launchpad-reviewers team mailing list archive

[Robert Collins <robertc@xxxxxxxxxxxxxxxxx>]

The proposal to merge lp:~lifeless/launchpad/private-librarian into lp:launchpad has been updated.

Description changed to:

The basic idea is to have an https librarian that uses an access token for a time limited period, rather than proxying on the appservers which is terrible in several ways that aren't all that relevant except to say its hard to improve and incompatible with our peformance goals.

So in this model, we hand out a token when someone (including wget) accesses a private attachment on launchpad, and issue a temporary redirect (over ssl) to https://iLFAID.launchpadlibrarian.net/...file?token=xxxxx

The token goes in the session DB, the garbo cleans that up, and we all are happy happy happy.

Oh, and the librarian rejects requests without a token for private files.

We can't use OAuth because then the OAuth token would be attackable by content in the private librarian.

RT 41202 contains the request for wildcard DNS keys.

The remaining work to make this fully reviewable is to:
 - provide a migration method so that we can deploy this code in advance of the ssl certs being ready etc. I suspect a config option is best for now because feature-flags in the librarian is untested as yet.; alternatively having the librarian work either-way would allow a feature flag in the appservers.
 - when enabled issue the redirect - thats in place now for objects using the right view; I don't know whats required to glue the view in.
 - profit

Folk wanting to test or collaborate on this branch should:
 - dropdb session_dev
 - dropdb session_ftest
 - pull the branch
 - run 'make schema' which will create the timelimitedtoken table in your session dbs.


-- 
https://code.launchpad.net/~lifeless/launchpad/private-librarian/+merge/31020
Your team Launchpad code reviewers is requested to review the proposed merge of lp:~lifeless/launchpad/private-librarian into lp:launchpad.