Actions
Bug #5724
closed[API] Advertise BlobSignatureTTL in discovery doc. Fix name/comments on default_trash_lifetime.
Start date:
04/30/2015
Due date:
% Done:
100%
Estimated time:
(Total: 1.25 h)
Story points:
0.5
Description
The default_trash_lifetime config setting (and the defaultTrashLifetime discovery doc key) are currently unused and were intended to control the default interval after pushing the "trash" button on an object in Workbench (or doing a similar action) during which the object could be rescued/undeleted. This is achieved by setting expires_at=now()+defaultTrashLifetime on an object. Note:
- This is not the same kind of "trash" as unreferenced data blocks in Keep.
- This is only a default: a client can also choose to set expires_at to now()+1h or now()+8y.
- A larger value makes it more likely a user can recover accidentally deleted data.
- A smaller value conserves disk space.
- This is not a security feature.
- Whether the collection's expires_at is now+1h, now+8y, or null, the signature TTL is the same (default is 2 weeks).
- This is a security feature. It prevents a client from stockpiling signatures over time and reading data which it had permission to read 8 years ago (but doesn't now).
- This limits the time a client can take to build a collection.
- Like the API server's ttl, this TTL is visible to clients (the expiry time part is easy to parse out of the blob signature) so clients can be expected to make decisions on this basis ("the block signature will expire soon, so I'd better create a collection to get a fresh one"). Therefore, a keepstore that has provided a signature expiring on January 15 must not delete the corresponding data before January 15 merely because that block hasn't appeared in any collections yet.
- keepstore should (but currently doesn't) advertise its blob_signing_ttl to clients explicitly. Currently, clients can figure it out by writing a block and subtracting now() from the resulting signature expiry time.
Actions