Please take this topic as a starting point for the definition of the Data Access Policy that we would like to see in Bamboo.
I think we all agree that the current situation is not sustainable in production:
- Datasets IDs are not available.
- Formhub does give public access to the bamboo dataset ID if linked.
- Bamboo is not available over SSL.
- Bamboo has no restriction on access: Knowing dataset ID and API is sufficient.
- Bamboo has no notion of write permission. Anybody with access can update, delete and add data.
- Bamboo has no public/private distinction.
First, I believe we need to define what we want to be able to do ;
Please note that I am assuming that:
- bamboo is a data store service
- a bamboo “customer” is the owner of one or multiple datasets.
- dataset owner can manage his own dataset's access.
One thing I really like about the current situation is that it's super simple to use, and anonymous.
While we definitely need to offer private and secure dataset, I believe we should keep the unsecure, open and easy way.
Thus I'd like to propose 3 layers of security:
- Anonymous: Doesn't require credentials, tied to a global Anonymous profile (quota, etc)
- Identified: Requires an API Key, ties the requests to it.
- Authenticated: Requires an API Key+Secret (OAuth probably)
Thoughts (not in order):
Switch to SSL only
This is not directly related to authentication but since we want to protect data, first step is probably to disallow clear HTTP.
It is possible to have both together but that's not the point right?
It's just a little setup, a little money ($70/y on godaddy) and some communication to existing users.
User Management
We want to know who owns a dataset.
This will allow us to contact the owner if needed (IO too high, data corrupted, scheduled maintenance, etc) and also allow us to present/group all datasets tied to a particular user.
For this authentication, we will need a classical auth mechanism, like a custom user/pass system or use a third party (google, github, facebook, OpenID). It might be interesting to have formhub here as the identity provider.
I'm in favor of externalizing this.
A User account would provide:
- User-level API Key
- User-level OAuth credentials
- Ability to generate per-dataset Keys and OAuth credentials (for distribution).
- Ability to revoke Keys or OAuth credentials (User-level and Dataset-level)
Identified Users
We want to know who's using a dataset.
This is usually done through simple API Keys. The owner of a DS provides API Keys to self or other clients accessing the data.
Using this would permit: quota, ban, statistics based on data consumers.
It's interesting and easy to implement.
I don't know how we would perform unit tests though if we require one (no anonymous).
Anonymous User
Anonymous (no Key provided) would simply default to a special unique Identified User name Anonymous.
All anonymous requests would share the same profile.
Authenticated Users
Authentication would need to be secure and allow third-parties (FH, jarvis-bi?) to consume the data too.
After some research I believe the best & easiest way to do it is to be an OAuth 1.0a Provider.
On the client side, it means that clients will need to use an OAuth library.
On the server side, using a library such as oauthlib (which seems like the best fit) still requires a good amount of work.
Datasets Permissions
We want dataset owner to set permissions.
Just like we can give per-user permissions to forms on Formhub, dataset owners should be able to give permissions to users.
Main differences:
- Permission is not for a User but for a Consumer (Anonymous, Identified Key or Authenticated Key).
- Permission is not global but per-endpoint
- Permission is not READ or READ-WRITE, it is Rest-oriented:
GET, PUT, POST, DELETE
- Since this would be hell to setup manually, UI/API should provide templates/profile for this.
Implementation Tasks
- Database for storing Users, Keys & Permissions.
- User Login U.I
- User Management UI + API
- Create/Revoke Keys and OAuth credentials
- Implement OAuth Server
- Implement identification/authentication in every controller.
- Implement identification + authentication in pybamboo (requests already supports OAuth)
Please send-in your comments ; am I missing something?
Please take this topic as a starting point for the definition of the Data Access Policy that we would like to see in Bamboo.
I think we all agree that the current situation is not sustainable in production:
First, I believe we need to define what we want to be able to do ;
Please note that I am assuming that:
One thing I really like about the current situation is that it's super simple to use, and anonymous.
While we definitely need to offer private and secure dataset, I believe we should keep the unsecure, open and easy way.
Thus I'd like to propose 3 layers of security:
Thoughts (not in order):
Switch to SSL only
This is not directly related to authentication but since we want to protect data, first step is probably to disallow clear HTTP.
It is possible to have both together but that's not the point right?
It's just a little setup, a little money ($70/y on godaddy) and some communication to existing users.
User Management
We want to know who owns a dataset.
This will allow us to contact the owner if needed (IO too high, data corrupted, scheduled maintenance, etc) and also allow us to present/group all datasets tied to a particular user.
For this authentication, we will need a classical auth mechanism, like a custom user/pass system or use a third party (google, github, facebook, OpenID). It might be interesting to have formhub here as the identity provider.
I'm in favor of externalizing this.
A User account would provide:
Identified Users
We want to know who's using a dataset.
This is usually done through simple API Keys. The owner of a DS provides API Keys to self or other clients accessing the data.
Using this would permit: quota, ban, statistics based on data consumers.
It's interesting and easy to implement.
I don't know how we would perform unit tests though if we require one (no anonymous).
Anonymous User
Anonymous (no Key provided) would simply default to a special unique Identified User name Anonymous.
All anonymous requests would share the same profile.
Authenticated Users
Authentication would need to be secure and allow third-parties (FH, jarvis-bi?) to consume the data too.
After some research I believe the best & easiest way to do it is to be an OAuth 1.0a Provider.
On the client side, it means that clients will need to use an OAuth library.
On the server side, using a library such as
oauthlib(which seems like the best fit) still requires a good amount of work.Datasets Permissions
We want dataset owner to set permissions.
Just like we can give per-user permissions to forms on Formhub, dataset owners should be able to give permissions to users.
Main differences:
GET,PUT,POST,DELETEImplementation Tasks
Please send-in your comments ; am I missing something?