Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Enable key chaining to protect super/sub namespaces #460

Merged
merged 4 commits into from
Dec 6, 2023
Merged

Enable key chaining to protect super/sub namespaces #460

merged 4 commits into from
Dec 6, 2023

Conversation

jhiemstrawisc
Copy link
Member

Another tool for admins, this PR allows a registry to be run such that it requires key chaining to register a sub/super namespace of an already-registered namespace. For example, if /foo/bar is registered, when key chaining is enabled, neither /foo nor /foo/bar/baz can be registered unless by a key paired with /foo/bar. Another example -- if /foo and /foo/bar are both registered, then we cannot register /foo/bar/baz unless the key is also registered to one of the superspace set (/foo and /foo/bar.

I think eventually we should enable these types of registrations via tokens as well -- if I own /foo and I want to enable Emma to register /foo/bar, I should be able to generate a token with the key registered to /foo to enable any public key Emma wants to use. Based on feedback to this PR, I'll open that as an issue for future development.

@jhiemstrawisc
Copy link
Member Author

Closes issue #333

@jhiemstrawisc jhiemstrawisc mentioned this pull request Dec 6, 2023
Closed
@jhiemstrawisc
Copy link
Member Author

Notes on testing:

  1. Build and fire up a registry. Then launch an origin with a namespace like /foo/bar ensuring that the origin is pointed at your local registry. Double check that the namespace is saved in the sqlite database. Once confirmed, terminate the origin.
  2. If running as root, delete /etc/pelican/certificates/* and /etc/pelican/issuer.jwk. Adjust accordingly for non-rootly execution.
  3. Run a new origin, this time with a namespace that either prefixes or suffixes /foo/bar. For example, you could do /foo or /foo/bar/baz. Because you deleted the origin's registration key in the previous step, the origin will generate a new key and attempt to register it. Registration should fail at the origin with a periodic ERROR message that explains why registration fails. The registry should report a WARNING with similar information.
  4. Now re-do this whole shebang, but add Registry.RequireKeyChaining: false to your pelican config. This should turn the feature off and allow registration under different keys.

@haoming29 haoming29 linked an issue Dec 6, 2023 that may be closed by this pull request
Only register top-level namespaces while we bootstrap authorization for sub-spacing #333
Closed
@jhiemstrawisc
Enable key chaining in the registry
e410814 
Let's say that `/foo/bar` is already registered with some set of associated public keys. It
makes sense that we wouldn't want someone else to register `/foo` or `/foo/bar/baz` unless
they had the permission of the owner of `/foo/bar`, because we treat namespaces hierarchically.
This token chaining feature allows a registry to be run such that it will deny requests to
register `/foo` or `/foo/bar/baz` unless the registration token passed during registration is
signed by a key that's already associated with `/foo/bar`.
@jhiemstrawisc
Add test for registry key chaining
f069540
@jhiemstrawisc
Add more tests
2c319fa
@jhiemstrawisc
Fix test
1bea9cb
turetske
turetske approved these changes Dec 6, 2023
View reviewed changes
Copy link
Collaborator

@turetske turetske left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM!

@turetske turetske merged commit e8d3c16 into PelicanPlatform:main Dec 6, 2023
6 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@turetske turetske turetske approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

Only register top-level namespaces while we bootstrap authorization for sub-spacing
2 participants
@jhiemstrawisc @turetske