Introducing Access Control for Computing Unit Connections
Date: August 4, 2025
Assignee: Ali Risheh
Reviewer: Chen Li
This document outlines the implementation of a new Access Control Service, which introduces a mandatory authorization layer for all user connections to Computing Units (CUs).
1. The Issue
Previously, the system's architecture allowed users to establish a direct WebSocket connection to a Computing Unit via the /wsapi endpoint. A user-token was passed as a URL parameter, but it was only used to identify the user; there was no access control check verifying that the user was authorized to connect to the requested Computing Unit. Authentication without authorization created a security vulnerability: any authenticated user could connect to any CU simply by supplying its identifier.
2. Why the Issue Is Happening
The core problem was the lack of an intermediate authorization step. The system's design allowed for direct connections, bypassing any granular permission checks. The user-token was present but was not actively used to enforce access rules for individual Computing Units.
3. The Solution
The solution is the introduction of a new Access Control Service. This service acts as a mandatory authorization gateway, managed by Envoy, for all connection requests to a Computing Unit: every request is checked against the user's permissions for the specific CU before it is forwarded, so no user can connect to a CU without proper permission.
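The following is an added illustration, not the project's code, of the difference between the old behaviour and the gateway check described above. It assumes a demo token format (an HMAC-signed `user.signature` string), a constructed per-CU permission table, and a hypothetical `cuId` query parameter that names the target Computing Unit; the status codes follow the convention an HTTP authorization service returns to a proxy such as Envoy (200 lets the request through, anything else denies it).

```python
"""Added example: an authorization check run before a /wsapi WebSocket
upgrade is forwarded to a Computing Unit (CU).

Assumptions (not the project's own code): the token format, the ACL table
and the 'cuId' query parameter are all constructed for this demo.
"""
import base64
import hashlib
import hmac
from urllib.parse import parse_qs, urlparse

# Constructed signing secret for the demo token format.
SECRET = b"demo-signing-secret"

# Constructed permission table: which users may connect to which CU.
CU_ACL = {
    "cu-alpha": {"alice"},
    "cu-beta": {"alice", "bob"},
}


def mint_token(user: str) -> str:
    """Return a demo user-token of the form 'user.sig' (HMAC-SHA256, base64url)."""
    sig = hmac.new(SECRET, user.encode(), hashlib.sha256).digest()
    return f"{user}.{base64.urlsafe_b64encode(sig).decode().rstrip('=')}"


def authenticate(token):
    """Return the user named by a validly signed token, or None."""
    if not token or "." not in token:
        return None
    user, _, _ = token.partition(".")
    # Recompute the expected token and compare in constant time.
    if not hmac.compare_digest(mint_token(user), token):
        return None
    return user


def parse_wsapi_request(path: str):
    """Extract the route, user-token and cuId from a /wsapi request URL."""
    parsed = urlparse(path)
    query = parse_qs(parsed.query)
    token = query.get("user-token", [None])[0]
    cu_id = query.get("cuId", [None])[0]
    return parsed.path, token, cu_id


def check_before_fix(path: str):
    """Original behaviour: a valid token is enough to reach any CU."""
    route, token, cu_id = parse_wsapi_request(path)
    if route != "/wsapi":
        return 404, "unknown route"
    if authenticate(token) is None:
        return 401, "invalid or missing user-token"
    # No check that this user is allowed to use cu_id: the vulnerability.
    return 200, f"forward to {cu_id}"


def check_with_access_control(path: str):
    """Gateway decision: deny unless the user is on the CU's access list."""
    route, token, cu_id = parse_wsapi_request(path)
    if route != "/wsapi":
        return 404, "unknown route"
    user = authenticate(token)
    if user is None:
        return 401, "invalid or missing user-token"
    # Deny by default: an unknown CU id or a user without a grant both fail.
    if cu_id is None or user not in CU_ACL.get(cu_id, set()):
        return 403, f"{user} is not permitted to connect to {cu_id}"
    return 200, f"forward to {cu_id} as {user}"


if __name__ == "__main__":
    bob = mint_token("bob")
    print(check_before_fix(f"/wsapi?user-token={bob}&cuId=cu-alpha"))
    print(check_with_access_control(f"/wsapi?user-token={bob}&cuId=cu-alpha"))
```

Run as a script, the first line shows the pre-fix gateway forwarding bob to cu-alpha although he has no grant for it; the second shows the access-controlled gateway returning 403 for the same request. The check is deliberately deny-by-default, so a CU id that is absent from the table is refused rather than treated as unrestricted.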
