Skip to content

Commit 3124d5c

Browse files
committed
Security Overview Doc: Made a few minor corrections and wording adjustments.
1 parent f4ba4f7 commit 3124d5c

1 file changed

Lines changed: 7 additions & 5 deletions

File tree

SECURITY_OVERVIEW.md

Lines changed: 7 additions & 5 deletions
Original file line numberDiff line numberDiff line change
@@ -4,7 +4,7 @@
44

55
This document explains how xyOps protects user accounts, secrets, API access, job execution, and server-to-server communication.
66

7-
xyOps is designed around a few core ideas around security:
7+
xyOps is designed around a few core ideas with regard to security:
88

99
- Keep sensitive data out of the browser unless it is truly needed.
1010
- Encrypt secrets at rest and decrypt them only at the moment of use.
@@ -82,7 +82,7 @@ xyOps protects these in different ways depending on the asset. Some are hashed,
8282
| API key | Salted SHA-256 hash only | Plaintext shown once at creation | Stored hash is based on the key plus the key ID. |
8383
| Secret Vault values | AES-256-GCM encrypted record | No, unless an admin explicitly decrypts a secret | Decrypted only in memory when needed. |
8484
| `secret_key` | Config override file with owner-only permissions | No | Also excluded from config APIs. |
85-
| Satellite auth token | Derived token based on server ID and secret key | Not to ordinary browser users | Used by xySat to authenticate to the conductor. |
85+
| Satellite auth token | Derived token based on server ID and secret key | No | Used by xySat to authenticate to the conductor. |
8686

8787

8888
## Accounts and Sessions
@@ -185,6 +185,8 @@ API keys in xyOps are designed for services and automation, not human browser se
185185
- The plaintext key is generated once and shown once.
186186
- xyOps stores only a salted SHA-256 hash of the key, not the plaintext.
187187
- A masked version is stored for display convenience.
188+
- Each key can have an optional expiration date, after which it auto-disables.
189+
- You can set a max req/sec for each key, for throttling.
188190

189191
The stored hash is:
190192

@@ -324,7 +326,7 @@ xyOps includes an orchestrated secret-key rotation flow for administrators. The
324326
- active jobs are aborted and allowed to drain
325327
- all encrypted secrets are re-encrypted with the new key
326328
- connected servers are re-issued fresh auth tokens
327-
- peer conductors are updated via config overrides
329+
- peer conductors are sent the new secret, fully encrypted using the old one
328330

329331
This is much safer than manually changing a key and hoping all dependent systems catch up.
330332

@@ -389,7 +391,7 @@ It is also possible to install and run xySat manually as a non-root user. That c
389391
- self-upgrade may fail unless the user owns the install directory and restart path
390392
- on POSIX systems, the process cannot switch child jobs to a different UID or GID unless the OS grants it that privilege
391393

392-
On Windows, there is no native UID/GID model like POSIX, so process identity isolation must be handled differently.
394+
On Windows, there is no native UID/GID model like POSIX, so process identity isolation [must be handled differently](https://docs.xyops.io/#Docs/scaling/plugin-credentials).
393395

394396
### Job Execution
395397

@@ -505,7 +507,7 @@ Each xySat instance maintains a persistent WebSocket to the conductor for:
505507
- monitoring samples
506508
- monitor plugin test results
507509

508-
The default auth model uses an auth token derived from:
510+
The default auth model uses a SHA-256 auth token derived from:
509511

510512
- `server_id + secret_key`
511513

0 commit comments

Comments
 (0)