swift acls necessary for public execution cname/staticweb #144

Open
larsbutler opened this issue Aug 21, 2014 · 0 comments

We need to add a feature which allows for zapps to be executed publicly and anonymously. An example of such an app would be a package repository to which anonymous users can send GET requests, with search parameters. This means that users of an application do not necessarily need to authenticate to ZeroCloud.

This is an important component in building various kinds of web services.

There are currently several distinct ways to execute code on ZeroCloud:

  1. POST a script to a /version/account URL
  2. POST a ZeroVM image file to a /version/account URL
  3. POST a job description to a /version/account or /version/account/container/object URL.
  4. GET a /open/account/container/object.
  5. GET/HEAD/POST/PUT/DELETE to /open/account/container/zapp_object?query string
  6. GET/HEAD/POST/PUT/DELETE to /api/account/container/any/path/with?querystring

This feature applies to 5 and 6 only.

  • REST endpoint has a zapp registered to it to handle the requests
  • Setuid is allowed
  • The container has X-Container-Meta-Rest-Endpoint set (see Document X-Container-Meta-Rest-Endpoint header #142)
  • All containers in the job description MUST have both Suid and Endpoint set, to allow the flow described below. For example: A publicly/anonymously executable zapp is deployed into container A. The zapp reads from container B. Container A must set X-Container-Meta-Zerovm-Suid: .r:*. Container B must set X-Container-Meta-Zerovm-Suid: .r:* and X-Container-Read: .r:*. Both containers must set X-Container-Meta-Rest-Endpoint: [the swift:// URL of the zapp in container A].
  • TODO: What about chained jobs?

Here's the logic for permissions and billing:

# This is not yet implemented
if anonymous user:
    if X-Container-Meta-Zerovm-Suid == *:
        allow execution
        bill the owner of endpoint
        ignore read/write permissions
    else:
        do not allow execution
elif owner (of the zapp):
    allow execution
    bill the owner
elif other authenticated user:
    if X-Container-Meta-Zerovm-Suid == *:
        allow execution
        bill the owner (not the user)
        ignore read/write permissions
    else:
        do not allow execution
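
Added example, not part of the original issue and not ZeroCloud code: a runnable Python sketch of the permission and billing logic above, which goes one step further by also enforcing the requirement that every container in the job sets both Suid and the endpoint. The function names, the `Decision` type, the account names and the `swift://` URL are hypothetical; the `.r:*` value is taken from the container A/B example, whereas the pseudocode writes it as `*`.

```python
from dataclasses import dataclass
from typing import Dict, Optional

SUID = "X-Container-Meta-Zerovm-Suid"
ENDPOINT = "X-Container-Meta-Rest-Endpoint"
PUBLIC = ".r:*"  # assumption: value from the container A/B example

@dataclass(frozen=True)
class Decision:
    allow: bool
    bill: Optional[str]   # account charged for the run, None when denied
    enforce_acls: bool    # False: container read/write ACLs are ignored
    reason: str

def job_is_public(containers: Dict[str, Dict[str, str]], zapp_url: str) -> bool:
    """True only if EVERY container in the job sets Suid and the zapp's endpoint."""
    return bool(containers) and all(
        meta.get(SUID) == PUBLIC and meta.get(ENDPOINT) == zapp_url
        for meta in containers.values())

def authorize(user: Optional[str], owner: str,
              containers: Dict[str, Dict[str, str]], zapp_url: str) -> Decision:
    """Decide execution and billing; user is None for an anonymous request."""
    if user is not None and user == owner:
        # Assumption: the owner's own ACLs still apply to the owner.
        return Decision(True, owner, True, "owner")
    if job_is_public(containers, zapp_url):
        # Anonymous and other authenticated users share this branch:
        # the endpoint owner is billed, never the caller.
        return Decision(True, owner, False, "suid")
    # Fail closed: one unmarked container blocks the whole job.
    return Decision(False, None, True, "suid or endpoint missing")

# Constructed sample data (hypothetical account and object names).
OWNER = "AUTH_owner"
ZAPP = "swift://AUTH_owner/A/repo.zapp"
JOB_OK = {
    "A": {SUID: PUBLIC, ENDPOINT: ZAPP},
    "B": {SUID: PUBLIC, ENDPOINT: ZAPP, "X-Container-Read": PUBLIC},
}
# Container B is world-readable but was never marked for Suid execution.
JOB_B_UNMARKED = {"A": JOB_OK["A"], "B": {"X-Container-Read": PUBLIC}}

if __name__ == "__main__":
    for label, user, job in [("anonymous, both marked", None, JOB_OK),
                             ("anonymous, B unmarked", None, JOB_B_UNMARKED),
                             ("other user, both marked", "AUTH_other", JOB_OK),
                             ("owner, B unmarked", OWNER, JOB_B_UNMARKED)]:
        print(label, "->", authorize(user, OWNER, job, ZAPP))
```

The second sample case is the one to check when reviewing an implementation: a container that is publicly readable but lacks the Suid and endpoint headers must not become reachable through an anonymously executed zapp.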