[tahoe-lafs-trac-stream] [Tahoe-LAFS] #2084: Commercial grids need an ability to disallow downloads without deleting data
Tahoe-LAFS
trac at tahoe-lafs.org
Wed Jul 3 14:47:04 UTC 2019
#2084: Commercial grids need an ability to disallow downloads without deleting
data
-----------------------------+-----------------------------------
Reporter: esnyder | Owner: daira
Type: enhancement | Status: new
Priority: normal | Milestone: undecided
Component: unknown | Version: 1.10.0
Resolution: | Keywords: accounting revocation
Launchpad Bug: |
-----------------------------+-----------------------------------
Comment (by exarkun):
So, trying to tie some of those thoughts back into this use-case...

_If_ you have an access control system which can prevent arbitrary lease
renewal then you can lean on lease expiration to disallow downloads.
You don't even need to turn on the garbage collector in this case. The
shares will remain stored but unreadable. You can authorize the renew
lease operation based on your payment processing system to restore access
to affected shares to users who pay their bill.

If you _also_ want to be able to eventually garbage collect something then
you do need some kind of two-tiered share expiration system. You have
some period of time when the share is retained and access is allowed.
Then you have some period of time when the share is retained and access is
denied. Then you have a point in time when the share becomes fair game
for garbage collection.

You could define these periods in terms of intervals. If a lease lasts 31
days then perhaps a "storage grace period" extends for another 31 days
beyond the end of the lease. Then 62 days after a lease is taken on a
share, the garbage collector may delete the data.

Tahoe-LAFS already has a configuration option which can probably be
(ab)used to provide part of what's required here:
{{{
[storage]
expire.enabled = true
expire.mode = age
expire.override_lease_duration = 62days
}}}
With this configuration, a storage server will not consider garbage
collecting shares until the associated lease is at least 62 days old.
With an access control system
(https://tahoe-lafs.org/trac/tahoe-lafs/milestone/storage%20economics%20plugins)
that is separately configurable and enforces denial of operations (except
for lease renewal) when the lease is older than some smaller age, the
desired behavior is achieved.

This might look like:
{{{
[storage]
plugins = tahoelafs-simplepaymentsauthorizerexample-v1
[storage.plugins.tahoelafs-simplepaymentsauthorizerexample-v1]
expire.lease_duration_for_access = 31days
}}}
(https://tahoe-lafs.org/trac/tahoe-lafs/ticket/3053)
Thus, access is allowed for 31 days after a lease is added or renewed but
the share is retained for 62 days after a lease is added or renewed.
--
Ticket URL: <https://tahoe-lafs.org/trac/tahoe-lafs/ticket/2084#comment:4>
Tahoe-LAFS <https://Tahoe-LAFS.org>
secure decentralized storage
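
Added example, not part of the comment above and not Tahoe-LAFS code: a sketch of the two-tier decision the comment describes, reading both windows from a constructed tahoe.cfg and classifying a share by the age of its newest lease. The plugin section and expire.lease_duration_for_access are the comment's illustrative names; parse_days, load_windows, share_state and the rule that the access window must be shorter than the retention window are assumptions of this sketch.

```python
import configparser
import re

# The two config fragments from the comment, merged into one constructed
# tahoe.cfg. The plugin name and expire.lease_duration_for_access are the
# comment's illustrative names, not an existing Tahoe-LAFS plugin.
PLUGIN = "tahoelafs-simplepaymentsauthorizerexample-v1"
SAMPLE_CFG = """
[storage]
expire.enabled = true
expire.mode = age
expire.override_lease_duration = 62days
plugins = tahoelafs-simplepaymentsauthorizerexample-v1

[storage.plugins.tahoelafs-simplepaymentsauthorizerexample-v1]
expire.lease_duration_for_access = 31days
"""

DAY = 24 * 60 * 60

def parse_days(text):
    """Simplified duration parser (assumption): only '<N>day' or '<N>days'."""
    m = re.fullmatch(r"\s*(\d+)\s*days?\s*", text)
    if not m:
        raise ValueError("unsupported duration: %r" % (text,))
    return int(m.group(1)) * DAY

def load_windows(cfg_text):
    """Return (access_seconds, retain_seconds); reject a config with no denial window."""
    cfg = configparser.ConfigParser()
    cfg.read_string(cfg_text)
    retain = parse_days(cfg["storage"]["expire.override_lease_duration"])
    access = parse_days(cfg["storage.plugins." + PLUGIN]["expire.lease_duration_for_access"])
    if access >= retain:
        raise ValueError("access window must be shorter than retention window")
    return access, retain

def share_state(renew_times, now, access, retain):
    """Classify a share by the age of its most recently renewed lease."""
    if not renew_times:
        return "collectable"       # no lease at all
    age = now - max(renew_times)
    if age <= access:
        return "accessible"        # normal operations allowed
    if age <= retain:
        return "renew-only"        # data kept, only lease renewal authorized
    return "collectable"           # garbage collector may delete the share
```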