Diff for "SoyuzPrivateArchiveTokens"

Not logged in - Log In / Register
Differences between revisions 2 and 3
Revision 2 as of 2009-01-05 15:55:24
Size: 4905
Editor: michael.nelson
Comment: Added an unresolved issue
Revision 3 as of 2009-01-06 08:47:59
Size: 7327
Editor: michael.nelson
Comment:
Deletions are marked like this. Additions are marked like this.
Line 73: Line 73:
The current spec includes a token (in a sources.list entry... it'd be great to see an example of what this will look like). This token could be potentially copied and used by others. But with the current .htaccess solution, I'm not sure how this could be prevented while at the same time allowing users ongoing access to updates (security/bug fixes). The current spec includes a token (in a sources.list entry... it'd be great to see an example of what this will look like). This token/sources.list entry could be potentially copied and given to be used by others. Two potential solutions (assuming that access is controlled via .htaccess), are below.
Line 75: Line 75:
I'm wondering whether it might be worth the extra effort of proxying the archive urls so we can do more than htaccess? There's probably lots I'm missing... just let me know. AFAICS it doesn't make sense to automatically '''revoke''' the subscription after allowing time to download the software (by revoking the Archive Subscriber record, which would effectively deactivate the token), because the user is still a subscriber after they have downloaded the software (you might want to provide ongoing security/bug-fix updates to a subscriber, for example).

It might make sense to include an expiry-date for the Archive Auth Token itself, so that from when a subscriber generates a token, the token can be used for a certain time (enough to download the software), but this would require more than just a date_deactivated field on the Archive Auth Token (AFAICS, date_deactivated is just a reflection of the Archive Subscribers revocation or membership expiry). If, later on (say in two months time), an update becomes available for the software (bug/security-fix), there are two options that I can see:
 1. The subscriber is notified via email (as the token in their sources.list will no longer enable apt-get to see that an update is available? (I don't know enough about apt-get yet to know if this is the case)) with a link to generate a new key for their LP user, providing them with a new sources.list entry (with the new token), with which they replace the old one (Cons: what a pain! Pros: secure with a new token generated by the user).
 2. The subscriber's old expired token (that is already in their sources.list entry) is given a new expiry date. apt-get on users machine will automatically then see that an update is available (Pros: easy for user, Cons: user may miss the window of opportunity, little less secure as expired token is re-activated).

=== Archive URL proxying - worth the extra effort/complexity ? ===
I'm wondering whether it might be worth '''eventually''' proxying the archive urls so we can do more than htaccess? By proxying the archive urls we would be able to:
 * keep stats on access (related to tokens) with ease (the Archive Auth Token would itself simply have fields for num_downloaded etc.).
 * give tokens both an expiry as well as a number of available downloads (From what I've read, I understood that the tokens are always to be for a single user, but I'm not sure how this would work for volume licensing. Say a company with 80 employees wants to install Terry's software on all their machines, it would be useful to purchase a token that can be used for 100 downloads/updates at a time, to avoid the admin nightmare of getting every employee to create an LP account, then putting them in the right team etc.).

Please let me know where I've misunderstood things!

Contents

Contents

  1. Overview
    1. Overall Summary
    2. Release Note
    3. Rationale
    4. Use cases
    5. Assumptions
  2. User Interface
  3. Implementation
    1. Code Changes
    2. Schema Changes
    3. Migration
  4. Unresolved issues
    1. Limiting downloads while allowing unlimited updates
    2. Archive URL proxying - worth the extra effort/complexity ?

Overview

Overall Summary

Summary: Store and manage access tokens for private archives. These tokens will be stored in the database and published to disk during the normal publishing cycle. A UI will manage the tokens allowing archive owners to generate new ones and delete old ones.

Goal/Deliverables:

  • Publisher changes to generate the .htaccess file
  • Schema changes to store the tokens
  • UI changes to add/delete tokens

We will know we have finished when private archive owners can manage 3rd party access to their archives with no intervention from LP admins.

Release Note

Rationale

It's currently very time-consuming for admins to set up the .htaccess file for private archives. It's also frustrating for end-users to have to wait for an admin to do it.

We also wish to drive adoption of Launchpad, such that users of PPAs will need to have a Launchpad account to receive their access tokens.

