Node connection requesting access to a private network #781
Comments
I'm going to consolidate this and #780 REF ENG-371 together into this issue. They are two parts of the same problem.
@amydevs we'll need to go over this to expand it out and tie it into #784 work. Some notes about the spec so far. The structure of these claims is being addressed in #779, so this issue focuses on addressing the logic for issuing the So we'll need to update the spec to focus solely on the issuing of these claims and how to authenticate that.
This issue seems like it's better suited to be in the PKE repo? If it has information on proprietary details of PKE, it should be in PKE. Plus PK shouldn't be special casing any particular PKE behaviour here.
This issue focuses on how the nodes interact to request access. PKE only really ties into how we authenticate that request.
Specification
According to #779, there needs to be a way for nodes to bootstrap into a network via obtaining a `ClaimNetworkAccess` token.

There are 2 RPC calls that should implement this:

- `SignClaimNetworkAccessInitial` - An RPC call from a node to a seednode that requests a half-signed `ClaimNetworkAccess` token to be fully signed by the seednode.
- `SignClaimNetworkAccessFinal` - An RPC call from a seednode to a node that contains the fully signed `ClaimNetworkAccess` token designated to the node.

There is a reason that these 2 calls are separate unary calls rather than a single unary call. That being that in order to implement a CSR-like mechanism for `ClaimNetworkAccess` token signing, we may want for a human in the loop to manually approve or deny requests for individual nodes to join a network. Hence, we want for the node to receive the token from the seednode whenever the node is online to accept, even after a long response time from the seednode.

When Node A attempts to join a network:

- `SignClaimNetworkAccessInitial` call to seed node B.
- `SignClaimNetworkAccessFinal` call to node A.

By implementing this, we have several flows we can end up implementing:
Additional context
#779
Tasks
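The two-call exchange from the specification above, as an added example that is not Polykey's own code: the seed node checks the half-signed request before queuing it for approval, and the node accepts a Final token only if it answers a request it actually sent. The claim fields (`typ`, `network`, `iss`, `sub`, `nonce`), the JSON encoding, the use of Ed25519 and every function name are assumptions, since the real token structure is defined in #779; each side is assumed to already know the other's public key.

```javascript
// Added example. Field names, JSON encoding and Ed25519 are assumptions;
// the real ClaimNetworkAccess structure is defined in #779, not here.
const crypto = require('node:crypto');

const newNode = (id) => ({ id, keys: crypto.generateKeyPairSync('ed25519'),
  pending: new Map(), outstanding: new Map() });
// Key order is fixed by construction here; a real token needs a canonical encoding.
const encode = (claim) => Buffer.from(JSON.stringify(claim));
const sign = (claim, key) => crypto.sign(null, encode(claim), key).toString('base64');
const verify = (claim, sig, pub) =>
  crypto.verify(null, encode(claim), pub, Buffer.from(sig, 'base64'));

// Node A: build the claim, sign it once (half-signed) and remember the request.
function makeInitialRequest(node, network, seedId) {
  const nonce = crypto.randomBytes(16).toString('hex');
  const claim = { typ: 'ClaimNetworkAccess', network, iss: seedId, sub: node.id, nonce };
  const req = { claim, subSig: sign(claim, node.keys.privateKey) };
  node.outstanding.set(nonce, req);
  return req;
}

// Seed B, on SignClaimNetworkAccessInitial: check the requester's signature,
// then park the request until an operator decides (the CSR-like step).
function handleInitial(seed, req, requesterPub) {
  if (req.claim.iss !== seed.id || !verify(req.claim, req.subSig, requesterPub)) {
    throw new Error('rejected: wrong issuer or bad requester signature');
  }
  seed.pending.set(req.claim.nonce, req);
}

// Seed B, on approval: countersign; the result is the Final call's payload.
function approve(seed, nonce) {
  const req = seed.pending.get(nonce);
  if (!req) throw new Error('no pending request for this nonce');
  seed.pending.delete(nonce);
  return { ...req, issSig: sign(req.claim, seed.keys.privateKey) };
}

// Node A, on SignClaimNetworkAccessFinal (possibly much later): accept only a
// token that matches a request it actually sent and carries both signatures.
function handleFinal(node, token, seedPub) {
  const sent = node.outstanding.get(token.claim.nonce);
  const ok = sent !== undefined && encode(sent.claim).equals(encode(token.claim)) &&
    verify(token.claim, token.subSig, node.keys.publicKey) &&
    verify(token.claim, token.issSig, seedPub);
  if (!ok) throw new Error('rejected: not a valid answer to an outstanding request');
  node.outstanding.delete(token.claim.nonce);
  return token;
}
```

Because the node keeps its outstanding request until a valid Final call arrives, the seed node's answer can come after any delay, and a token replayed after acceptance is rejected.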