One of the problems Ick currently has is that every user can see, and
modify, and delete, any project and any pipeline of any user. To fix
this, Ick needs to assign an owner to each such "resource", and only
allow authorized users to access the resource.

To begin with, "authorized" will mean "is owned by", but later this
will become more flexible: the owner will be able to specify for
various groups of users what they can do.

The first step is to introduce the concept of resource ownership. For
this, I intend to add a new component to Ick, which stores structured
data in the form of JSON objects. I've written a proof-of-concept
prototype of this, and it's called Muck. The code is at
<http://git.liw.fi/muck-poc>. A README has some documentation:

Muck stores JSON objects in memory, but persistently: they get written
to disk and loaded back into memory if the service is restarted.
Access is via a RESTful HTTP API, with authorization handled by signed
JWT access tokens provided by Qvisqve. In other words, exactly like the
controller and artifact store.

Unlike the controller and artifact store, however, each resource is
assigned an owner upon creation. The owner is taken from the "sub"
claim of the access token. For now, only the owner can see, update, or
delete the resource.
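
The ownership rule described above, as an added sketch that is not Muck's own code: the owner is read from the "sub" claim only after the token signature verifies, and every later operation compares the caller's "sub" with the stored owner. Assumptions: HS256 with a shared demo key stands in for Qvisqve's token signing, expiry and other claims are not checked, identifiers come from `uuid4`, a non-owner gets the same `KeyError` as for a missing resource, and all names (`OwnedStore`, `verified_sub`, `make_token`) are hypothetical.

```python
import base64, hashlib, hmac, json, uuid

KEY = b"constructed-demo-key"  # assumption: HS256 stand-in for Qvisqve's key

def _b64(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=")

def _sign(signed_part, key):
    return _b64(hmac.new(key, signed_part, hashlib.sha256).digest())

def make_token(claims, key=KEY):  # constructed tokens so the demo runs offline
    part = _b64(b'{"alg":"HS256"}') + b"." + _b64(json.dumps(claims).encode())
    return (part + b"." + _sign(part, key)).decode()

def verified_sub(token, key=KEY):
    """Return "sub" only after the signature has been checked."""
    part, _, sig = token.encode().rpartition(b".")
    if not hmac.compare_digest(sig, _sign(part, key)):
        raise PermissionError("bad token signature")
    body = part.split(b".")[1]
    claims = json.loads(base64.urlsafe_b64decode(body + b"=" * (-len(body) % 4)))
    return claims["sub"]

class OwnedStore:
    def __init__(self):
        self._objs = {}  # resource id -> (owner, JSON object)

    def create(self, token, obj):
        rid = uuid.uuid4().hex  # random id picked by the store, not the client
        self._objs[rid] = (verified_sub(token), obj)
        return rid

    def show(self, token, rid):
        sub = verified_sub(token)
        if rid not in self._objs or self._objs[rid][0] != sub:
            raise KeyError(rid)  # assumption: "not yours" looks like "missing"
        return self._objs[rid][1]

    def update(self, token, rid, obj):
        self.show(token, rid)  # ownership check; owner itself never changes
        self._objs[rid] = (self._objs[rid][0], obj)

    def delete(self, token, rid):
        self.show(token, rid)
        del self._objs[rid]

    def search(self, token, key, value):
        sub = verified_sub(token)
        return [rid for rid, (owner, obj) in self._objs.items()
                if owner == sub and obj.get(key) == value]
```

The owner is never taken from the request body or from the stored object, so a client cannot claim or reassign a resource by editing the JSON it sends.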

Each resource is assigned a random identifier by Muck. There is a way
to search for resources, based on metadata or resource content.

Muck exists. I will (slowly) start converting the controller and other
components, and API users, to use it. Once that is done, mortal
enemies will be able to share an Ick instance without having to fear