Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Restrict access to shared running workspaces #13188

Closed
jldec opened this issue Sep 21, 2022 · 5 comments
Closed

Restrict access to shared running workspaces #13188

jldec opened this issue Sep 21, 2022 · 5 comments
Labels
meta: stale This issue/PR is stale and will be closed soon team: webapp Issue belongs to the WebApp team team: workspace Issue belongs to the Workspace team

Comments

@jldec
Copy link
Contributor

jldec commented Sep 21, 2022
edited
Loading

This issue specifically covers MVC access restriction on shared running workspaces
Any of the following would be a reasonable first step.

  • A modification of the default behavior to limit access to users who can access the underlying repo (similar to Epic: Restrict access to snapshot URLs #8257)
  • A team-level configuration flag turning the feature on/off for all workspaces associated with a team
  • A team-level configuration flag limiting shared access to members of a team
@jldec jldec added team: webapp Issue belongs to the WebApp team team: workspace Issue belongs to the Workspace team labels Sep 21, 2022
@jldec
Copy link
Contributor Author

jldec commented Sep 21, 2022

Note workspace aspect (from comment)

Running workspace access is mediated by ws-proxy, who has no notion of the authentication on server side. We'd need to introduce guest tokens (which we conceived of when we introduced the owner token, hence the name).

cc: @atduarte , @gtsiolis

@atduarte atduarte mentioned this issue Sep 21, 2022
Closed
@csweichel
Copy link
Contributor

csweichel commented Sep 28, 2022
edited
Loading

A team-level configuration flag limiting shared access to members of a team

(expansion on #13188 (comment))

When we originally built the workspace sharing feature we made provisions for this.

To implement team-level sharing (or any other form of "scoped" runtime sharing), we'd extend the current workspace admission spec with a "team" mode. This would cause ws-manager to produce a guest token (in addition to today's owner token) which is valid until the admission is changed to a different mode. The fetchWorkspaceToken call would then return this guest token to anyone authorised to access the workspace.

@csweichel
Copy link
Contributor

  • A modification of the default behavior to limit access to users who can access the underlying repo (similar to Epic: Restrict access to snapshot URLs #8257)
  • A team-level configuration flag turning the feature on/off for all workspaces associated with a team

Both features, IMHO live well in the scope of a "policy skateboard" we should be thinking about.

@csweichel
Copy link
Contributor

A short term fix would be to introduce a query token that needs to be passed in order to access a shared workspace. I.e. knowing the URL is not enough.

@stale
Copy link

stale bot commented Jan 2, 2023

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

@stale stale bot added the meta: stale This issue/PR is stale and will be closed soon label Jan 2, 2023
@stale stale bot closed this as completed Jun 12, 2023
@github-project-automation github-project-automation bot moved this to Awaiting Deployment in 🌌 Workspace Team Jun 12, 2023
@github-project-automation github-project-automation bot moved this to In Validation in 🍎 WebApp Team Jun 12, 2023
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
meta: stale This issue/PR is stale and will be closed soon team: webapp Issue belongs to the WebApp team team: workspace Issue belongs to the Workspace team
Projects
🍎 WebApp Team
Status: In Validation
🌌 Workspace Team
Status: Awaiting Deployment
Milestone
No milestone
Development

No branches or pull requests
2 participants
@jldec @csweichel