fairDataSociety / fairOS-dfs

Decentralised File System (dfs) layer of the FairOS
https://docs.fairos.fairdatasociety.org/docs/
Apache License 2.0

Integrate Swarm's Access Control Trie (ACT) into fairOS-dfs with User-Based Access Control #646

Open asabya opened 2 weeks ago

asabya commented 2 weeks ago

Access control is a critical feature for fairOS-dfs to ensure secure and flexible data sharing among users. With the recent availability of the Access Control Trie (ACT) natively in Swarm, we have the opportunity to enhance fairOS-dfs by integrating this feature.

However, the native implementation of ACT in Swarm is node-based, meaning that only a node can act as a publisher or grantee, lacking the concept of a user within the access control mechanism.

Problem Statement

Proposed Solution

Integrate swarm-act into fairOS-dfs to enable user-based access control by:

Tasks

  1. Research and Analysis

    • Study the current implementation of ACT in Swarm.
    • Identify the gaps between node-based and user-based access control.
  2. Design User-Based Access Control Mechanism

    • Develop a method to initialize ACT with a user's key.
    • Define protocols for adding users as grantees within the ACT framework.
  3. Implement Integration

    • Modify fairOS-dfs to utilize swarm-act with user keys.
    • Ensure compatibility and maintain security standards during integration.
  4. Testing and Validation

    • Create unit and integration tests for the new access control features.
    • Validate user interactions and data sharing functionalities.
  5. Documentation

    • Update the fairOS-dfs documentation to include the new access control capabilities.
    • Provide usage guidelines and best practices for developers and end-users.

References

asabya commented 1 week ago

This ACT implementation will build upon the existing pod sharing functionality available in fairOS-dfs, but with a key enhancement. Instead of sharing the pod sharing reference directly, we'll wrap that reference using ACT and share the ACT's historyRef.

Once access is granted to a pod, the specific grantee will import the historyRef, open the pod, and access its files. Even if someone else obtains the historyRef, they won't be able to access the sharing information because of the access control enforced by ACT.

These imported Access Controlled Pods (ACPs) will be listed differently from regular shared pods, distinguishing them within the system.

asabya commented 1 week ago

Furthermore, the ACT integration in fairOS-dfs will include additional features such as:

By incorporating these features, fairOS-dfs enhances transparency and control over data sharing. Users can manage permissions more effectively, ensuring that sensitive information is only accessible to authorized individuals.

tfius commented 1 week ago

What is the implementation plan for lists and keeping them up to date?

asabya commented 1 week ago

The plan is straightforward, similar to how we store pods: we serialize the ACT list as a JSON blob and save its reference in a Single Owner Chunk (SOC) with topic ACT File.

{
  "acts": [
    {
      "name": "SharedDocuments",
      "historyRef": "abc123...",
      "createdAt": "2023-10-02T12:34:56Z",
      "grantees": [
        {
          "publicKey": "def456...",
          "grantedAt": "2023-10-02T12:35:00Z"
        },
        {
          "publicKey": "ghi789...",
          "grantedAt": "2023-10-02T12:36:00Z"
        }
      ],
      "content": [
        {
          "podName": "ProjectFiles",
          "reference": "jkl012...",
          "addedAt": "2023-10-02T12:37:00Z"
        }
      ]
    }
  ]
}

NOTE: there might be small changes in the JSON during implementation
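The ACT-list index sketched in the comment above, as an added Go example that is not part of the fairOS-dfs code base: it declares structs matching the JSON field names shown there (the type and function names, the error values and the sample blob are assumptions of this example), decodes a constructed sample while rejecting unknown fields, and adds or removes grantees while refusing duplicate keys. Access enforcement stays with the ACT in Swarm; this list is only the owner's bookkeeping, so removing a key from it does not by itself revoke anything on the ACT.

```go
package main

import (
	"bytes"
	"encoding/json"
	"errors"
	"fmt"
	"time"
)

// Grantee is one entry of an ACT's "grantees" array (field names from the comment above).
type Grantee struct {
	PublicKey string    `json:"publicKey"`
	GrantedAt time.Time `json:"grantedAt"`
}

// Content is one pod sharing reference wrapped by the ACT.
type Content struct {
	PodName   string    `json:"podName"`
	Reference string    `json:"reference"`
	AddedAt   time.Time `json:"addedAt"`
}

// ACT mirrors one element of the "acts" array.
type ACT struct {
	Name       string    `json:"name"`
	HistoryRef string    `json:"historyRef"`
	CreatedAt  time.Time `json:"createdAt"`
	Grantees   []Grantee `json:"grantees"`
	Content    []Content `json:"content"`
}

// ACTList is the whole blob whose reference would go into the "ACT File" SOC.
type ACTList struct {
	ACTs []ACT `json:"acts"`
}

// Error values are assumptions of this example, not project identifiers.
var (
	ErrACTNotFound      = errors.New("act not found")
	ErrDuplicateGrantee = errors.New("grantee already present")
)

// DecodeACTList parses the blob; unknown fields are rejected so a drifted or
// tampered document fails loudly instead of being silently accepted.
func DecodeACTList(b []byte) (*ACTList, error) {
	dec := json.NewDecoder(bytes.NewReader(b))
	dec.DisallowUnknownFields()
	var l ACTList
	if err := dec.Decode(&l); err != nil {
		return nil, err
	}
	return &l, nil
}

// EncodeACTList serialises the list as it would be written before upload.
func EncodeACTList(l *ACTList) ([]byte, error) {
	return json.MarshalIndent(l, "", "  ")
}

func (l *ACTList) find(name string) (*ACT, error) {
	for i := range l.ACTs {
		if l.ACTs[i].Name == name {
			return &l.ACTs[i], nil
		}
	}
	return nil, ErrACTNotFound
}

// AddGrantee records a grantee's public key; the same key is never listed twice.
func (l *ACTList) AddGrantee(name, pubKey string, now time.Time) error {
	a, err := l.find(name)
	if err != nil {
		return err
	}
	for _, g := range a.Grantees {
		if g.PublicKey == pubKey {
			return ErrDuplicateGrantee
		}
	}
	a.Grantees = append(a.Grantees, Grantee{PublicKey: pubKey, GrantedAt: now})
	return nil
}

// RemoveGrantee drops a key from the index; false means it was not listed.
// This only updates the owner's bookkeeping, not the ACT itself.
func (l *ACTList) RemoveGrantee(name, pubKey string) (bool, error) {
	a, err := l.find(name)
	if err != nil {
		return false, err
	}
	for i, g := range a.Grantees {
		if g.PublicKey == pubKey {
			a.Grantees = append(a.Grantees[:i], a.Grantees[i+1:]...)
			return true, nil
		}
	}
	return false, nil
}

// IsGrantee answers whether a key is listed for the named ACT.
func (l *ACTList) IsGrantee(name, pubKey string) bool {
	a, err := l.find(name)
	if err != nil {
		return false
	}
	for _, g := range a.Grantees {
		if g.PublicKey == pubKey {
			return true
		}
	}
	return false
}

// SampleACTList is a constructed blob in the layout of the comment above.
const SampleACTList = `{"acts":[{"name":"SharedDocuments","historyRef":"abc123...",
"createdAt":"2023-10-02T12:34:56Z",
"grantees":[{"publicKey":"def456...","grantedAt":"2023-10-02T12:35:00Z"},
{"publicKey":"ghi789...","grantedAt":"2023-10-02T12:36:00Z"}],
"content":[{"podName":"ProjectFiles","reference":"jkl012...","addedAt":"2023-10-02T12:37:00Z"}]}]}`

func main() {
	l, err := DecodeACTList([]byte(SampleACTList))
	if err != nil {
		panic(err)
	}
	now := time.Date(2023, 10, 2, 12, 40, 0, 0, time.UTC)
	fmt.Println(l.AddGrantee("SharedDocuments", "mno345...", now)) // <nil>
	fmt.Println(l.AddGrantee("SharedDocuments", "def456...", now)) // grantee already present
	out, _ := EncodeACTList(l)
	fmt.Println(string(out))
}
```

The sample keeps the comment's placeholder values; in practice `publicKey` and the references would be the real hex strings, and a decoder this strict makes it obvious when the JSON layout changes during implementation.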