Multiple access grants (user access) for same Bucket/Prefix/Permissions

Hi,

I’ve been playing around with uplink/tardigrade and have started using the access.Share functionality in the uplink go library. What I’ve read and noticed is that for any combination of Bucket/Prefix/Permissions the serialized access token is always the same. I was wondering if there was any way to create multiple serialized access tokens for the same combination of Bucket/Prefix/Permissions.

The application is for a medical data project, where the buckets would be patients and the access would be for any number of healthcare workers to the bucket.

The main reason for wanting this granularity is to revoke access to one healthcare professional at a time instead of needing to kill an entire prefix or bucket.

Thanks!

The access grant depends on the options you give to it. If the sharing options are always the same, the serialized access grant will be the same too.
For example:

uplink mb sj://test
Bucket test created

uplink cp orders.db sj://test/
149.92 MiB / 149.92 MiB [-------------------------------------------------------------------------] 100.00% 2.96 MiB p/s
Created sj://test//orders.db

uplink share sj://test
Sharing access to satellite 11QdXggTXA43GhnnUoVZMVvxVdyqFvR3UhXvhLRL22EDN8b7fF@:10000
=========== ACCESS RESTRICTIONS ==========================================================
Download  : Allowed
Upload    : Disallowed
Lists     : Allowed
Deletes   : Disallowed
NotBefore : No restriction
NotAfter  : No restriction
Paths     : sj://test (entire bucket)
=========== SERIALIZED ACCESS WITH THE ABOVE RESTRICTIONS TO SHARE WITH OTHERS ===========
Access    : 1twrhhYp232QWbfAuoXnAAXXotFJSZrRLFDogNvrkWTe3F4XXWkFm7Jm55dKxwyX8orGMN5FpJpbMKYM9qZnMGPjxoxPRUDYT8viEgR5YEzk4PLHZYrcaqcorwx8dtLEAM6qG7g4wjiGeALvN2zbpxHdVTz6D2GckUGxPZAW7KaFwmMHtHKo5H4yYv4XJuroPvMBibPVJAv3nTpssdRncScou5FvtvFogXZj8BFtkxZnAXRapk8asVsf4GgRZ64e6CFWape2qCLmLAyP
=========== BROWSER URL ==================================================================
URL       : https://link.tardigradeshare.io/1twrhhYp232QWbfAuoXnAAXXotFJSZrRLFDogNvrkWTe3F4XXWkFm7Jm55dKxwyX8orGMN5FpJpbMKYM9qZnMGPjxoxPRUDYT8viEgR5YEzk4PLHZYrcaqcorwx8dtLEAM6qG7g4wjiGeALvN2zbpxHdVTz6D2GckUGxPZAW7KaFwmMHtHKo5H4yYv4XJuroPvMBibPVJAv3nTpssdRncScou5FvtvFogXZj8BFtkxZnAXRapk8asVsf4GgRZ64e6CFWape2qCLmLAyP/test/

uplink share sj://test/orders.db
Sharing access to satellite 11QdXggTXA43GhnnUoVZMVvxVdyqFvR3UhXvhLRL22EDN8b7fF@:10000
=========== ACCESS RESTRICTIONS ==========================================================
Download  : Allowed
Upload    : Disallowed
Lists     : Allowed
Deletes   : Disallowed
NotBefore : No restriction
NotAfter  : No restriction
Paths     : sj://test/orders.db
=========== SERIALIZED ACCESS WITH THE ABOVE RESTRICTIONS TO SHARE WITH OTHERS ===========
Access    : 12MysVccS73zpk55VwyeuhogQfYzqFKXGjRmGFtC4JBe3LMZTdL2tkRTTGMQHHzzF4SnsGAyXXYtwbGnU9GHG1zDxgu3UA6gL9R5ARueYimDi64XubRc5RU8wjAidmUc2Jd4P3crvw9anLc8LrmcMUoGi3r2WdNe1jwZCKiv5S5hKHMMLWcWHJn8aVUqanGQU2k82NoGnYn4wraE9qwFtmFTwwafVbru2FD9EPFLZCwc8yMGvYRANnqPvzjV5jSmC2n3sikZLBkucCuDu12KjQ3i6v2VaYnPNaooGjFeKJ6UHD7sxCJujgb39kgmJj37Jxjr7GUGdbUncmnb3pUqfQaXGAFuKPaM2aBY7NsyaCtA3riwnpLHEmqw3F9toBxjiYxaCy8VHnzMvMndZxZQ
=========== BROWSER URL ==================================================================
URL       : https://link.tardigradeshare.io/12MysVccS73zpk55VwyeuhogQfYzqFKXGjRmGFtC4JBe3LMZTdL2tkRTTGMQHHzzF4SnsGAyXXYtwbGnU9GHG1zDxgu3UA6gL9R5ARueYimDi64XubRc5RU8wjAidmUc2Jd4P3crvw9anLc8LrmcMUoGi3r2WdNe1jwZCKiv5S5hKHMMLWcWHJn8aVUqanGQU2k82NoGnYn4wraE9qwFtmFTwwafVbru2FD9EPFLZCwc8yMGvYRANnqPvzjV5jSmC2n3sikZLBkucCuDu12KjQ3i6v2VaYnPNaooGjFeKJ6UHD7sxCJujgb39kgmJj37Jxjr7GUGdbUncmnb3pUqfQaXGAFuKPaM2aBY7NsyaCtA3riwnpLHEmqw3F9toBxjiYxaCy8VHnzMvMndZxZQ/test/orders.db

As you can see, the serialized access is different for the bucket and the object.
Let’s move further:

uplink share --not-after +1h sj://test/orders.db
Sharing access to satellite 11QdXggTXA43GhnnUoVZMVvxVdyqFvR3UhXvhLRL22EDN8b7fF@:10000
=========== ACCESS RESTRICTIONS ==========================================================
Download  : Allowed
Upload    : Disallowed
Lists     : Allowed
Deletes   : Disallowed
NotBefore : No restriction
NotAfter  : 2020-08-25 06:21:28
Paths     : sj://test/orders.db
=========== SERIALIZED ACCESS WITH THE ABOVE RESTRICTIONS TO SHARE WITH OTHERS ===========
Access    : 1AkfbVy3UGffi8ennLBpqeCeCpcWqEEbu2KWTC5kYd4qWUuuHR2Zw66pfReNjoD7Fe3mFd46gEgCbyuEVdcXdNhAiCnDovJczAky4pfruaHjDrjrQmnZESAv7QgAxMXnWHhYn1hrFBbmWXeJGLUxMtpA1DbYxe4842MnErq9eFkhPh3xWxwVvPGBFMKvRUcYVzg4nv1UkdB65LxvmjpB8srPkfRLD56am2zsUpeBMYGnnHr1tGqnmrjG2DPvpqvH1phMKHpyJE3KGn1ijVmctGD3sMTQ9qZLmdkAKpfUJBiegHSVtJTKFCNLZjzJmLht6nVWg3dQeSgXMtYsWWj7FU36epXyPW6EjYFafYMW3drpLYMnXKHia577ehxb47SMtya7sXKC2FPCWg8e7feeS1fkb3UBHma422vx1bH9
=========== BROWSER URL ==================================================================
URL       : https://link.tardigradeshare.io/1AkfbVy3UGffi8ennLBpqeCeCpcWqEEbu2KWTC5kYd4qWUuuHR2Zw66pfReNjoD7Fe3mFd46gEgCbyuEVdcXdNhAiCnDovJczAky4pfruaHjDrjrQmnZESAv7QgAxMXnWHhYn1hrFBbmWXeJGLUxMtpA1DbYxe4842MnErq9eFkhPh3xWxwVvPGBFMKvRUcYVzg4nv1UkdB65LxvmjpB8srPkfRLD56am2zsUpeBMYGnnHr1tGqnmrjG2DPvpqvH1phMKHpyJE3KGn1ijVmctGD3sMTQ9qZLmdkAKpfUJBiegHSVtJTKFCNLZjzJmLht6nVWg3dQeSgXMtYsWWj7FU36epXyPW6EjYFafYMW3drpLYMnXKHia577ehxb47SMtya7sXKC2FPCWg8e7feeS1fkb3UBHma422vx1bH9/test/orders.db

With the option --not-after +1h the serialized access is different.
Another example:

uplink share --readonly=false sj://test/orders.db
Sharing access to satellite 11QdXggTXA43GhnnUoVZMVvxVdyqFvR3UhXvhLRL22EDN8b7fF@:10000
=========== ACCESS RESTRICTIONS ==========================================================
Download  : Allowed
Upload    : Allowed
Lists     : Allowed
Deletes   : Allowed
NotBefore : No restriction
NotAfter  : No restriction
Paths     : sj://test/orders.db
=========== SERIALIZED ACCESS WITH THE ABOVE RESTRICTIONS TO SHARE WITH OTHERS ===========
Access    : 13jc5LcbmFvVZzXhaMe5hcsoazkCRJrkeURX3SBvKMmzCfMkY3AgykB8KgGx9oaMkrB9p9gU2XcJwh1EopZTu3sbkh2PyAUAknirnzyN4nbH74RAQm6p2NrCiP4rjieTyTYVjuDuBfydXtGEp9qCh3t47wV8sNSd57GTSXrf2HLmhA6HfLpUw7dmnYH3q9gbES68J1myKWMec6nBXSVTufdeL5p6faJV3CvpmrpeikCfW3e7ugfgg5JhpAr8NWBZvNhrY5i9NjxgGcC3pjULUPzUFYEWouAg4NWGnPoGzcyYSuZvAAH6Snm7WcesFJxPnvhUMh2eriDKwvXKUwE5zFJ7b3Ex2zGEP5BcG3MyudPK84yixY8iA7m5bBxJn3yk7K5uPqVfGzTz8

Another example with a subpath:

uplink cp orders.db sj://test/subpath/
149.92 MiB / 149.92 MiB [-------------------------------------------------------------------------] 100.00% 2.46 MiB p/s
Created sj://test/subpath//orders.db

uplink share sj://test/subpath/orders.db
Sharing access to satellite 11QdXggTXA43GhnnUoVZMVvxVdyqFvR3UhXvhLRL22EDN8b7fF@:10000
=========== ACCESS RESTRICTIONS ==========================================================
Download  : Allowed
Upload    : Disallowed
Lists     : Allowed
Deletes   : Disallowed
NotBefore : No restriction
NotAfter  : No restriction
Paths     : sj://test/subpath/orders.db
=========== SERIALIZED ACCESS WITH THE ABOVE RESTRICTIONS TO SHARE WITH OTHERS ===========
Access    : …
=========== BROWSER URL ==================================================================
URL       : https://link.tardigradeshare.…%2Forders.db

So, the access grant depends on the grant options and the path to the object. You can see them with:

uplink share --help
Shares restricted access to objects.

Usage:
  /bin/uplink share [ALLOWED_PATH_PREFIX]... [flags]

Flags:
      --access string                     the serialized access, or name of the access to use
      --disallow-deletes                  if true, disallow deletes. see also readonly
      --disallow-lists                    if true, disallow lists
      --disallow-reads                    if true, disallow reads
      --disallow-writes                   if true, disallow writes. see also readonly
      --export-to string                  path to export the shared access to
  -h, --help                              help for share
      --not-after string                  disallow access after this time (e.g. '+2h', '2020-01-02T15:01:01-01:00')
      --not-before string                 disallow access before this time (e.g. '+2h', '2020-01-02T15:01:01-01:00')
      --readonly                          implies disallow_writes and disallow_deletes. you must specify --readonly=false if you don't want this (default true)
      --writeonly                         implies disallow_reads and disallow_lists

Global Flags:
      --advanced                         if used in with -h, print advanced flags help
      --config-dir string                main directory for uplink configuration (default "/root/.local/share/storj/uplink")

Could you elaborate on what you want to differentiate?

1 Like

--not-before now would be the easiest way to get different access grants all the time without any downside.

2 Likes

@Alexey, that’s what I thought. At any time, t, there is only one token to access a bucket/permission/prefix combination.

@littleskunk, I imagine that this changes the access token to the bucket/permission/prefix combination and that the old one is no longer valid, correct?

@Alexey, the ideal situation for me is if there were multiple access tokens for the same bucket/permission/prefix combination. The use case is where patients in a medical data system each have their own bucket and healthcare workers use their serialized access to access patient data.

Example, nurse 1 and nurse 2 want to access patient data for the bucket and prefix akaash/x-ray with read permissions. They get the same token. Now say I want to remove access to nurse 2 while leaving access to nurse 1. The only way I can see doing this is revoking the access to the bucket to everyone, creating a new token for akaash/x-ray and distributing that token to only nurse 1.

In an ideal situation nurse 1 and nurse 2 would have different access tokens to akaash/x-ray with the same permissions.

1 Like

If you have created a grant you can only revoke it including all sub access grants or create a sub access grant with more restrictions. Once an access grant is created you can’t change any of the restrictions. You always have to create a new access grant with the restrictions you want.

@littleskunk, hmm ok. I thought of a hack where I could play with the NotAfter property of the Permission struct. If I choose this somewhat arbitrarily for a time, t, way in the future, I would get different grants, correct?

Again you can get different access tokens by just using --not-before now. Even if that timestamp differs only by 1 that will already create a new access token. This will give you the option to remove them later one by one.

4 Likes

Right, I understand now. Thanks, that works!

Here’s the code in uplink/go to get it to work, for those who may be interested later:

permission := uplink.FullPermission() // create permission struct however you want
permission.NotBefore = time.Now()     // fresh timestamp per call, so each Share() yields a distinct grant

2 Likes
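The pattern the thread settles on, as an added stand-alone Go example that is not code from the thread or from the Storj uplink library: a grant is a pure function of its restrictions, so two workers given identical bucket/prefix/permissions receive the identical token; stamping NotBefore with the issuance time makes each worker's grant distinct, and a revocation list keyed by the serialized grant can then cut off one nurse without touching the other. The Permission field names, the hash-of-canonical-JSON "serialization" and the Issuer/CheckDownload helpers are assumptions made for this offline model; the real library produces a macaroon-based token and enforces restrictions on the satellite. The model also covers two caveats a practitioner would want: a coarse clock returning the same instant twice (the stamp is bumped, since the thread notes a difference of 1 is enough), and the prefix boundary check so that a grant for akaash/x-ray does not also cover akaash/x-rayz.

```go
package main

import (
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"sort"
	"strings"
	"time"
)

// Permission is a stand-in for the uplink Permission struct discussed in the
// thread (assumption: field names chosen for this example, not the library's).
type Permission struct {
	AllowDownload, AllowUpload, AllowList, AllowDelete bool
	NotBefore, NotAfter                                time.Time // zero value = no restriction
}

// restriction is everything a grant is derived from: permission plus the
// allowed path prefixes, as with `uplink share [ALLOWED_PATH_PREFIX]...`.
type restriction struct {
	Permission Permission
	Prefixes   []string
}

// serializeGrant models what the CLI output above shows: equal restrictions
// give an equal serialized grant. A hash of canonical JSON stands in for the
// library's macaroon-based token (assumption, for offline demonstration only).
func serializeGrant(r restriction) string {
	p := append([]string(nil), r.Prefixes...)
	sort.Strings(p) // prefix order must not change the result
	r.Prefixes = p
	b, _ := json.Marshal(r) // struct field order is fixed, so this is canonical
	sum := sha256.Sum256(b)
	return base64.RawURLEncoding.EncodeToString(sum[:])
}

// Issuer hands out one grant per healthcare worker and keeps a revocation
// list keyed by the serialized grant (hypothetical helper, not the library's).
type Issuer struct {
	now       func() time.Time       // injectable clock
	lastStamp time.Time              // last NotBefore handed out
	byWorker  map[string]string      // worker id -> serialized grant
	grants    map[string]restriction // serialized grant -> its restrictions
	revoked   map[string]bool
}

func NewIssuer(now func() time.Time) *Issuer {
	return &Issuer{now: now, byWorker: map[string]string{},
		grants: map[string]restriction{}, revoked: map[string]bool{}}
}

// Issue applies the advice in the thread: set NotBefore to "now" on every
// issuance. If the clock returns the same instant twice, bump by 1ns; as the
// thread notes, a timestamp differing by 1 already yields a distinct grant.
func (is *Issuer) Issue(worker string, perm Permission, prefixes ...string) string {
	stamp := is.now()
	if !stamp.After(is.lastStamp) {
		stamp = is.lastStamp.Add(time.Nanosecond)
	}
	is.lastStamp = stamp
	perm.NotBefore = stamp
	r := restriction{Permission: perm, Prefixes: append([]string(nil), prefixes...)}
	g := serializeGrant(r)
	is.byWorker[worker], is.grants[g] = g, r
	return g
}

// Revoke invalidates only the named worker's grant; other workers' grants for
// the same bucket/prefix/permissions keep working.
func (is *Issuer) Revoke(worker string) error {
	g, ok := is.byWorker[worker]
	if !ok {
		return fmt.Errorf("no grant issued to %q", worker)
	}
	is.revoked[g] = true
	delete(is.byWorker, worker)
	return nil
}

// CheckDownload is the check a gateway would make before serving path with a
// presented grant: known, not revoked, download allowed, inside the time
// window, and path on or under an allowed prefix (boundary-aware).
func (is *Issuer) CheckDownload(grant, path string, at time.Time) error {
	r, ok := is.grants[grant]
	switch {
	case !ok:
		return errors.New("unknown grant")
	case is.revoked[grant]:
		return errors.New("grant revoked")
	case !r.Permission.AllowDownload:
		return errors.New("download not allowed")
	case !r.Permission.NotBefore.IsZero() && at.Before(r.Permission.NotBefore):
		return errors.New("grant not yet valid")
	case !r.Permission.NotAfter.IsZero() && at.After(r.Permission.NotAfter):
		return errors.New("grant expired")
	}
	for _, p := range r.Prefixes {
		if path == p || strings.HasPrefix(path, strings.TrimSuffix(p, "/")+"/") {
			return nil
		}
	}
	return errors.New("path not covered by grant")
}

func main() {
	is := NewIssuer(time.Now)
	read := Permission{AllowDownload: true, AllowList: true}
	n1 := is.Issue("nurse1", read, "akaash/x-ray") // constructed sample data
	n2 := is.Issue("nurse2", read, "akaash/x-ray")
	fmt.Println("distinct grants:", n1 != n2)
	_ = is.Revoke("nurse2")
	fmt.Println("nurse1:", is.CheckDownload(n1, "akaash/x-ray/scan1.dcm", time.Now()))
	fmt.Println("nurse2:", is.CheckDownload(n2, "akaash/x-ray/scan1.dcm", time.Now()))
}
```

The design point is that uniqueness of the grant must come from something only the issuer controls; a per-issuance NotBefore does that without weakening any permission, which is why the thread calls it free of downside. The revocation list, by contrast, is only effective if the component that honours grants consults it, which in Storj is the satellite rather than the client.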