Date: Fri, 23 Nov 2018 20:37:16 +0200
From: Lars Wirzenius
To: ick-discuss@ick.liw.fi
Message-ID: <20181123183716.GB5774@exolobe1.liw.fi>
Subject: New Ick component: Muck, for JSON storage
List-Id: discussions about the ick CI system

Hi all.

One of the problems Ick currently has is that every user can see, and
modify, and delete, any project and any pipeline of any user. To fix
this, Ick needs to assign an owner to each such "resource", and only
allow authorized users to access the resource. To begin with,
"authorized" will mean "is owned by", but later this will become more
flexible: the owner will be able to specify for various groups of
users what they can do.

The first step is to introduce the concept of resource ownership. For
this, I intend to add a new component to Ick, which stores structured
data in the form of JSON objects. I've written a proof-of-concept
prototype of this, and it's called Muck.

The code is at . A README has some documentation:
<http://git.liw.fi/muck-poc/tree/README>.

Muck stores JSON objects in memory, but persistently: they get written
to disk and loaded back into memory if the service is restarted.
Access is via a RESTful HTTP API, with authorization handled by a
signed JWT access token provided by Qvisqve. In other words, exactly
like the controller and artifact store.

Unlike the controller and artifact store, however, each resource is
assigned an owner upon creation. The owner is taken from the "sub"
claim of the access token. For now, only the owner can see, update, or
delete the resource.

Each resource is assigned a random identifier by Muck. There is a way
to search for resources, based on metadata or resource content.

Muck exists. I will (slowly) start converting the controller and other
components, and API users, to use it. Once that is done, mortal
enemies will be able to share an Ick instance without having to fear
each other.

Thoughts?

-- 
I want to build worthwhile things that might last. --joeyh
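
Added example, not part of the original message and not Muck's code: a minimal sketch of the ownership model the message describes, where the owner is taken from the access token's "sub" claim and every operation, search included, is restricted to the owner. The class and method names are hypothetical, the claims are assumed to come from an already verified token, and answering non-owners as if the resource did not exist is a choice made for this sketch.

```python
import secrets

class NotFound(Exception):
    """Resource is missing, or is owned by someone else."""

class OwnedStore:
    """In-memory JSON object store; every object has exactly one owner."""

    def __init__(self):
        self._objs = {}  # resource id -> {"owner": str, "body": dict}

    @staticmethod
    def _subject(claims):
        # Assumption: 'claims' comes from a token whose signature, issuer
        # and expiry were already verified; that step is not shown here.
        sub = claims.get("sub")
        if not isinstance(sub, str) or not sub:
            raise PermissionError("access token has no usable 'sub' claim")
        return sub

    def _owned(self, claims, rid):
        sub = self._subject(claims)
        rec = self._objs.get(rid)
        # Same error for "missing" and "not yours", so ids cannot be probed.
        if rec is None or rec["owner"] != sub:
            raise NotFound(rid)
        return rec

    def create(self, claims, body):
        rid = secrets.token_hex(16)  # random identifier chosen by the store
        self._objs[rid] = {"owner": self._subject(claims), "body": dict(body)}
        return rid

    def show(self, claims, rid):
        return dict(self._owned(claims, rid)["body"])

    def update(self, claims, rid, body):
        self._owned(claims, rid)["body"] = dict(body)  # owner never changes

    def delete(self, claims, rid):
        self._owned(claims, rid)
        del self._objs[rid]

    def search(self, claims, **match):
        # Search is filtered by owner too, or it would leak other users' data.
        sub = self._subject(claims)
        return sorted(rid for rid, rec in self._objs.items()
                      if rec["owner"] == sub
                      and all(rec["body"].get(k) == v for k, v in match.items()))
```

The owner is never read from the request body, only from the token claims, so a client cannot create or re-assign a resource under another user's name.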