-
Notifications
You must be signed in to change notification settings - Fork 610
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Allow restricting API token to publish a subset of crates #849
Comments
This would be fantastic for things like publishing automatically in CI builds. |
There is a workaround for this issue which we applied in RustAudio/cpal#337 :
The crates.io token of the |
@est31 While this approach works, the GitHub terms don't allow more than one free account per individual person, so we can't really make this an official recommendation. Eventually we will need a better permissions model. |
I didn't know about that rule but looking it up, it exempts machine accounts: https://help.github.com/en/github/site-policy/github-terms-of-service#3-account-requirements
Anyways, I do agree with you that this issue shouldn't be closed or ignored because the workaround exists. There should be a proper feature for it right in crates.io. |
Also note that you may only have up to one free machine account (same sections of Github terms as linked above):
So this limits the number of gratis crates.io tokens per person to 2. |
I'm willing to do the backend work to implement this, and @locks should be available to then hook the changes in the frontend. What I'd like to implement here is two things: endpoint scopes to limit which things a crate can do, and crate scopes to limit which crates the token is allowed to act on. A mockup of the UI I'd love to see is: Endpoint scopesDuring token creation the user will be allowed to choose whether to allow the token access to all the API endpoints (the current behavior) or to select which permissions the token has. The initial set of scopes will cover all endpoints accessible through
New scopes might be added in the future to cover more API endpoints. All existing tokens will default to allowing access to all the API endpoints, to maintain backward compatibility. Note that once we define the set of endpoints a token is allowed to create adding more endpoints to them might be considered a breaking change for existing tokens, as we would allow the token to do things the owner might not want. The set of endpoints covered by the initial set of scopes is:
Crate scopesDuring token creation the user will be allowed to choose whether to allow the token access to all the crates they own or just a subset of them. This setting will only apply to endpoints handling crates: other endpoints will continue to work even with crate-scoped tokens. To select which crates the token is allowed to operate on the user will have to insert a pattern we will match on every request. The pattern will be a simplified regex, only allowing
I think this approach is better that letting the user tick checkboxes for each crate they want to allow. Checkboxes benefit accounts with a small amount of crates, while the pattern benefits large projects with tons of crates, and I believe big projects are the ones more likely to scope down which crates a token is allowed to access. All existing tokens will allow access to any crate, to maintain backward compatibility. |
Note that with the implementation I have in mind adding more scopes should be trivial impl wise, so if anyone watching this issue has other needs let's discuss them! |
Important to keep in mind that full owners privilege includes also ability to remove owners of a crate. |
Thanks @est31! Updated the comment to reflect that. |
Thanks a lot for taking this work on! I've got a few comments. High-level commentsIn the long run, I would like to have some kind of permissions model for crate owners as well. Currently we have two access levels: Individual owners have all permissions, and team owners can do everything except managing owners. This model is rather inflexible. I would like to have the ability to add individual owners with only a limited set of permissions. One idea that comes to mind would be to introduce the concept of a "role" which can have certain permissions. Both tokens and owners could be assigned a role that defines what they are allowed to do. I haven't thought this through, and I only mention it to clarify my point above. I appreciate that we don't need to solve all problems at once. It is worthwhile to think about future directions anyway since this may make our life easier once we get there. Specific commentsI would de-emphasize the "access to all API endpoints" somehow. Tokens should by default only have access to the endpoints used by cargo, and it should be very rare for someone to need more than that.
It's not quite clear what you are saying here. Does "existing tokens" refer to tokens existing right now, or to existing tokens when we add further scopes? Because in the former case I agree with you, while in the latter case I think we don't want to add new permissions to tokens with limited permissions.
That's exactly the reason why I think we shouldn't do that.
Hmm, that doesn't really sound like a simplified regex, but more like a hybrid using the the When is the star pattern resolved? The desciption makes it sound like it's just to avoid having to check lots of crate names. However, if the pattern is not immediately resolved, but stored as is and checked everytime an operation is performed, it will apply to all new crates matching the pattern – something that would never be possible with just checkboxes. |
Turns out I also have questions about my proposal now 😅. I'll turn this into a proper RFC soon. |
Posted an RFC: rust-lang/rfcs#2947 |
I'd love to see this - I have write access to some N crates, but some of them are published to by repositories with shared admin access : while the admins should be able to publish to that repositories crates, not my other ones. Creating a service account rather than delegating access through a scoped token is a bit tedious. |
closing this now in favor of #5443 :) |
Now that #688 is available, it would be great to be able to generate a token that is only able to publish a single/limited subset of crates. (A subset to account for things like
proc-macro
crates commonly being published as a pair of relatively tightly coupled crates).I'm not sure exactly where the UI for creating these tokens should go, one idea I have had so far:
I feel that would not be great for a user that has access to many many crates though.
Alternative idea I had was to somehow do it via the crate page instead. I don't see any nice to allow adding additional crates to the token that doesn't basically end up with a massive list like above.
Probably worth doing a survey of if any other package repositories support something similar. Closest parallel I can think of is GitHub repository scoped API tokens, but as far as I'm aware they don't allow for accessing a selection of repositories; you either have a token that can access all repositories you have access to, or a token that can access a single repository. I'll try and take a look soon and update here.
The text was updated successfully, but these errors were encountered: