Simplify authentication process #53

Open
naitian opened this issue Jan 5, 2023 · 3 comments · May be fixed by #70 or #82

Comments

@naitian
Member

naitian commented Jan 5, 2023

I've been using sink for other projects (very handy!), and I think there's potential for it to be generally useful, but setting up the authentication with a new user / file is a huge friction point.

I wonder if there is an easier way (maybe like a sink auth that automates the process at least a little bit).

Maybe out of scope, but would be useful to have.

@erxclau
Member

erxclau commented Jan 5, 2023

I think you might be describing something like the Google credentials setup at TT. I think it authorizes file access through actual users instead of through a service account. From what I remember, there was a slightly longer initial setup for less friction for each individual use.

Since we set this up to authenticate with a service account, I don't think there's a good way for the service account to authorize itself to have access to files. We need the user to add the service account to a new file (unless the file is inside a folder that the service account has overall access to).

I do plan on spending some time revisiting Google authentication this semester through #35 and setting up a new service account to move away from the sourdough account. But I do agree that it may also be worthwhile to look into a refactor of our authentication/authorization flow.

Setting up a new service account in and of itself is probably a pain point if we want to renew service accounts every year for security reasons. This process (along with AWS IAM setup) may benefit from some automation with infrastructure as code.

@naitian
Member Author

naitian commented Apr 20, 2023

Yeah I wonder if there's some way to even just automate the creation of a service account.

This is outside the Daily's use case, but I often want to use sink for one-off projects where I am collaborating with others. I don't want to reuse a service account, since I might want some collaborators to have access to files for one project but not another.

@naitian
Member Author

naitian commented Apr 20, 2023

Using actual users is probably preferable if that can be done in an ergonomic way, but one alternative might look something like this:

There is an admin service account that has the permission to create and manage service accounts. Users who have admin credentials can then run sink create-auth <name> to create a new consumer user <name> and create a corresponding <name>.json file, which can then be distributed to whoever.

This feels pretty messy though, so hopefully there's a better way of going about this.

erxclau linked a pull request Apr 29, 2023 that will close this issue (10 tasks)
erxclau linked a pull request Jun 14, 2023 that will close this issue (8 tasks)