Remove the special-case concept of "global writes" and instead allow callers to provide a namespace mapping function that makes policy decisions about which clients are globally trusted and which clients should be isolated from each other. As a result, all clients are now able to write, but not necessarily into the shared global namespace. All clients can still read from the global namespace, as well as their own. The Namespaces table already existed in the schema, so no schema updates are required.

However, there are some breaking changes in the package API: WithJWTAuth now takes issuer URLs only, and policy moves into the new WithNamespaceMapping option. cmd/gocached implements the spirit of the old API in terms of a namespace mapping function, with the main difference that it now allows writes if you don't have the global claims, but just into your own isolated namespace.

Updates tailscale/corp#38092

Signed-off-by: Tom Proctor <tomhjp@users.noreply.github.com>
| // from [GlobalNamespace]. See [WithNamespaceMapping]. Namespace is case- | ||
| // insensitive, but is otherwise treated as an opaque string. |
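Review bot: "case-insensitive" in this doc comment leaves open whether the package lowercases a namespace before persisting it or whether a mixed-case value is rejected by the `CHECK (Namespace = lower(Namespace))` table constraint discussed in this thread; since the mapping function is caller-supplied and may return mixed-case strings, the comment should say which of the two happens.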
Case-insensitive is a little weird. Then you have to specify how it's case-insensitive. And are those rules the same between Go and SQLite? Doesn't seem worth it for an opaque string.
But it's fine if you want to document it more.
This bubbled up from the existing table constraint where it gets persisted:
Namespace TEXT NOT NULL UNIQUE CHECK (Namespace = lower(Namespace))
I can definitely document it more, but it sounds like maybe you think we should get rid of this constraint altogether? Or maybe we shouldn't allow user-defined strings to end up in the db? Although I couldn't think of a better way to map from claims to stable unique namespaces in a way that wouldn't require storage on the caller side too.
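As an added illustration of the kind of mapping function the description refers to (not code from this PR or from gocached; the `Claims` struct, the trusted issuer and group values, and the mapper's signature are assumptions), this shows how a caller could grant global trust only on explicit claims and otherwise derive a stable, already-lowercase isolated namespace that satisfies the `lower(Namespace)` check without storing anything on the caller side:

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// Namespace mirrors the opaque namespace string discussed above; the empty
// string is the trusted GlobalNamespace that every session can read.
type Namespace string

const GlobalNamespace Namespace = ""

// Claims is a constructed stand-in for verified JWT claims; the real type
// handed to a mapping function in the package may differ.
type Claims struct {
	Issuer  string
	Subject string
	Groups  []string
}

// Constructed policy values: which issuer and group are globally trusted.
var trustedIssuers = map[string]bool{"https://issuer.example/": true}

const globalWriterGroup = "cache-admins"

// MapNamespace is an example mapping function. Only an explicitly trusted
// issuer+group combination lands in GlobalNamespace; everyone else gets an
// isolated namespace derived from issuer and subject. Missing identity is
// an error rather than a silent fall-through to the (empty) global namespace.
func MapNamespace(c Claims) (Namespace, error) {
	if c.Issuer == "" || c.Subject == "" {
		return "", errors.New("claims lack issuer or subject")
	}
	if trustedIssuers[c.Issuer] {
		for _, g := range c.Groups {
			if g == globalWriterGroup {
				return GlobalNamespace, nil
			}
		}
	}
	// SHA-256 hex is stable, fixed-length and lowercase by construction, so
	// the persisted value satisfies Namespace = lower(Namespace) without any
	// Go-vs-SQLite case-folding questions for arbitrary user-supplied strings.
	sum := sha256.Sum256([]byte(c.Issuer + "\x00" + c.Subject))
	return Namespace(hex.EncodeToString(sum[:])), nil
}

func main() {
	ns, err := MapNamespace(Claims{Issuer: "https://other.example/", Subject: "alice"})
	fmt.Println(ns, err)
}
```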
| // GlobalNamespace is a trusted namespace that all sessions can read from. | ||
| const GlobalNamespace Namespace = "" |
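Review bot: making the most privileged namespace the zero value of `Namespace` means any mapping function that returns an uninitialised `Namespace` (a missed branch, a struct field left unset) silently grants global write access; consider documenting this trap here, or making the zero value mean "no namespace" and giving the global namespace a distinct sentinel that callers must opt into explicitly.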
| // against one of these issuers. If [WithNamespaceMapping] is provided, then | ||
| // it may still be rejected if the mapping function returns an error for its | ||
| // claims. No requests other than token exchange are allowed without | ||
| // authentication. May be called multiple times; issuers accumulate. |
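Review bot: the comment covers the case where `WithNamespaceMapping` is provided but not the default when it is omitted; it should state which namespace an authenticated session is placed in when no mapping is configured (global, isolated, or rejected), since that default is the security-relevant behaviour for callers who only migrate the `WithJWTAuth` call.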