledge-graph service. However, securing the knowledge-graph API seems to be a bit more complicated topic as there are various aspects of protecting the data not just access to the endpoint.

• At the moment KG API does not check at all if a request issuing entity should get some data or not. I imagine the Gateway would be able to pass some sort of access token to the KG so it can verify it by calling a relevant Keycloak API. Question: do we want to make the access token mandatory for all the data or just related to private/internal projects?
• Assuming there's no need to present an access token for getting to the public project's data, what if for instance there's a call to get public project's datasets but some of these datasets are also used by private/internal projects? Should we use the same model as GitLab and simply list all the project except those which we have no access to?
• Similarly to the point above, assuming the caller has a valid access token for getting to its project's data, and using the same example with project's datasets, some of the datasets are linked to private/internal projects which this user has no access to, should we present just the data he's got access to? The so-called GitLab model, of presenting only the data the caller has access to, seems to be reasonable but a bit difficult to achieve. Can we maybe take advantage of the consent users are acknowledging by clicking the Activate Knowledge Graph and simply show all the data for all the users? In the end, it's just metadata, not the content of the repository. I can also imagine, that e.g. if somebody uses a dataset from my public project, I would maybe wish to see all the usages regardless of the visibility of the projects.

[ableuler]

Question: do we want to make the access token mandatory for all the data or just related to private/internal projects?

I would prefer to not make it mandatory. This will allow us to offer some functionality to the logged-out user too.

Should we use the same model as GitLab and simply list all the project except those which we have no access to?

I haven't thought this through, but intuitively I would like to treat inter-project links as public information. For example, it could be ok to show the information that a public project X has used a dataset from a private project Y which has also been used in another private project Z. At the same time I would like to keep metadata about the private projects involved protected (name, author, etc).

[ciyer]

Can we make a few example scenarios here? I think we just need to distinguish between projects that are visible and invisible to the user. Projects are visible if the user has access to them and invisible otherwise. If we use A -> B to mean that B uses data from A and Visible[i] and Invisible[i] for the ith visible and invisible project, respectively.

I think the scenarios we need to handle are:

1. Invisible0 -> Visible0
2. Visible0 -> Invisible0
3. Visible0 -> Invisible0 -> Visible1
4. Visible0 -> Invisible0 -> Invisible1
5. Invisible0 -> Invisible1 -> Visible0

What should the user see in the KG in these situations?

Does the user see that there is an invisible project? And if there is more than one invisible project in the path, does the user learn that they are different projects (that Invisible0 != Invisible1)?

I can imagine circumstances where each of the possibilities make sense:

• Invisible projects are shown, but without names
• Invisible projects are shown, but not distinguished
• Invisible projects are now shown

[ableuler]

I can imagine circumstances where each of the possibilities make sense:

• Invisible projects are shown, but without names
• Invisible projects are shown, but not distinguished
• Invisible projects are now shown

I'd have the tendency to show them in indistinguishable manner per default. What would be scenarios for you where

• informing about the existence of a totally unspecified project would be revealing too much information?
• being able to distinguish otherwise hidden projects would be a big added value?