S3 proxy ensuring authentication and authorization layer based on Axone.
The S3 proxy is a service that exposes files stored on an S3 server to the Axone protocol. It acts as an authentication and authorization layer, ensuring that access requests comply with the decentralized governance rules established on-chain.
flowchart LR
actor@{ shape: circle, label: "🧑" }
s3Proxy@{ shape: lin-cyl, label: "S3 Proxy" }
s3@{shape: lin-cyl, label: "S3<br>server"}
files@{ shape: docs, label: "files" }
axone@{ shape: das, label: "Axone chain" }
s3 --> files
actor -- access --> s3Proxy
s3Proxy ~~~
s3Proxy -. ① check .-> axone
s3Proxy -. ② access .-> s3
make build
⚠️ The following example may be outdated.
Hereafter is presented an example using this proxy locally, providing all the needed elements to feed a local dataverse and interact with it.
Through this example, we'll have a Minio instance declared as a digital storage service with an attached governance allowing usage in a specific zone. And a dataset representing a single file with a governance allowing the same zone and a specific orchestration service, the dataset will use the minio as storage service.
We'll see how we can submit an execution order to set the file accessible through the proxy by being authenticated as the orchestration service.
Some tools are needed in order to run the example:
The local chain must be running with our contracts stored.
The local configuration of axoned in $AXONED_HOME/config/client.toml shall be self-sufficient to sign and broadcast transaction without additional command flags (e.g. --chain-id, --keyring-backend, etc..)
For each contract instantiation, keep the contract addresses, as they will be required for future interactions. You can inspect the transaction hash generated by the broadcasting process with axoned query tx $TX_HASH and look for the events section.
Let's begin with the objectarium:
axoned tx wasm instantiate $OBJECTARIUM_CODE_ID \
--label "my-prologtarium" \
--from $MY_WALLET_ADDR \
--admin $MY_WALLET_ADDR \
--gas 1000000 \
'{"bucket":"my-prologtarium"}'Now let's create the law-stones containing the minio & dataset prolog governance codes:
axoned tx wasm instantiate $LAW_STONE_CODE_ID \
--label "minio-gov" \
--from local \
--admin local \
--gas 100000000 \
"{\"program\":\"$(cat example/s3-gov.pl | base64)\", \"storage_address\": \"$OBJECTARIUM_ADDR\"}"
axoned tx wasm instantiate 2 \
--label "data-gov" \
--from local \
--admin local \
--gas 100000000 \
"{\"program\":\"$(cat example/data-gov.pl | base64)\", \"storage_address\": \"$OBJECTARIUM_ADDR\"}"Finally, the dataverse:
axoned tx wasm instantiate $DATAVERSE_CODE_ID \
--label "my-local-dataverse" \
--from $MY_WALLET_ADDR \
--admin $MY_WALLET_ADDR \
--gas 1000000 \
"{\"name\":\"my-local-dataverse\",\"triplestore_config\":{\"code_id\":\"$COGNITARIUM_CODE_ID\",\"limits\":{}}}"Now let's declare the storage service and the dataset in the dataverse: we'll have for each one two verifiable credentials, one for the description and one referencing the governance. Then, another one will be needed to express that the dataset is served by our minio storage service, providing its protected proxy URL. Those verifiable credentials are available here:
- example/vc-s3-desc.jsonld
- example/vc-s3-gov.jsonld
- example/vc-data-desc.jsonld
- example/vc-data-gov.jsonld
- example/vc-publish.jsonld
Before submitting them we need to update the law stone addresses related to the governances in the example/vc-s3-gov.jsonld and example/vc-data-gov.jsonld credentials.
Those VCs are not signed. For that we'll need to have some cryptographic keys to act as the issuers of those verifiable credentials. To facilitate this, we provide a keyring located at example/keyring-test.
You can list the keys with axoned --keyring-backend test --keyring-dir example keys list if needed.
To sign and submit the verifiable credentials we have a simple script that you can use:
./scripts/setup.sh $MY_WALLET_ADDR $DATAVERSE_ADDRHere we need to run the minio and deploy our dataset on it. For that, we provide a docker-compose.yml: it will run a MinIO instance accessible at http://localhost:9000.For demonstration purposes, this setup will make the README file of this project available as part of the dataset at http://localhost:9000/test/README.md.
You can start the compose with:
docker compose upNow we'll run the proxy through which we'll connect to the dataverse with:
./target/dist/s3-auth-proxy start --listen-addr 0.0.0.0:8080 \
--jwt-secret-key 1d5be173d43385b984ef8c73fe4fb9e5ca5a31466f20bf8a250d06eec5f3079b \
--s3-endpoint localhost:9000 \
--s3-access-key minioadmin \
--s3-secret-key minioadmin \
--s3-insecure \
--grpc-no-tls \
--dataverse-addr $DATAVERSE_ADDR \
--svc-id did:key:zQ3shbn6v6Mwtc6nSe5LnBmBY44seFqdRKXtf5eH8tQknZCcwFor this step, we'll act ourselves as the initiator of the execution order, and the orchestration service that'll fulfill the order, to demonstrate the interactions with the proxy.
Let's create the execution order, and the execution containing the status and the parameters:
./scripts/order-exec.sh $MY_WALLET_ADDR $DATAVERSE_ADDRAt this point, submitting an authentication verifiable credential signed with the orchestration service keys we should be able to access the dataset, let's forge this credential:
./scripts/issue-auth-cred.sh > vc-auth.jsonldAnd then issue an authentication request to obtain an access token:
curl -s -X POST -T ./vc-auth.jsonld http://localhost:8080/authNow we should be able to get through the proxy authorization layer with our access token:
curl -s -H "Authorization: Bearer $TOKEN" http://localhost:8080/test/README.mdWe just need to submit a credential expressing an execution status of delivered:
./scripts/end-exec.sh $MY_WALLET_ADDR $DATAVERSE_ADDRAt this point we're not anymore capable to access the dataset.