Security
Heyang Zhou edited this page Aug 23, 2022 · 4 revisions
`mvstore` exposes two API servers on different ports:
- Data plane. There is no authentication by default, and anyone who knows the namespace key can access the database. Users can opt in to the hashproof security mechanism described in the next section.
- Admin API. This does not have any built-in security, and all clients are assumed to be trusted. Please ensure you have a secure API gateway in front of the Admin API.
Namespace keys in the form of `some-name:some-hash` are protected by the hashproof mechanism. The hash part must be the hex-encoded 32-byte BLAKE3 hash of a secret hex string (the secret is never stored in FDB).
When opened from SQLite, the database name `some-name:some-hash.preimage-of-the-hash` should be used.
For example, the namespace:
mydb:53147f3ce49ed4f60dfa5b9654c36ba6103c11f5737df3dabd4cbd296c4161bd
should be connected using the database name:
mydb:53147f3ce49ed4f60dfa5b9654c36ba6103c11f5737df3dabd4cbd296c4161bd.deadbeef
Because the hex string `deadbeef` hashes to `53147f3ce49ed4f60dfa5b9654c36ba6103c11f5737df3dabd4cbd296c4161bd`.
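The sketch below models the hashproof check on a `some-name:some-hash.preimage-of-the-hash` database name. It is an added example, not mvstore's own code. Assumptions: BLAKE2s stands in for BLAKE3 (which the Python standard library lacks, so the digests differ from real mvstore keys), the hex-decoded bytes of the secret are what gets hashed, and the function names are hypothetical.

```python
import hashlib
import re

HEX_DIGEST = re.compile(r"[0-9a-f]{64}")      # hex-encoded 32-byte hash
HEX_SECRET = re.compile(r"(?:[0-9a-f]{2})+")  # the secret is a hex string


def standin_hash(data: bytes) -> bytes:
    # ASSUMPTION: BLAKE2s stands in for BLAKE3, which the standard library
    # lacks. Both give 32-byte digests, but the values are different.
    return hashlib.blake2s(data).digest()


def make_namespace_key(name: str, secret_hex: str, hash_fn=standin_hash) -> str:
    """Build 'some-name:some-hash'; only the hash of the secret is kept."""
    if not HEX_SECRET.fullmatch(secret_hex):
        raise ValueError("secret must be a non-empty hex string")
    # ASSUMPTION: the hex-decoded bytes are hashed, not the ASCII text.
    return f"{name}:{hash_fn(bytes.fromhex(secret_hex)).hex()}"


def check_database_name(db_name: str, hash_fn=standin_hash) -> str:
    """Return the namespace key that db_name may open, or raise."""
    name, colon, rest = db_name.rpartition(":")
    if not colon:
        # No hash part: the namespace is not hashproof-protected, so
        # knowing the key is all that is needed (the data plane default).
        return db_name
    digest_hex, _, secret_hex = rest.partition(".")
    if not HEX_DIGEST.fullmatch(digest_hex):
        raise ValueError("hash part must be 64 lowercase hex digits")
    if not HEX_SECRET.fullmatch(secret_hex):
        raise PermissionError("missing or non-hex preimage")
    # The namespace key is not the secret here; the preimage is.
    if hash_fn(bytes.fromhex(secret_hex)) != bytes.fromhex(digest_hex):
        raise PermissionError("preimage does not hash to the namespace hash")
    return f"{name}:{digest_hex}"


if __name__ == "__main__":
    key = make_namespace_key("mydb", "deadbeef")    # constructed sample
    print(check_database_name(key + ".deadbeef"))   # accepted
```

Under this scheme a leaked namespace key alone no longer grants access, so the preimage is the value to keep out of logs and shared configuration.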