When running an action, the CNAB runtime needs to pass credentials into the invocation container. For actions that create, delete, or modify objects, these credentials must have privileges that allow doing so on the target platform. For installed applications that interact with the platform, one would expect a clear separation of concerns enforced by a separate set of less privileged credentials that the application uses.
Because of how the CNAB installation model works, it cannot enforce this separation of concerns and cannot guarantee that the installation credentials are not passed to the installed application or elsewhere. To mitigate this, runtimes could create ephemeral credentials that are invalidated shortly after action completion.
This has two benefits:
- It guarantees that the installation credentials cannot be reused
- It facilitates auditing the action's effect on the platform (i.e.: what the action did)
I see this as a complement to #337 and a candidate for the non-normative portion of the specification as it requires that the runtime tool understands the target installation platform.
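As an added illustration of the proposal above (example code, not part of the CNAB specification or any runtime), this sketches a runtime that mints a credential scoped to a single action, revokes it as soon as the action returns, and reads the platform's audit trail by credential id; `Platform`, `run_action`, `audit_for` and the in-memory token store are hypothetical stand-ins for a real platform's credential API.

```python
import secrets
import time


class Platform:
    """Hypothetical target platform: issues/revokes credentials and records operations."""

    def __init__(self):
        self._creds = {}   # token -> expiry (epoch seconds)
        self.audit = []    # (token, operation) rows, the audit trail

    def issue(self, ttl_s):
        """Mint a short-lived credential; the TTL bounds its life even if revoke is missed."""
        token = secrets.token_hex(16)
        self._creds[token] = time.time() + ttl_s
        return token

    def revoke(self, token):
        self._creds.pop(token, None)

    def apply(self, token, operation):
        """Perform a privileged operation; refuse expired or revoked credentials."""
        expiry = self._creds.get(token)
        if expiry is None or time.time() > expiry:
            raise PermissionError("credential expired or revoked")
        self.audit.append((token, operation))


def run_action(platform, action, ttl_s=300):
    """Run one CNAB action with a credential that exists only for that action."""
    token = platform.issue(ttl_s)
    try:
        action(token)
    finally:
        platform.revoke(token)   # revoke whether the action succeeded or failed
    return token


def audit_for(platform, token):
    """Everything the platform did under this action's credential."""
    return [op for t, op in platform.audit if t == token]


def demo():
    platform = Platform()
    leaked = {}

    def install(token):                       # constructed sample action
        platform.apply(token, "create deployment")
        leaked["token"] = token               # installed app stashes the credential

    token = run_action(platform, install)
    try:                                      # later reuse by the installed app fails
        platform.apply(leaked["token"], "create secret")
        reused = True
    except PermissionError:
        reused = False
    return audit_for(platform, token), reused
```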