Overview
The Warp 10 platform provides several building blocks to integrate it into your authentication system. Access control for updating and reading data is achieved through the use of cryptographic tokens.
Tokens:
- are cryptographically sealed serialized Thrift structure & Ident
- are used for authorizing access to the Warp 10 Storage Engine
- grants access for WRITE (and DELETE) or READ operations
- embeds notions for data sharing
- embeds flexible attributes for extensibility
Tokens are delivered with the TOKENGEN command. Roles (owner, producer and application) are used to define the right level of data access.
Data is produced by a producer for an owner by an application. Owner and Producer are 128 bits UUIDs* HHHHHHHH-HHHH-HHHH-HHHH-HHHHHHHHHHHH. Application is a STRING. Data is consumed by an owner within an application. The consuming owner is sometimes identified as the "billed user". There are special labels in Geo Time Series: .producer, .owner and .app.
The Producer/Owner/Application trio allows data sharing. A data owner can allow a third party to access its data. Such sharing is done via the creation of tokens with specific values. It's possible to track data consumption via Sensision metrics and issue billing.
Thrift definition file
-
Thrift IDL: token/src/main/thrift/io_warp10_quasar_token_thrift_data.thrift
-
Generated Java Classes
io.warp10.quasar.token.thrift.data.{ReadToken,WriteToken}
struct WriteToken {
1:required i64 issuanceTimestamp,
2:required i64 expiryTimestamp,
3:required TokenType tokenType,
5:required binary producerId,
6:required binary ownerId,
7:required string appName,
9:optional map<string,string> labels,
10:optional map<string,string> attributes,
}
struct ReadToken {
1:required i64 issuanceTimestamp,
2:required i64 expiryTimestamp,
3:required TokenType tokenType,
7:optional string appName,
8:required list<string> apps,
9:required list<binary> owners,
10:required list<binary> producers,
11:required binary billedId,
13:optional map<string,string> attributes,
14:optional map<string,string> labels,
}
enum TokenType {
READ = 1,
WRITE = 2,
}
Labels
io.warp10.quasar.token.thrift.data.ReadToken.labelsio.warp10.quasar.token.thrift.data.WriteToken.labels
Token labels are label selectors (text, =text, ~regexp) for READ tokens. Those selectors override the selection criteria of /fetch and FETCH. It is possible:
- to restrict the scope of data retrievable by a given token.
For WRITE tokens, labels override the labels of the Geo Time Series (see Ingress).
- to force values of certain labels.
Attributes
io.warp10.quasar.token.thrift.data.ReadToken.attributesio.warp10.quasar.token.thrift.data.WriteToken.attributes
Token attributes is a key/value map. They are a placeholder for adding special characteristics to tokens:
- Limit queryable timestamps
- Limit updateable timestamps to a window around current time
- Modify stack limits
- ...
They bring flexibility to the token system.
Encoded format
It uses OPB64(AESWRAP(TokenIdent[64 bits BigEndian] ⊕ SerializedThrift))
Keys and hashes are configured in /path/to/warp10/etc/conf.d/00-secrets.conf:
- AES Wrapping Key configured via
warp.aes.tokenin (128-256 bits) - SipHash key for TokenIdent set via
warp.hash.token(128 bits)
A Warp 10 Storage Engine instance will only accept a token if its AES Wrapping Key can decode it. It is possible to restrict access to ingress/egress by using different keys.
How to generate 128 bits hex strings
$ dd if=/dev/urandom | hexdump -Cvor
$ cat /proc/sys/kernel/random/uuid | hexdump -Cvor
$ date | md5sum
Lifecycle - Life and death of tokens
Tokens are created at a given issuanceTimestamp (ms since epoch). Tokens are valid until an expiryTimestamp (ms since epoch). Tokens can be revoked via TRLs (Token Revocation Lists)