Comments (1)
EdSchouten
commented on June 5, 2024
If you only do remote caching (no remote execution), then you can make both your CAS and AC read-only for traffic coming from individual dev VMs. If you use remote execution, you must always permit writes to the CAS, as clients will upload input files into it. If you want to limit write access, you can always follow a recipe like this:
Set up a proper authorization policy
The default we provide in the README is:
putAuthorizer: { allow: {} },
You can change that to something like this:
putAuthorizer: { jmespathExpression: 'authenticationMetadata.private.mayWriteAC' },
This says: Only allow clients to put/write objects into the data store if the private part of their authentication metadata has a boolean field named mayWriteAC with value true.
Setting up an authentication policy
Now that we've added authorization logic for conditionally permitting write access to the AC, we must also set up our authentication facilities accordingly, so that we can distinguish both sources of traffic. Notice how the README simply says this:
authenticationPolicy: { allow: {} },
This says: simply allow all traffic, and give it an empty instance of the authentication metadata. If we wanted to give all incoming traffic write access to the AC with the authorization policy above, you can write:
authenticationPolicy: { allow: { private: { mayWriteAC: true } } },
But this is of course undesirable. We only want to grant some users write access. So let's use this instead:
authenticationPolicy: { any: { policies: [
{ jwt: {
publicKey: ...,
maximumCacheSize: 10000,
cacheReplacementPolicy: 'LEAST_RECENTLY_USED',
claimsValidationJmespathExpression: '`true`',
metadataExtractionJmespathExpression: '{ "private": { "mayWriteAC": `true` } }',
} },
{ jwt: {
publicKey: ...,
maximumCacheSize: 10000,
cacheReplacementPolicy: 'LEAST_RECENTLY_USED',
claimsValidationJmespathExpression: '`true`',
metadataExtractionJmespathExpression: '`{}`',
} },
] } },
And there you have it: traffic using JWTs signed using one key will be able to write into the AC, while the other ones will not. The reason being that the second entry yields empty authentication metadata, which does not satisfy the expression used in the authorization policy.
Hope that helps!
from bb-storage.
Related Issues (20)
- install bazel with bazelisk? HOT 2
- Bring back S3 support HOT 14
- Feature request: introduce time to first byte metrics
- GetCapabilities() behavior with mixed action cache permissions doesn't behave as desired
- Missing `storage_type` label on some local blobstore metrics
- Support highly available deployments HOT 11
- Revisit deprecation of GCS storage backend HOT 12
- Missing shell in bb-storage docker image HOT 1
- Support for compression from buildbarn HOT 5
- Panic in local blockstore write HOT 3
- Doc Update: ISCC / AC storages are only compatible with local replicator HOT 1
- gRPC Client Certificate Refresh Interval is not respected
- Filesystem errors in bb-storage are recorded as "Unknown" in prometheus
- Feature request: Support RSA signed JWTs
- Feature request: Support JWKS for specifying JWT public keys HOT 4
- Failed to fetch file errors in "builds without the bytes" builds in a sharded setup HOT 7
- Failed to create authorization header parser for JWT authentication policy: Unsupported public key type HOT 3
- Cannot open raw block device provisioned by kubernetes when running as non root user HOT 3
- Support connection draining in kubernetes environments HOT 2
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from bb-storage.