[tahoe-dev] VolunteerGrid2 desperately needs a "safe gateway"

Brian Warner warner at lothar.com
Tue Feb 8 06:05:34 UTC 2011


On 2/7/11 7:18 PM, David-Sarah Hopwood wrote:
> On 2011-02-08 02:42, Scott Dial wrote:
>> However, your idea about a "safe web gateway" is something that I had a
>> desire for as well, for my own personal grid. In that case, I am only
>> consuming my own resources by making caps known to the internet at-large
>> -- no different than hosting files on a webserver. Toward that end, I
>> set up a proxy such that path "/" required authorization and "/uri" and
>> "/file" did not.
>>
>> Unless I am mistaken, that gives anonymous access to directories and
>> files on my grid without giving access to create or upload files or to
>> servers.
> 
> The ability to PUT to paths starting with /uri gives upload authority.

Or POST.

Also, the ability to PUT/POST to paths starting with /uri/DIRCAP (where
DIRCAP is a writecap) also allows for file upload. PUT
/uri/DIRCAP/newfile.txt is how you copy a new file into an existing
directory.

If you'd like to prevent uploads, configure the proxy to require
authorization for PUT/POST to anything below /uri and /file. The root
doesn't need it (all the upload forms on the welcome page target /uri),
nor does /status. GETs can only download, of course, no need for
authorization there, unless you're protecting your upstream bandwidth
from people who know a filecap but you don't want downloading it from
your gateway.

I think /file is just for files (no directories), but I can't remember
if PUT to /file/MUTABLEFILEWRITECAP is a way to modify a mutable file,
so wrapping /file with PUT/POST authorization is probably a good idea.

Incidentally, I'm trying to figure out how consume-storage-authority
should be expressed in the webapi. We represent read-data or modify-file
authority with filecaps, and put them in the URL. Can you imagine using
the same thing for a secret which granted you (and not someone else) the
right to consume storage space? The URL format that comes to mind would
be e.g.:

 PUT /store/$STORAGECAP/uri/$DIRCAP/$NEWFILENAME   or
 PUT /store/$STORAGECAP/uri   (for an unlinked upload)

If you're just browsing, in read-only mode, you wouldn't include the
/store/$STORAGECAP prefix (and you wouldn't include it in a URL that you
share, unless you wanted to share both the right to modify a specific
file/dir *and* the right to consume space in your name).

How crazy does that sound?

cheers,
 -Brian
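As an added illustration of the proxy policy discussed in this thread (anonymous GET on /uri and /file, authorization required for PUT/POST below them, / and /status left open), here is a small WSGI middleware. It is constructed example code, not part of this thread or of Tahoe-LAFS; it assumes HTTP Basic credentials, treats DELETE like PUT/POST, and fails closed on unknown methods and non-canonical paths (dot segments, doubled slashes) rather than letting them reach the backend unauthenticated.

```python
# Constructed example (not Tahoe's own code): policy for a "safe gateway" proxy.
import base64
import hmac
import posixpath

READ_METHODS = {"GET", "HEAD"}
WRITE_METHODS = {"PUT", "POST", "DELETE"}   # DELETE (webapi unlink) assumed
PROTECTED_PREFIXES = ("/uri", "/file")      # / and /status stay open

def canonical_path(path):
    """Return (normalized path, suspicious): dot segments or doubled
    slashes could make a raw prefix check disagree with the backend."""
    norm = "/" + posixpath.normpath("/" + path).lstrip("/")
    return norm, norm not in (path, path.rstrip("/"))

def under(path, prefix):
    # "/uri" and "/uri/..." match; "/uribogus" does not
    return path == prefix or path.startswith(prefix + "/")

def requires_authorization(method, path):
    """Anonymous GET/HEAD anywhere; writes below /uri or /file need
    credentials. Unknown methods and odd paths fail closed. `path` must
    already be percent-decoded (WSGI PATH_INFO is); never decode twice."""
    norm, suspicious = canonical_path(path)
    if suspicious:
        return True
    method = method.upper()
    if method in READ_METHODS:
        return False
    if method in WRITE_METHODS:
        return any(under(norm, p) for p in PROTECTED_PREFIXES)
    return True

def basic_auth_header(username, password):
    return "Basic " + base64.b64encode(f"{username}:{password}".encode()).decode()

class SafeGateway:
    """WSGI middleware in front of the Tahoe node's web port."""
    def __init__(self, app, username, password):
        self.app = app
        self.expected = basic_auth_header(username, password).encode()

    def __call__(self, environ, start_response):
        if requires_authorization(environ["REQUEST_METHOD"], environ.get("PATH_INFO") or "/"):
            supplied = environ.get("HTTP_AUTHORIZATION", "").encode()
            if not hmac.compare_digest(supplied, self.expected):   # constant-time compare
                start_response("401 Unauthorized", [("WWW-Authenticate", 'Basic realm="tahoe"')])
                return [b"authorization required\n"]
        return self.app(environ, start_response)
```

Put the middleware between the TLS-terminating front end and the node's web port; the credential check is deliberately only reached for requests the policy marks as writes.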