-
Notifications
You must be signed in to change notification settings - Fork 0
feat(auth): allow non-admin user role to use HTTP sink/IO nodes #634
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Changes from 2 commits
55ed4f1
00c19eb
b43d792
72ca68d
6e5d357
fd26e79
8455c91
4f8ebd0
File filter
Filter by extension
Conversations
Jump to
Diff view
Diff view
There are no files selected for viewing
| Original file line number | Diff line number | Diff line change |
|---|---|---|
|
|
@@ -483,10 +483,15 @@ allowed_samples = [ | |
| "user/*.yaml", | ||
| ] | ||
|
Comment on lines
488
to
489
Contributor
Author
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. 📝 Info: Sample user role allowed_samples diverges slightly from code default The (Refers to lines 475-484) Was this helpful? React with 👍 or 👎 to provide feedback. Debug
Contributor
Author
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. Fixed: removed |
||
|
|
||
| # Users can use most nodes except potentially dangerous ones | ||
| # Users can use most nodes except potentially dangerous ones. | ||
| # Note: transport::http::fetcher is intentionally excluded (it fetches arbitrary | ||
| # URLs - SSRF risk). The safe HTTP sink/IO nodes are allowed instead. | ||
| allowed_nodes = [ | ||
| "audio::*", | ||
| "transport::*", | ||
| "transport::moq::*", | ||
|
staging-devin-ai-integration[bot] marked this conversation as resolved.
|
||
| "transport::http::mse", # serve live casts to the browser (MSE) | ||
| "streamkit::http_input", # oneshot request body | ||
| "streamkit::http_output", # oneshot response | ||
| "core::*", | ||
|
staging-devin-ai-integration[bot] marked this conversation as resolved.
Outdated
|
||
| "containers::*", | ||
| ] | ||
|
Comment on lines
487
to
514
Contributor
Author
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. 📝 Info: User role node allowlist tightened from broad wildcards to explicit list The sample Was this helpful? React with 👍 or 👎 to provide feedback. Debug
Contributor
Author
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. Good catch on the breakage surface. I checked the shipped pipelines: That's intentional and not a regression relative to the secure default: the built-in |
||
|
|
@@ -500,6 +505,37 @@ allowed_assets = [ | |
| "samples/audio/user/*", | ||
| ] | ||
|
|
||
| [permissions.roles.gateway] | ||
| # Least-privilege role for trusted intermediaries (e.g. the speech-gateway or | ||
| # web-capture examples) that build a small set of fixed pipelines. Avoids | ||
| # granting admin just to use HTTP-transport nodes. | ||
| create_sessions = true | ||
| destroy_sessions = true | ||
| list_sessions = true | ||
| modify_sessions = true | ||
| tune_nodes = true | ||
| load_plugins = false | ||
| delete_plugins = false | ||
| list_nodes = true | ||
| access_all_sessions = false # Only its own sessions | ||
| upload_assets = false | ||
| delete_assets = false | ||
|
|
||
| allowed_samples = [] | ||
|
|
||
| # Only the HTTP sink/IO nodes the gateway needs - no fetcher (SSRF risk). | ||
| allowed_nodes = [ | ||
| "transport::http::mse", # serve live casts to the browser (MSE) | ||
| "streamkit::http_input", # oneshot request body | ||
| "streamkit::http_output", # oneshot response | ||
| "core::*", | ||
| ] | ||
|
Comment on lines
+554
to
+562
Contributor
Author
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. 📝 Info: Gateway role's The new Was this helpful? React with 👍 or 👎 to provide feedback. Debug
Contributor
Author
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. Fixed: the gateway example (sample config + docs) now grants only the safe core plumbing nodes ( |
||
|
|
||
| # Only the specific plugin(s) the gateway needs (example: servo for web-capture). | ||
| allowed_plugins = ["plugin::native::servo"] | ||
|
Contributor
Author
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. 🚩 Gateway example references plugin::native::servo Both the docs ( Was this helpful? React with 👍 or 👎 to provide feedback. Debug
Contributor
Author
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. Confirmed valid —
Comment on lines
+554
to
+565
Contributor
Author
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. 📝 Info: Plugin enforcement ordering relied upon by gateway role The gateway role lists Was this helpful? React with 👍 or 👎 to provide feedback. Debug
Contributor
Author
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. Right — this ordering dependency ( |
||
|
|
||
| allowed_assets = [] | ||
|
|
||
| [permissions.roles.readonly] | ||
| # Read-only role - can only view, not modify | ||
| create_sessions = false | ||
|
|
||
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
📝 Info: http_input/http_output are implicitly allowed for oneshot regardless of allowlist
Adding
streamkit::http_inputandstreamkit::http_outputto theuserrole'sallowed_nodesis harmless but redundant for the oneshot path:apps/skit/src/server/oneshot.rs:529-536explicitly skips these marker kinds, treating them as implicitly allowed whenever oneshot execution is permitted. The allowlist entries only have an effect at the otheris_node_allowedcall sites (sessions/websocket/mcp/validation), where these oneshot-only marker nodes would not normally appear. Net: the entries are safe and the documented gateway example is still correct, just over-specified for oneshot use.Was this helpful? React with 👍 or 👎 to provide feedback.
Debug
Playground
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thanks — agreed, info-only and correct. The oneshot path (
server/oneshot.rs) skips these marker kinds so they're implicitly allowed there; the allowlist entries only matter at the session/websocket/mcp/validationis_node_allowedcall sites. I'm keeping them for consistency with the documentedgatewayrole example (and the newsamples/skit.tomlrole) so the same allowlist works whether or not a node is gated — over-specified but not incorrect.