threefoldtecharchive / 0-robot

Distributed live cycle management system
Apache License 2.0
0 stars 0 forks source link

0-robot security schema enhancements #10

Closed rkhamis closed 6 years ago

rkhamis commented 6 years ago

Issue migrated from [https://api.github.com/repos/zero-os/0-robot/issues/253](), opened by @alichaddad

0-robot portal needs access to following api functionalities:

To have access to these functionalities the robot client needs to have the necessary token for each service to be able to see and gain access to their data. This isn't feasible since the portal is used as a visualization of the robot state, hence it won't have have the necessary tokens unless it uses the same client that created these services.

A solution to that is to adapt god mode to allow access to these functionalities without the need of going through the security schema.

rkhamis commented 6 years ago

commented by @alichaddad @zaibon @FastGeert, Is there another approach you would prefer?

rkhamis commented 6 years ago

commented by @zaibon from discussion with @FastGeert what you need for the god mode is actually disabling all the authentication scheme. So no more need for service secret or anything. Robot is just plain open and returns data in the GetService call.

rkhamis commented 6 years ago

*commented by @rkhamis @FastGeert @zaibon How about instead of having god mode bypassing all authentication to all requests on a robot, we have god mode activated through a special token only that's sent in the request which "unlocks" the entire robot.

This token would be generated by the server and activated with the god flag when running the robot

That way the robot is not completely vulnerable to all requests coming in

And in the portal, we'll only have to add a token/robot which isn't too cumbersome instead of for each service*

rkhamis commented 6 years ago

commented by @FastGeert @rkhamis Great thinking. Better way indeed.