session: add a new session token v2 #350
base: master
e65a42a to 11f58a6
session/types.proto (outdated):

    // Not valid before epoch, the first epoch when token is valid.
    uint64 nbf = 2 [json_name = "nbf"];

    // Issued at Epoch
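Review bot: the comment on `uint64 nbf = 2` fixes the lower bound of validity, but this region does not say how `nbf`, the issued-at epoch that follows and the token expiry are expected to relate, or what a verifier does with a token whose `nbf` lies beyond its expiry. Document the intended ordering next to these fields so that implementations reject malformed lifetimes consistently rather than each choosing its own behaviour.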
Suggested change: `// Issued at Epoch` -> `// Issued at epoch.`
Oh, it was just copied, ok. But still, a dot at the end would look better, consistent with the other fields.
session/types.proto (outdated):

    // Account represents an identity in NeoFS.
    // It can be either direct (OwnerID) or indirect (NNS domain).
    message Account {
      // Account identifier
Most of the time, we add dots at the end of comments in this repo.
session/types.proto (outdated):

    // Account represents an identity in NeoFS.
    // It can be either direct (OwnerID) or indirect (NNS domain).
    message Account {
Are we sure such a general entity should be described in the session package?
It would look better there for me, yes.
11f58a6 to 694d30d
b967342 to 7a51333
refs/types.proto (outdated):

    message Account {
      // Account identifier.
      oneof identifier {
        // Direct account reference via OwnerID (hash of public key).
Hash of verification script to be more correct.
refs/types.proto (outdated):

    // Direct account reference via OwnerID (hash of public key).
    OwnerID owner_id = 1 [json_name = "ownerID"];

    // Indirect account reference via NeoFS Name Service.
What's the expected NNS contents? This should be described as well.
refs/types.proto (outdated):

    // Account represents an identity in NeoFS.
    // It can be either direct (OwnerID) or indirect (NNS domain).
    message Account {
Account is OwnerID, we need some other term for this entity.
Maybe Identity?
session.Target is an option, we don't have any other users for it now.
session/service.proto (outdated):

    // CreateV2Request is information necessary for creating a session token v2.
    message CreateV2Request {
      // Session creation request v2 body.
This is most likely to be used as the last token in a chain, so we need some way to pass this chain for auth.
session/types.proto (outdated):

    // Extended version supporting multiple verbs and targets.
    message ObjectSessionContextV2 {
      // Object request verbs.
      enum Verb {
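Review bot: `enum Verb {` should declare an explicit zero value (for example `VERB_UNSPECIFIED = 0`) and the comment above it should say how a verifier treats that value. A proto3 enum field that is unset or carries an unknown value decodes as 0, and the zero value must never be read as permission for any object operation.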
Don't we already have some set of verbs?
session/types.proto (outdated):

    // Target resource specification.
    message Target {
      // Container where operation is allowed.
Optional.
session/types.proto (outdated):

    repeated Verb verbs = 1 [json_name = "verbs"];

    // If true, applies to all containers owned by the subject.
    bool wildcard = 2 [json_name = "wildcard"];
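Review bot: `bool wildcard = 2` overlaps with the "Container where operation is allowed" field of `Target`, and nothing here says what happens when both are set. Either make the two mutually exclusive or document that an explicit container reference takes precedence over `wildcard`, so a verifier never widens a container-scoped token to every container owned by the subject.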
Doesn't make much sense to me as a separate field, missing container_id is exactly that.
session/types.proto (outdated):

    TokenLifetime lifetime = 5 [json_name = "lifetime"];

    // Authorization context - what operations are allowed.
    oneof context {
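Review bot: `oneof context {` leaves the case where no member is set unspecified. State in the comment that a token with no authorization context grants nothing and must be rejected by verifiers; otherwise an absent oneof could be interpreted as an unrestricted token.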
Why not both?
session/types.proto (outdated):

    ObjectSessionContextV2 object = 6 [json_name = "object"];

    // ContainerService authorization context.
    ContainerSessionContextV2 container = 7 [json_name = "container"];
Maybe we can have a single set of object/container operations? I'm not sure what this separation buys us.
7a51333 to 45af0fd
d863037 to f7f489d
f7f489d to a4dfb59
Session Token v2 solves the delegation, power of attorney, and chain-of-trust problems. It enables:
- Account-based authority (direct or NNS-based indirect)
- Multi-account subjects (multiple entities can use same token)
- Multi-verb operations (GET, PUT, DELETE in single token)
- Delegation chains (verifiable like X.509 certificates)
- Indirect accounts (NeoFS Name Service resolution)

Refs #241.

Signed-off-by: Andrey Butusov <[email protected]>