RFC: 004 Security enhancement thoughts

[twilson63]

In the TSC meeting yesterday Casey @cawilson1 brought up security, I think I thought of a way to add some sound defaults in core.

core should include a user object, which contains a ‘sub’ property and we can include a’scope’ property, the scope property per action should contain one of the following, for example on the data create doc endpoint

• HYPER63 - all access
• DATA:*
• DATA:WRITE

if the scope contains one of the values then the op is allowed otherwise it is rejected

—-

If this works I think it opens the door to creating a token endpoint that can be used to generate tokens for hyper63

this way we can safely leverage the hcma secret pattern, I will post more thoughts about this on another thread.

—-

Basically in core we can implement checks for these basic scopes, then the implementation team can manage token generation around these scopes

as far as tenants that is an upstream details

[cawilson1]

I like the idea of hyper63 having some security configs and frameworks that can at least be opted in for. While it is true that often bigger orgs might have strict security guidelines and opinions that might make them unlikely to use hyper63's security services, I think for small and medium orgs, a more likely problem may be that people just don't know security best practices. On top of that, understanding these best practices may take significant domain-specific knowledge that is not of interest/use to a developer interested in getting something out and keeping it running.

I think adding some optional security management features could add a lot of value to hyper63. Keeping up with security best practice is as exhausting, and probably less fun/interesting for most devs than new tools/frameworks. !!!Good!!! out-of-the-box security solutions are both more secure and less time-consuming than custom implementations.

Main potential downside: security best practices fall on maintainers of hyper63. Still, I don't think this would be too much of an issue if some reasonable best practices are used, and opt-ins for outsourcing security to services that specialize in it are available.

[twilson63]

Cool, here is what I am thinking:

Is to build-in some default scopes into the core, then in LargeCorp, they can just map their custom to these core scopes in the app layer or the client layer.

Scopes

• HYPER63 - this scope is the superadmin scope, if a request comes in with this scope in the JWT token, then it can do any request.
• DATA:* - this scope is the admin scope of the data port, any action on the data port this scope can do, including creating and deleting data stores and indexes.
• DATA:WRITE - this scope, can read and write, query and delete documents, but can not create/delete data stores or indexes
• DATA:READ - this scope can only read and query documents.

The idea is to follow this pattern for all ports, DATA, STORAGE, CACHE, and SEARCH

• STORAGE:* - this scope is the admin scope of the storage port, any action on the storage port this scope can do, including creating and deleting storage buckets.

• STORAGE:WRITE - this scope, can read and write and delete objects, but can not create/delete data stores or indexes

• STORAGE:READ - this scope can only read objects and list buckets.

• CACHE:* - this scope is the admin scope of the cache port, any action on the cache port this scope can do, including creating and deleting cache stores.

• CACHE:WRITE - this scope, can read and write and delete keys, but can not create/delete cache stores

• CACHE:READ - this scope can only read keys and query keys.

• SEARCH:* - this scope is the admin scope of the search port, any action on the search port this scope can do, including creating and deleting search indexes.

• SEARCH:WRITE - this scope, can read and write and delete index docs, but can not create/delete search indexes

• SEARCH:READ - this scope can only read index docs and search indexes.

[twilson63]

I think we should hold off on this request until we have a better example of the need here and the problem it solves.