|
4 | 4 |
|
5 | 5 | This document explains how xyOps protects user accounts, secrets, API access, job execution, and server-to-server communication. |
6 | 6 |
|
7 | | -xyOps is designed around a few core ideas around security: |
| 7 | +xyOps is designed around a few core ideas with regard to security: |
8 | 8 |
|
9 | 9 | - Keep sensitive data out of the browser unless it is truly needed. |
10 | 10 | - Encrypt secrets at rest and decrypt them only at the moment of use. |
@@ -82,7 +82,7 @@ xyOps protects these in different ways depending on the asset. Some are hashed, |
82 | 82 | | API key | Salted SHA-256 hash only | Plaintext shown once at creation | Stored hash is based on the key plus the key ID. | |
83 | 83 | | Secret Vault values | AES-256-GCM encrypted record | No, unless an admin explicitly decrypts a secret | Decrypted only in memory when needed. | |
84 | 84 | | `secret_key` | Config override file with owner-only permissions | No | Also excluded from config APIs. | |
85 | | -| Satellite auth token | Derived token based on server ID and secret key | Not to ordinary browser users | Used by xySat to authenticate to the conductor. | |
| 85 | +| Satellite auth token | Derived token based on server ID and secret key | No | Used by xySat to authenticate to the conductor. | |
86 | 86 |
|
87 | 87 |
|
88 | 88 | ## Accounts and Sessions |
@@ -185,6 +185,8 @@ API keys in xyOps are designed for services and automation, not human browser se |
185 | 185 | - The plaintext key is generated once and shown once. |
186 | 186 | - xyOps stores only a salted SHA-256 hash of the key, not the plaintext. |
187 | 187 | - A masked version is stored for display convenience. |
| 188 | +- Each key can have an optional expiration date, after which it auto-disables. |
| 189 | +- You can set a max req/sec for each key, for throttling. |
188 | 190 |
|
189 | 191 | The stored hash is: |
190 | 192 |
|
@@ -324,7 +326,7 @@ xyOps includes an orchestrated secret-key rotation flow for administrators. The |
324 | 326 | - active jobs are aborted and allowed to drain |
325 | 327 | - all encrypted secrets are re-encrypted with the new key |
326 | 328 | - connected servers are re-issued fresh auth tokens |
327 | | -- peer conductors are updated via config overrides |
| 329 | +- peer conductors are sent the new secret, fully encrypted using the old one |
328 | 330 |
|
329 | 331 | This is much safer than manually changing a key and hoping all dependent systems catch up. |
330 | 332 |
|
@@ -389,7 +391,7 @@ It is also possible to install and run xySat manually as a non-root user. That c |
389 | 391 | - self-upgrade may fail unless the user owns the install directory and restart path |
390 | 392 | - on POSIX systems, the process cannot switch child jobs to a different UID or GID unless the OS grants it that privilege |
391 | 393 |
|
392 | | -On Windows, there is no native UID/GID model like POSIX, so process identity isolation must be handled differently. |
| 394 | +On Windows, there is no native UID/GID model like POSIX, so process identity isolation [must be handled differently](https://docs.xyops.io/#Docs/scaling/plugin-credentials). |
393 | 395 |
|
394 | 396 | ### Job Execution |
395 | 397 |
|
@@ -505,7 +507,7 @@ Each xySat instance maintains a persistent WebSocket to the conductor for: |
505 | 507 | - monitoring samples |
506 | 508 | - monitor plugin test results |
507 | 509 |
|
508 | | -The default auth model uses an auth token derived from: |
| 510 | +The default auth model uses a SHA-256 auth token derived from: |
509 | 511 |
|
510 | 512 | - `server_id + secret_key` |
511 | 513 |
|
|
0 commit comments