Nice spec! 💪
This should be read by the whole integration team since there is a crucial implementation on their side regarding the user experience 👍
Thanks @curquiza! Ping @meilisearch/integration-team ⚡️
Can a user be restricted to access a field?
Apart from the naming part that we already discussed :') the rest is very good to me 🔥
The specification has been updated to use the term
Light reorganization of the specification and fix of some typos. I removed the pseudo-JS code because it doesn't bring much to the specification. SDKs and documentation are much better for this since they are presenting working code and I want to avoid managing 2 code bases. I need 2 approval reviews to merge this specification. If one person from the @meilisearch/integration-team and one person from the @meilisearch/docs-team can take a look at it, it will be really appreciated 🙏 Thanks to everyone for your work and feedback on this iteration. ❤️
Good job @gmourier and team! 🎉 🌮
297: Adding generateTenantToken method to the client r=alallema a=alallema

## Tenant tokens

Introduction of the new method `generateTenantToken` in order to facilitate the generation of the tenant token.

Related to:
- this issue: meilisearch/meilisearch#1991
- this spec: meilisearch/specifications#89

Co-authored-by: alallema <amelie@meilisearch.com>
Co-authored-by: Amélie <alallema@users.noreply.github.com>
💪
* init specification
* update filename
* update typo
* rephrase motivation
* rename master occurences by main
* replace mention of main by master
* Update text/0089-scoped-api-keys.md Co-authored-by: cvermand <33010418+bidoubiwa@users.noreply.github.com>
* replace client code by frontend or backend
* Update text/0089-scoped-api-keys.md Co-authored-by: cvermand <33010418+bidoubiwa@users.noreply.github.com>
* Update text/0089-scoped-api-keys.md Co-authored-by: cvermand <33010418+bidoubiwa@users.noreply.github.com>
* Update text/0089-scoped-api-keys.md Co-authored-by: cvermand <33010418+bidoubiwa@users.noreply.github.com>
* update javascript code sample for generateScopedApiKey method
* Rename Scoped API Key to Tenant Token
* Apply suggestions from code review Co-authored-by: cvermand <33010418+bidoubiwa@users.noreply.github.com>
* precise message from reviews
* Add JWT part
* Rename specification file
* Update specification texts
* Add examples for indexesPolicy
* Update indexesPolicy examples texts
* Update indexesPolicy examples texts
* Update indexesPolicy examples texts
* Add a multi-tenant definition and tenant examples for MeiliSearch
* Update text/0089-tenant-tokens.md Co-authored-by: Tommy <68053732+dichotommy@users.noreply.github.com>
* Update text/0089-tenant-tokens.md Co-authored-by: Tommy <68053732+dichotommy@users.noreply.github.com>
* Add array format for indexesPolicy and rename iss to apiKeyPrefix
* update indexesPolicy formats example
* rename indexesPolicy to searchRules and add supported JWT signatures
* Rephrase searchRules explanations
* Update text/0089-tenant-tokens.md Co-authored-by: cvermand <33010418+bidoubiwa@users.noreply.github.com>
* Update text/0089-tenant-tokens.md Co-authored-by: cvermand <33010418+bidoubiwa@users.noreply.github.com>
* Update text/0089-tenant-tokens.md Co-authored-by: cvermand <33010418+bidoubiwa@users.noreply.github.com>
* Rephrase explanations from suggestions
* Update scheme
* Update text/0089-tenant-tokens.md Co-authored-by: Many <legendre.maxime.isn@gmail.com>
* Mention tenant token revoking
* Add precision on SDKs and Meilisearch role for Tenant Token
* Apply suggestions from code review Co-authored-by: Bruno Casali <brunoocasali@gmail.com> Co-authored-by: cvermand <33010418+bidoubiwa@users.noreply.github.com>
* Add Future Possibilities on tenant token formatting error
* Replace MeiliSearch by Meilisearch, fix typos, rephrase sentences and reorganize sections

Co-authored-by: cvermand <33010418+bidoubiwa@users.noreply.github.com>
Co-authored-by: Tommy <68053732+dichotommy@users.noreply.github.com>
Co-authored-by: Many <legendre.maxime.isn@gmail.com>
Co-authored-by: Bruno Casali <brunoocasali@gmail.com>
* Search API (#118)
* Add specification the search API endpoints
* Add errors
* Add a future possibility about error code
* Replace spec id
* Fix typo
* Harmonize sentences
* Apply suggestions from code review Co-authored-by: Clémentine Urquizar - curqui <clementine@meilisearch.com>
* Fix type definition by http verb for filter parameter
* fix typos Co-authored-by: Clémentine Urquizar - curqui <clementine@meilisearch.com>
* Handle empty cell as `null` value for CSV format (#110)
* Add null value part and example
* Update text/0028-indexing-csv.md Co-authored-by: Clément Renault <clement@meilisearch.com>
* Replace MeiliSearch by Meilisearch Co-authored-by: Clément Renault <clement@meilisearch.com>
* Dumps (#105)
* Init dumps specification
* Apply suggestions from code review Co-authored-by: Tamo <tamo@meilisearch.com>
* Describe CLI flags and error messages
* Apply suggestions from code review Co-authored-by: Clémentine Urquizar - curqui <clementine@meilisearch.com>
* remove wrong statement
* Add dump creation as a task into future possibilities section
* Rename spec file and mentions technical aspects Co-authored-by: Tamo <tamo@meilisearch.com> Co-authored-by: Clémentine Urquizar - curqui <clementine@meilisearch.com>
* Remove the error on put/post documents when sending paylaod with 0 document object (#98)
* Add CLI flag/option to telemetry specification (#107)
* Add CLI analytics
* Add log_level
* use snake case
* Add backticks on examples
* Apply suggestions from code review Co-authored-by: Tommy <68053732+dichotommy@users.noreply.github.com>
* Fix debounce-duration-sec parameter name Co-authored-by: Tommy <68053732+dichotommy@users.noreply.github.com>
* Keys API - Update the error message for `expiresAt` (#114)
* update the wrong date message
* Change ISO-8601 by RFC 3339
* Update errors: backticks, example error message and placeholder var Co-authored-by: Guillaume Mourier <guillaume@meilisearch.com>
* Dump support (#122)
* Add dump version support
* Fix titles numerotation, clear API endpoints definition, apply curquiza suggestion to gain one title level
* Update text/0105-dumps-api.md Co-authored-by: Guillaume Mourier <guillaume@meilisearch.com> Co-authored-by: Guillaume Mourier <guillaume@meilisearch.com>
* Tenant Token (#89)
* init specification
* update filename
* update typo
* rephrase motivation
* rename master occurences by main
* replace mention of main by master
* Update text/0089-scoped-api-keys.md Co-authored-by: cvermand <33010418+bidoubiwa@users.noreply.github.com>
* replace client code by frontend or backend
* Update text/0089-scoped-api-keys.md Co-authored-by: cvermand <33010418+bidoubiwa@users.noreply.github.com>
* Update text/0089-scoped-api-keys.md Co-authored-by: cvermand <33010418+bidoubiwa@users.noreply.github.com>
* Update text/0089-scoped-api-keys.md Co-authored-by: cvermand <33010418+bidoubiwa@users.noreply.github.com>
* update javascript code sample for generateScopedApiKey method
* Rename Scoped API Key to Tenant Token
* Apply suggestions from code review Co-authored-by: cvermand <33010418+bidoubiwa@users.noreply.github.com>
* precise message from reviews
* Add JWT part
* Rename specification file
* Update specification texts
* Add examples for indexesPolicy
* Update indexesPolicy examples texts
* Update indexesPolicy examples texts
* Update indexesPolicy examples texts
* Add a multi-tenant definition and tenant examples for MeiliSearch
* Update text/0089-tenant-tokens.md Co-authored-by: Tommy <68053732+dichotommy@users.noreply.github.com>
* Update text/0089-tenant-tokens.md Co-authored-by: Tommy <68053732+dichotommy@users.noreply.github.com>
* Add array format for indexesPolicy and rename iss to apiKeyPrefix
* update indexesPolicy formats example
* rename indexesPolicy to searchRules and add supported JWT signatures
* Rephrase searchRules explanations
* Update text/0089-tenant-tokens.md Co-authored-by: cvermand <33010418+bidoubiwa@users.noreply.github.com>
* Update text/0089-tenant-tokens.md Co-authored-by: cvermand <33010418+bidoubiwa@users.noreply.github.com>
* Update text/0089-tenant-tokens.md Co-authored-by: cvermand <33010418+bidoubiwa@users.noreply.github.com>
* Rephrase explanations from suggestions
* Update scheme
* Update text/0089-tenant-tokens.md Co-authored-by: Many <legendre.maxime.isn@gmail.com>
* Mention tenant token revoking
* Add precision on SDKs and Meilisearch role for Tenant Token
* Apply suggestions from code review Co-authored-by: Bruno Casali <brunoocasali@gmail.com> Co-authored-by: cvermand <33010418+bidoubiwa@users.noreply.github.com>
* Add Future Possibilities on tenant token formatting error
* Replace MeiliSearch by Meilisearch, fix typos, rephrase sentences and reorganize sections Co-authored-by: cvermand <33010418+bidoubiwa@users.noreply.github.com> Co-authored-by: Tommy <68053732+dichotommy@users.noreply.github.com> Co-authored-by: Many <legendre.maxime.isn@gmail.com> Co-authored-by: Bruno Casali <brunoocasali@gmail.com>
* Auto-Batching (#96)
* init auto-batching specification
* replace file name
* Add content and explanations
* fix typo
* change wording
* Update auto-batching
* Mention batchUid identifier
* Update spec titles numerotation
* Separate consecutive tasks type
* Add a simple schema to represent the batchUid and tasks picking
* Apply suggestions from code review Co-authored-by: Clémentine Urquizar - curqui <clementine@meilisearch.com>
* Update auto-batching spec with CLI flags explanations
* Modify Task API resource to display the batchUid
* Add the batchUid field to the Task API object description
* Fix parameter name
* Replaces MeiliSearch by Meilisearch, fix typos, rephrase sentences and reorganize section
* Rename --enable-autbatching to --enable-auto-batching
* Update text/0096-auto-batching.md Co-authored-by: Clémentine Urquizar - curqui <clementine@meilisearch.com>
* Update text/0096-auto-batching.md Co-authored-by: ad hoc <postma.marin@protonmail.com>
* Add precisions
* Rephrase debounce-duration-sec option
* Apply suggestions from code review Co-authored-by: ad hoc <postma.marin@protonmail.com>
* Apply suggestions from code review Co-authored-by: Tamo <irevoire@protonmail.ch> Co-authored-by: Clémentine Urquizar - curqui <clementine@meilisearch.com> Co-authored-by: ad hoc <postma.marin@protonmail.com> Co-authored-by: Tamo <irevoire@protonmail.ch>
* Bump OAS to v0.26.0

