cnabio / cnab-spec

Cloud Native Application Bundle Specification
https://cnab.io

Non-normative proposal: Ephemeral action credentials #357

Open chris-crone opened 4 years ago

chris-crone commented 4 years ago

When running an action, the CNAB runtime needs to pass credentials into the invocation container. For actions that create, delete, or modify objects, these credentials must have privileges that allow doing so on the target platform. For installed applications that interact with the platform, one would expect a clear separation of concerns enforced by a separate set of less privileged credentials that the application uses.

Because of how the CNAB installation model works, it cannot enforce this separation of concerns and cannot guarantee that the installation credentials are not passed to the installed application or elsewhere. To mitigate this, runtimes could create ephemeral credentials that are invalidated shortly after action completion.

This has two benefits:
1) It guarantees that the installation credentials cannot be reused.
2) It facilitates auditing the action's effect on the platform (i.e. what the action did).

I see this as a complement to #337 and a candidate for the non-normative portion of the specification as it requires that the runtime tool understands the target installation platform.
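As an added illustration of the proposal above (example code written for this page, not part of the CNAB specification or of any CNAB runtime), the Go sketch below models a runtime that mints a credential scoped to a single action, hands only that credential to the invocation image, and revokes it as soon as the action returns, whether it succeeded, failed or panicked. The `Platform` type, its `IssueEphemeral`, `Revoke` and `Do` methods and the audit log are hypothetical in-memory stand-ins for a target platform's short-lived-credential and resource APIs; the injected clock exists only so the TTL can be exercised without waiting.

```go
package main

import (
	"crypto/rand"
	"encoding/hex"
	"errors"
	"fmt"
	"time"
)

// Credential is the short-lived, action-scoped secret the runtime hands to the
// invocation image. ID is the audit correlation key; Secret crosses into the container.
type Credential struct {
	ID, Secret, Action string
	ExpiresAt          time.Time
}

type AuditEntry struct {
	CredentialID, Action, Operation string
	At                              time.Time
}

var ErrCredentialInvalid = errors.New("credential unknown, expired or revoked")

// Platform is a hypothetical in-memory stand-in for the target platform (not a real
// cloud SDK, not goroutine-safe); the clock is injectable so expiry is testable.
type Platform struct {
	now   func() time.Time
	creds map[string]Credential // live credentials keyed by Secret
	Audit []AuditEntry
}

func NewPlatform(now func() time.Time) *Platform {
	return &Platform{now: now, creds: map[string]Credential{}}
}

func randomHex(nBytes int) string {
	b := make([]byte, nBytes)
	if _, err := rand.Read(b); err != nil {
		panic(err) // a CSPRNG failure must not be papered over
	}
	return hex.EncodeToString(b)
}

// IssueEphemeral mints a fresh credential for exactly one action with a hard
// expiry, so a credential that escapes revocation still dies on its own.
func (p *Platform) IssueEphemeral(action string, ttl time.Duration) Credential {
	c := Credential{ID: "cred-" + randomHex(4), Secret: randomHex(32),
		Action: action, ExpiresAt: p.now().Add(ttl)}
	p.creds[c.Secret] = c
	return c
}

// Revoke invalidates the credential immediately, expired or not.
func (p *Platform) Revoke(c Credential) {
	delete(p.creds, c.Secret)
}

// Do performs a platform operation on behalf of a secret. Unknown, revoked and
// expired secrets are rejected; accepted calls are logged under the credential
// ID, which is what makes "what did the install action do?" answerable.
func (p *Platform) Do(secret, operation string) error {
	c, ok := p.creds[secret]
	if !ok || !p.now().Before(c.ExpiresAt) {
		return ErrCredentialInvalid
	}
	p.Audit = append(p.Audit, AuditEntry{CredentialID: c.ID, Action: c.Action, Operation: operation, At: p.now()})
	return nil
}

// RunAction is the runtime side: mint, invoke, revoke. The deferred Revoke runs
// on success, on error and on panic, so whatever the invocation image left
// behind (including the installed application) cannot reuse the credential.
func RunAction(p *Platform, action string, ttl time.Duration, invoke func(secret string) error) (Credential, error) {
	cred := p.IssueEphemeral(action, ttl)
	defer p.Revoke(cred)
	if err := invoke(cred.Secret); err != nil {
		return cred, fmt.Errorf("%s action failed: %w", action, err)
	}
	return cred, nil
}

func main() {
	p := NewPlatform(time.Now)
	var leaked string // models the installed application stashing the secret
	cred, err := RunAction(p, "install", 5*time.Minute, func(secret string) error {
		leaked = secret
		return p.Do(secret, "create-deployment")
	})
	fmt.Println("install via", cred.ID, "err:", err)
	fmt.Println("reuse after completion:", p.Do(leaked, "delete-deployment"))
	for _, e := range p.Audit {
		fmt.Printf("audit: %s action did %s via %s\n", e.Action, e.Operation, e.CredentialID)
	}
}
```

The TTL is the safety net for the case where the deferred `Revoke` never runs (the runtime is killed mid-action), and the audit entries keyed by credential ID are what turn "what did the install do?" into a lookup on the platform side. On a real platform the two calls map onto whatever short-lived credential mechanism it exposes; the property to preserve is that the secret reaching the invocation image is unique to that action and dead by the time the action has returned.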

squillace commented 3 years ago

I think this is one of the more important things we need to do relatively soon. And go back to #337.