[tahoe-dev] Access control and permissions on a tahoe grid

Kevin Reid kpreid at mac.com
Fri Jun 12 20:54:44 UTC 2009


On Jun 12, 2009, at 13:59, Rufus Pollock wrote:

> We've just started an "Open Data Grid" for storing "open data"
> (<http://grid.okfn.org/>) using Tahoe, and we're going to be doing a
> lot more work with it over the coming months.
...

> 1. Can you have a "Grid Administrator" (with root-style permissions)?
>
> As I understand it from the documentation the ability to do stuff with
> objects is controlled by the capability URI you have. If you have a
> readcap you can read, if you have the writecap you can write etc.
> Furthermore, these capability URIs are created when the object is
> created and made available /to the creator/.
>
> In our setup we want people to be able to "donate" nodes to the grid.
> At the same time there needs to be some way to monitor/control what
> people upload (the aim is to store open data of general interest not
> someone's personal backups or their CD collection) and we also want to
> ensure not just anyone can come and delete objects.

You don't need a root, a read-write-everything user, and you can't get
it in Tahoe, by design, anyway. What you want is storage accounting,
which once implemented will allow you to define and subdivide
permissions to use specified amounts of space.

http://allmydata.org/trac/tahoe/browser/docs/proposed/accounting-overview.txt

To implement your "data of general interest" policy, you could provide
someone with a storage authority which permits them to use U+A bytes,
where A is the margin for uploading new files, and U is the total size
of files which they have published links to in your catalog (directly
or indirectly by a Tahoe directory) which have been reviewed as being
of general interest.

> 2. How do you control who can join a grid?
>
> Is there any way to configure my node only to talk to these other
> nodes? Given that new nodes join a grid via an introducer I wondered
> if there were some way to use the introducer for this function. (E.g.
> I have to be given a token which I pass to the introducer in order
> to be "allowed in")

What do you wish to accomplish by this, and why?

   - Restricting downloading of files/view directories?

   - Restricting uploading of new files?

   - Something else?

> 3. Is it ever possible to revoke capabilities?
>
> For example, if I give you the writecap to directory X is there any
> way to rescind that later on (i.e. can I change the writecap for that
> directory without deleting it)?

It is impossible to implement revocation without having a server you
rely on (as opposed to Tahoe's basic stored-anywhere-in-the-grid
model) to implement that revocation, and proxy all operations until
revocation. This is not currently supported in Tahoe -- see

   http://allmydata.org/pipermail/tahoe-dev/2009-May/001770.html

-- 
Kevin Reid                            <http://homepage.mac.com/kpreid/>
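The U+A accounting policy sketched in the reply, modelled as an added Python example (not Tahoe-LAFS code, and not part of the original message). The catalog layout, the `Node` type and the sample sizes are constructed assumptions; U is computed by walking published links through directories and counting each reviewed file once even when several directories link to it.

```python
from dataclasses import dataclass, field

@dataclass(eq=False)
class Node:
    """One catalog entry: a file (size in bytes) or a directory of children."""
    name: str
    size: int = 0
    reviewed: bool = False      # reviewed as "of general interest"
    is_dir: bool = False
    children: list = field(default_factory=list)

def reviewed_bytes(published):
    """U: total size of reviewed files reachable from the published links.
    Directories are walked recursively; a file linked from several
    directories is counted only once."""
    seen, total, stack = set(), 0, list(published)
    while stack:
        node = stack.pop()
        if id(node) in seen:
            continue
        seen.add(id(node))
        if node.is_dir:
            stack.extend(node.children)
        elif node.reviewed:
            total += node.size
    return total

def storage_limit(published, margin):
    """The storage authority's size: U (reviewed bytes) + A (upload margin)."""
    return reviewed_bytes(published) + margin

def upload_allowed(published, margin, used, new_size):
    """True if current usage plus the new file still fits within U + A."""
    return used + new_size <= storage_limit(published, margin)

def example_catalog():
    """Constructed sample: a reviewed dataset linked from two directories,
    plus an unreviewed personal backup that earns no allowance."""
    dataset = Node("census.csv", size=400, reviewed=True)
    backup = Node("backup.tar", size=900)
    stats = Node("stats/", is_dir=True, children=[dataset])
    mirror = Node("mirror/", is_dir=True, children=[dataset, backup])
    return [stats, mirror]

if __name__ == "__main__":
    pub = example_catalog()
    print(reviewed_bytes(pub), storage_limit(pub, 100))          # 400 500
    print(upload_allowed(pub, 100, 400, 100), upload_allowed(pub, 100, 1300, 1))
```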