Libraries and services for access control on the M-Lab platform.
The m-lab/access package supports JWK keys generated by jwk-keygen.
Create a signing key pair:
go get gopkg.in/square/go-jose.v2/jwk-keygen
~/bin/jwk-keygen --use=sig --alg=EdDSA --kid=1
For new services, we want to balance access to the platform with protecting platform integrity and measurement quality.
Until a service supports access control natively, the "access envelope" service accepts access tokens, validates them, and upon acceptance, adds an iptables rule granting the client IP time to run a measurement before removing the rule again after a timeout.
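The validate-then-grant flow described above, as an added Go sketch that is not code from m-lab/access: a token is checked, access is opened, and removal is scheduled. Assumptions: the token is a compact EdDSA JWS carrying only an `exp` claim, verification uses the standard library's `crypto/ed25519` instead of go-jose, and the hypothetical `allow`/`deny` callbacks stand in for adding and removing the iptables rule.

```go
package main

import (
	"crypto/ed25519"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"strings"
	"time"
)

var b64 = base64.RawURLEncoding
var pub, priv, _ = ed25519.GenerateKey(nil) // throwaway demo key pair (constructed)

// sign builds a compact EdDSA token carrying only "exp" (constructed sample input).
func sign(key ed25519.PrivateKey, exp time.Time) string {
	body := b64.EncodeToString([]byte(`{"alg":"EdDSA"}`)) + "." +
		b64.EncodeToString([]byte(fmt.Sprintf(`{"exp":%d}`, exp.Unix())))
	return body + "." + b64.EncodeToString(ed25519.Sign(key, []byte(body)))
}

// admit opens access for ip on a valid token and schedules its removal (allow/deny stand in for the rule).
func admit(tok, ip string, key ed25519.PublicKey, limit time.Duration, allow, deny func(string)) (time.Duration, error) {
	p := strings.Split(tok, ".")
	if len(p) != 3 {
		return 0, fmt.Errorf("malformed token")
	}
	sig, _ := b64.DecodeString(p[2])
	if !ed25519.Verify(key, []byte(p[0]+"."+p[1]), sig) { // the "alg" header is never consulted
		return 0, fmt.Errorf("bad signature")
	}
	var c struct{ Exp int64 }
	raw, _ := b64.DecodeString(p[1])
	if json.Unmarshal(raw, &c) != nil || time.Until(time.Unix(c.Exp, 0)) <= 0 {
		return 0, fmt.Errorf("expired or unreadable claims") // fail closed: no rule added
	}
	left := time.Until(time.Unix(c.Exp, 0))
	if left > limit { // never keep the rule longer than limit
		left = limit
	}
	allow(ip)
	time.AfterFunc(left, func() { deny(ip) })
	return left, nil
}

func main() {
	show := func(op string) func(string) { return func(ip string) { fmt.Println(op, ip) } }
	fmt.Println(admit(sign(priv, time.Now().Add(time.Hour)), "192.0.2.7", pub, 50*time.Millisecond, show("allow"), show("deny")))
	time.Sleep(100 * time.Millisecond) // let the removal timer fire
}
```

Rejected tokens return before `allow` is called, so a bad signature or an expired token never opens access.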