Co-authored-by: Clémentine Urquizar - curqui <clementine@meilisearch.com>
Co-authored-by: Clément Renault <clement@meilisearch.com>
Co-authored-by: Tamo <tamo@meilisearch.com>
Co-authored-by: Tommy <68053732+dichotommy@users.noreply.github.com>
Co-authored-by: cvermand <33010418+bidoubiwa@users.noreply.github.com>
Co-authored-by: Many <legendre.maxime.isn@gmail.com>
Co-authored-by: Bruno Casali <brunoocasali@gmail.com>
Co-authored-by: ad hoc <postma.marin@protonmail.com>
Co-authored-by: Tamo <irevoire@protonmail.ch>
273: Feature/Tenant Token: Add a module which can generate tenant tokens r=bidoubiwa a=brunoocasali

Create the `generateTenantToken` following the specification meilisearch/specifications#89

Co-authored-by: Bruno Casali <brunoocasali@gmail.com>
Summary

A `Tenant token` is generated by the user code to be used by an end-user when making search queries. It allows users to have multi-tenant indexes and thus restricts access to documents depending on the end-user making the search request.

A Tenant Token is a JWT containing the information necessary for Meilisearch to verify it and extract permission/rules to apply it to the end user's search.

Key Points

- `Tenant tokens` are JWTs generated on the user side by using Meilisearch SDKs or their custom code.
- `Tenant tokens` are not stored nor retrievable on the Meilisearch side.
- `Tenant tokens` contain rules that ensure that a `Tenant token` holder (e.g. an end-user) only has access to documents matching rules chosen at the `tenant token` creation.
- `Tenant tokens` are signed from a Meilisearch `API key` resource on the user's code.
- `Tenant tokens` must not be signed by the master key.
- `Tenant tokens` cannot be more permissive than the signing `API key`.
- `Tenant tokens` must be signed by an `API Key` having the `search` action defined.
- `Tenant tokens` can have different rules for each index accessible by the signing API key. These rules are described in the `searchRules` JSON object.
- The only rule supported in the `searchRules` object is the search parameter `filter`.
- `Tenant tokens` are sent to Meilisearch via the `Authorization` header like any `API Keys` or the master key.
- When Meilisearch receives a `Tenant token`, the `tenant token` is decoded, then the `searchRules` are applied for the search request before the search parameters.

Motivation

`Tenant tokens` are introduced to solve the multi-tenant indexes use case. Users today need to set up workarounds to have multi-tenant indexes: they have to use server code to implement the access restriction logic before requesting Meilisearch. This is not easy to maintain or to implement, and the performance is not optimal because the frontend code does not communicate directly with Meilisearch.