Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Credentials: Define how rules are applied (match all or match any) #804

Open
MBadea17 opened this issue Jan 16, 2025 · 1 comment
Open

Credentials: Define how rules are applied (match all or match any) #804

MBadea17 opened this issue Jan 16, 2025 · 1 comment
Assignees
@paulo-ocean
Labels
Type: Enhancement New feature or request

Comments

@MBadea17
Copy link

Currently, the way Ocean Node handles the web3 address-based access credentials is to allow access to everybody if no credentials are defined for an asset.

To increase the security of the assets shared using Ocean technology in enterprise-grade environments, we need to make the Ocean Node more restrictive when handling the assets with no address-based credentials defined. Therefore, the behavior of the Ocean Node needs to be updated as follows:

  • if no address-based credentials are defined (both allow and deny lists are empty), access to the asset is restricted to everybody;
  • to allow access to everybody, the symbol * will be used in the allow list;
  • if a web3 address is present on both deny and allow lists, the deny list takes precedence, and access to the asset is denied for the respective address.

Also, the structure of the credentials object within the DDO needs to be updated to accommodate the credentials used by the newly added Policy Server component, as follows:

{
  "credentials": {
    "allow": [
      {
        "type": "address",
        "values": ["0x123", "0x456"]
      },
      {
	"type": "PS-specific Type",
	"values": [{}]
      }    
    ],
    "deny": [
      {
        "type": "address",
        "values": ["0x2222", "0x333"]
      }
    ]
  }
}

The "address" type object includes the addresses-based credentials (directly handled by Ocean Node) while the "PS-specific Type" object includes the credentials that the Policy Server will assess. The type of Policy Server access credentials will differ from one Policy Server implementation to another. For instance, the Policy Server developed for walt.id SSI stack will handle credentials of type "SSIpolicy".
@MBadea17 MBadea17 added the Type: Enhancement New feature or request label Jan 16, 2025
@alexcos20
Copy link
Member

alexcos20 commented Jan 22, 2025
edited
Loading

The agreed structure will look like:

{
  "credentials": {
    "match_allow": "all",
    "match_deny": "any",
    "allow": [
      {
        "type": "address",
        "values": ["0x123", "0x456"]
      },
      {
	"type": "PS-specific Type",
	"values": [{}]
      }    
    ],
    "deny": [
      {
        "type": "address",
        "values": ["0x2222", "0x333"]
      }
    ]
  }
}

Where:

  • match_allow is an optional parameter, which defines if it's enough to have one rule matched (match_allow: "any") or all allow rules should match (default value, if match_allow does not exists or it's different from 'any")
  • match_deny follow same pattern as above, but default value is "any"

Deny lists are always checked first

@alexcos20 alexcos20 changed the title Update how access credentials are handled by Ocean Node Credentials: Define how rules are applied (match all or match any) Jan 22, 2025
@oceanprotocol oceanprotocol deleted a comment from paulo-ocean Jan 22, 2025
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@paulo-ocean paulo-ocean

Labels
Type: Enhancement New feature or request
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@alexcos20 @MBadea17 @paulo-ocean