Use cases

  • Terry runs a private PPA containing commercial Python-related software packages. He wishes to allow Michael, his beta partner, access to download the packages at any time. Terry visits his PPA page, follows a link to a page that controls user-access to the archive, selects Michael's Launchpad account and generates an access token with no expiry date. Terry does not directly see the token but the page shows that Michael has permission to access the archive.
  • John is a user who wants to download some of Terry's software. He arranges payment with Terry who gives him access via a token that expires in 1 week. John navigates to his profile page and follows a link to another page that lists all his access tokens for archives that he has permission to see. He copies the sources.list entry (which is presented with the basic auth. access token embedded already) to his own machine and downloads the software using his normal package managing software.
  • Monty runs a private PPA in which he wishes to distribute software to his team of employees. He sets up an access permission that authorises a whole team to access his archive. Each team member will then have a separate token available so that when Monty fires someone from his team, only that person's access token is removed and the rest of the team retains access.

Assumptions

  • Passwords are secure in the database.

User Interface

The PPA will have a new linked page that is available to the archive's owner(s) only. It will list authorised Launchpad users who can access the archive. It will allow the PPA owner to add, remove and set expiry dates on access for each user/team.

Archive users will be able to see a private page that shows all their current archive access via a list of archives and their corresponding sources.list entries, the latter being presented with the basic auth. token necessary to access the archive.

At some point this will be integrated with Ubuntu so that clicking a link will install the sources.list entry.

Implementation

  • Schema changes (1 day)
  • Fix the publisher to generate a .htaccess based on the tokens in the database (3 days)
  • Add the admin UI to manage the tokens (4 days)
  • Add UI for the archive user to list access (3 days)

Code Changes

Code changes should include an overview of what needs to change, and in some cases even the specific details.

Schema Changes

What Database changes are you proposing? Do you need a new index created? Proposing a new table? If so, what does it look like?

Migration

Include:

  • data migration, if any
  • redirects from old URLs to new ones, if any

  • how users will be pointed to the new way of doing things, if necessary. (If your change is big enough, consider using the rollout template.)

Unresolved issues

Limiting downloads while allowing unlimited updates

The current spec includes a token (in a sources.list entry... it'd be great to see an example of what this will look like). This token/sources.list entry could be potentially copied and given to be used by others. Two potential solutions (assuming that access is controlled via .htaccess), are below.

AFAICS it doesn't make sense to automatically revoke the subscription after allowing time to download the software (by revoking the Archive Subscriber record, which would effectively deactivate the token), because the user is still a subscriber after they have downloaded the software (you might want to provide ongoing security/bug-fix updates to a subscriber, for example).

It might make sense to include an expiry-date for the Archive Auth Token itself, so that from when a subscriber generates a token, the token can be used for a certain time (enough to download the software), but this would require more than just a date_deactivated field on the Archive Auth Token (AFAICS, date_deactivated is just a reflection of the Archive Subscribers revocation or membership expiry). If, later on (say in two months time), an update becomes available for the software (bug/security-fix), there are two options that I can see:

  1. The subscriber is notified via email (as the token in their sources.list will no longer enable apt-get to see that an update is available? (I don't know enough about apt-get yet to know if this is the case)) with a link to generate a new key for their LP user, providing them with a new sources.list entry (with the new token), with which they replace the old one (Cons: what a pain! Pros: secure with a new token generated by the user).
  2. The subscriber's old expired token (that is already in their sources.list entry) is given a new expiry date. apt-get on users machine will automatically then see that an update is available (Pros: easy for user, Cons: user may miss the window of opportunity, little less secure as expired token is re-activated).

Archive URL proxying - worth the extra effort/complexity ?

I'm wondering whether it might be worth eventually proxying the archive urls so we can do more than htaccess? By proxying the archive urls we would be able to:

  • keep stats on access (related to tokens) with ease (the Archive Auth Token would itself simply have fields for num_downloaded etc.).
  • give tokens both an expiry as well as a number of available downloads (From what I've read, I understood that the tokens are always to be for a single user, but I'm not sure how this would work for volume licensing. Say a company with 80 employees wants to install Terry's software on all their machines, it would be useful to purchase a token that can be used for 100 downloads/updates at a time, to avoid the admin nightmare of getting every employee to create an LP account, then putting them in the right team etc.).

Please let me know where I've misunderstood things!

CategoryProposal

SoyuzPrivateArchiveTokens (last edited 2009-01-28 14:18:40 by michael.nelson)