Skip to main content

Permission Modes

Shares created in zrok v0.4.26 and newer now include a choice of permission mode.

Shares created with zrok v0.4.25 and older were created using what is now called the open permission mode. Whether public or private, these shares can be accessed by any user of the zrok service instance, as long as they know the share token of the share. Effectively shares with the open permission mode are accessible by any user of the zrok service instance.

zrok now supports a closed permission mode, which allows for more fine-grained control over which zrok users are allowed to privately access your shares using zrok access private.

zrok defaults to continuing to create shares with the open permission mode. This will likely change in a future release. We're leaving the default behavior in place to allow users a period of time to get comfortable with the new permission modes.

Creating a Share with Closed Permission Mode

Adding the --closed flag to the zrok share or zrok reserve commands will create shares using the closed permission mode:

$ zrok share private --headless --closed -b web .
[   0.066]    INFO main.(*sharePrivateCommand).run: allow other to access your share with the following command:
zrok access private 0vzwzodf0c7g

By default any environment owned by the account that created the share is allowed to access the new share. But a user trying to access the share from an environment owned by a different account will enounter the following error message:

$ zrok access private 0vzwzodf0c7g
[ERROR]: unable to access ([POST /access][401] accessUnauthorized)

The zrok share and zrok reserve commands now include an --access-grant flag, which allows you to specify additional zrok accounts that are allowed to access your shares:

$ zrok share private --headless --closed --access-grant anotheruser@test.com -b web .
[   0.062]    INFO main.(*sharePrivateCommand).run: allow other to access your share with the following command:
zrok access private y6h4at5xvn6o

And now anotheruser@test.com will be allowed to access the share:

$ zrok access private --headless y6h4at5xvn6o
[   0.049]    INFO main.(*accessPrivateCommand).run: allocated frontend 'VyvrJihAOEHD'
[   0.051]    INFO main.(*accessPrivateCommand).run: access the zrok share at the following endpoint: http://127.0.0.1:9191

Adding and Removing Access Grants for Existing Shares

If you've created a share (either reserved or ephemeral) and you forgot to include an access grant, or want to remove an access grant that was mistakenly added, you can use the zrok modify share command to make the adjustments:

Create a share:

$ zrok share private --headless --closed -b web .
[   0.064]    INFO main.(*sharePrivateCommand).run: allow other to access your share with the following command:
zrok access private s4czjylwk7wa

In another shell in the same environment you can execute:

$ zrok modify share s4czjylwk7wa --add-access-grant anotheruser@test.com
updated

And to remove the grant:

$ zrok modify share s4czjylwk7wa --remove-access-grant anotheruser@test.com
updated

Limitations

As of v0.4.26 there is currently no way to list the current access grants. This will be addressed shortly in a subsequent update.