
Update how access credentials are handled by Ocean Node #804

Open
MBadea17 opened this issue Jan 16, 2025 · 1 comment
Labels
Type: Enhancement New feature or request

@MBadea17

Currently, the way Ocean Node handles the web3 address-based access credentials is to allow access to everybody if no credentials are defined for an asset.

To increase the security of the assets shared using Ocean technology in enterprise-grade environments, we need to make the Ocean Node more restrictive when handling the assets with no address-based credentials defined. Therefore, the behavior of the Ocean Node needs to be updated as follows:

  • if no address-based credentials are defined (both allow and deny lists are empty), access to the asset is restricted to everybody;
  • to allow access to everybody, the symbol * will be used in the allow list;
  • if a web3 address is present on both deny and allow lists, the deny list takes precedence, and access to the asset is denied for the respective address.

Also, the structure of the credentials object within the DDO needs to be updated to accommodate the credentials used by the newly added Policy Server component, as follows:

{
  "credentials": {
    "allow": [
      {
        "type": "address",
        "values": ["0x123", "0x456"]
      },
      {
        "type": "PS-specific Type",
        "values": [{}]
      }
    ],
    "deny": [
      {
        "type": "address",
        "values": ["0x2222", "0x333"]
      }
    ]
  }
}

The "address" type object includes the address-based credentials (directly handled by Ocean Node), while the "PS-specific Type" object includes the credentials that the Policy Server will assess. The type of Policy Server access credentials will differ from one Policy Server implementation to another. For instance, the Policy Server developed for the walt.id SSI stack will handle credentials of type "SSIpolicy".

@MBadea17 MBadea17 added the Type: Enhancement New feature or request label Jan 16, 2025
@paulo-ocean
Contributor

Adding some comments, as discussed on the Slack channel.
The '*' can be an element of the list:

"allow": [
  {
    "type": "address",
    "values": ["*"]
  },

(this would allow all)

Also, we might want an env var to enable/disable the new behavior
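The following is an added example, not code from Ocean Node or from either commenter, showing how the three rules from the issue body (empty lists restrict everyone, "*" in the allow list opens access, deny wins over allow) combine with the refinement in the comment above ("*" as an element of the address values list). The names `CredentialEntry`, `Credentials`, `isAddressAllowed`, the `openAccessWhenEmpty` parameter (standing in for the suggested env var), the case-insensitive address comparison, and the "deny non-empty but allow empty means denied" behaviour are all assumptions made for this example; the sample credentials object is constructed from the values shown in the issue with "0x2222" placed on both lists to exercise deny precedence.

```typescript
// Added example (not Ocean Node's own code): evaluation of the proposed
// address-based credential rules from this issue.
//   - no address credentials on either list -> denied for everyone
//   - "*" among the allow list's address values -> everyone allowed
//   - an address present on both lists -> denied (deny takes precedence)
// All names below are assumptions for this example, not project identifiers.

export interface CredentialEntry {
  // "address" is handled here; other types (e.g. "SSIpolicy") are for the Policy Server
  type: string;
  values: unknown[];
}

export interface Credentials {
  allow?: CredentialEntry[];
  deny?: CredentialEntry[];
}

// Collect the string values of all "address" entries on one list, lowercased
// (assumption: hex addresses are compared case-insensitively).
function addressValues(entries: CredentialEntry[] | undefined): string[] {
  const out: string[] = [];
  for (const entry of entries ?? []) {
    if (entry.type !== "address") continue; // non-address credentials are left to the Policy Server
    for (const v of entry.values) {
      if (typeof v === "string") out.push(v.toLowerCase());
    }
  }
  return out;
}

export function isAddressAllowed(
  credentials: Credentials | undefined,
  address: string,
  // Assumed toggle standing in for the env var suggested in the comment: when true,
  // fall back to the old behaviour of allowing everyone when no address credentials exist.
  openAccessWhenEmpty = false,
): boolean {
  const addr = address.toLowerCase();
  const allow = addressValues(credentials?.allow);
  const deny = addressValues(credentials?.deny);

  // Rule 3: the deny list takes precedence over the allow list.
  if (deny.includes(addr)) return false;

  // Rule 1: no address-based credentials at all -> restricted (unless legacy toggle).
  if (allow.length === 0 && deny.length === 0) return openAccessWhenEmpty;

  // Rule 2: "*" in the allow list opens access to anyone not explicitly denied.
  if (allow.includes("*")) return true;

  // Otherwise only explicitly allowed addresses pass. Assumption: a non-empty deny
  // list with an empty allow list still denies addresses that are not on either list.
  return allow.includes(addr);
}

// Constructed sample credentials (values taken from the issue; "0x2222" is placed on
// both lists to show deny precedence; the SSI entry is ignored by this check).
export const SAMPLE_CREDENTIALS: Credentials = {
  allow: [
    { type: "address", values: ["0x123", "0x456", "0x2222"] },
    { type: "SSIpolicy", values: [{}] },
  ],
  deny: [{ type: "address", values: ["0x2222", "0x333"] }],
};

// Credentials where only the wildcard allow entry is present.
export const WILDCARD_CREDENTIALS: Credentials = {
  allow: [{ type: "address", values: ["*"] }],
  deny: [{ type: "address", values: ["0xabc"] }],
};
```

Because only `"address"` entries are read, a DDO that carries nothing but Policy-Server-specific credentials (such as `"SSIpolicy"`) counts as having empty address lists and is therefore restricted by this check; the Policy Server's own verdict would have to be combined with it separately.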
