Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Create a migration pathway from direct-auth clients to a different auth type #226

Open
paulhowardarm opened this issue Aug 18, 2020 · 2 comments
Open

Create a migration pathway from direct-auth clients to a different auth type #226

paulhowardarm opened this issue Aug 18, 2020 · 2 comments
Labels
large Effort label multitenancy Getting Parsec to provide isolated key stores for multiple clients based on an identity mechanism

Comments

@paulhowardarm
Copy link
Collaborator

Summary

It should be possible for a Parsec client, which was originally using direct authentication on a service endpoint, to be upgraded to a different authentication mechanism on the same endpoint without losing visibility of the assets that it created beforehand.

Use Case

Consider a single-tenant Parsec system where a single client process is using the service with direct authentication (where the client is self-declaring its own application ID, and the communication with Parsec is secured using domain socket permissions only). The system is then upgraded such that multiple clients are now able to call the service, and they are authenticated and separated using an identity system such as UID. The pre-existing client process will necessarily have to switch from using direct authentication to using UID-based authentication (this change would occur automatically via logic in the client library). However, this would inevitably change the ID of the pre-existing client from whatever hard-coded ID it was using before, into its new UID. From Parsec's perspective, this becomes a new, distinct client with a new partition in the key store. Keys that the client created before the upgrade would no longer be visible. A migration path would solve this problem, and allow the pre-existing client process to seamlessly continue working.

Details

Requires design, but possibly could be based on mappings declared in a config file, assuming some human intelligence about what the previous hard-coded value was. Or it could be something more dynamic like a RenameClient API call.

We need to consider whether we should allow this migration path to work for any new auth type, or would it be reasonable to restrict it to just UID-based systems?
@paulhowardarm paulhowardarm added the multitenancy Getting Parsec to provide isolated key stores for multiple clients based on an identity mechanism label Sep 11, 2020
@ionut-arm ionut-arm added the large Effort label label Feb 3, 2021
@ionut-arm
Copy link
Member

This sounds somewhat fiddly and in need of a solid design. RenameClient might work well with our new admin concept!

@hug-dev
Copy link
Member

hug-dev commented Apr 29, 2021

If with #394 we are going to support having multiple authenticators in parallel, each key from each provider from each app name will be namespaced under its own authenticator.
It could make sense to have a more fine-grained operation to move (or even copy?) one key from one authenticator to another.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
large Effort label multitenancy Getting Parsec to provide isolated key stores for multiple clients based on an identity mechanism
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@hug-dev @paulhowardarm @ionut-arm