Introducing Access Control for Computing Unit Connections

Date: August 4, 2025
Assignee: Ali Risheh
Reviewer: Chen Li

This document outlines the implementation of the new Access Control Service, which introduces a mandatory authorization layer for all user connections to Computing Units (CUs). This update significantly enhances the security and integrity of the Texera platform.

Previous System Behavior

Previously, the system architecture allowed users to establish a direct WebSocket connection to a Computing Unit via the /wsapi endpoint. While a user-token was passed as a URL parameter, there was no explicit access control check to verify if the user was actually authorized to connect to the requested Computing Unit. This created a potential security vulnerability where any authenticated user could potentially access any CU if they knew its identifier.

New Architecture with Access Control Service

To address this, we have introduced a new Access Control Service. This service acts as a mandatory authorization gateway, managed by Envoy, for any connection request to a Computing Unit.

The new connection flow is as follows:

1. A user initiates an HTTP request to connect to a specific Computing Unit.
2. The request is routed through the Gateway to Envoy.
3. Envoy pauses the request and queries the Access Control Service for an authorization decision.
4. The Access Control Service parses the user's token, queries the PostgreSQL database to verify the user has the necessary permissions for the target Computing Unit.
5. If authorized, the service injects several HTTP headers (x-user-cu-access, x-user-id, x-user-name) into the request and sends an approval back to Envoy.
6. Envoy then forwards the approved request to the Computing Unit.
7. The connection is upgraded to a WebSocket, establishing the interactive session for the user.

If authorization fails at any step (e.g., invalid token, insufficient permissions), Envoy immediately denies the connection request, and the user is prevented from accessing the Computing Unit.

Key Changes & Implications

• Enhanced Security: All connections to Computing Units are now explicitly authorized. This prevents unauthorized users from accessing computational resources and user data.
• Centralized Authorization Logic: The Access Control Service provides a single, dedicated point for managing CU access rules, simplifying future policy updates and maintenance.
• No Performance Impact: The authorization check is performed on the initial HTTP handshake request before the connection is upgraded to a WebSocket. This ensures that once the connection is established, there is no additional latency for the user.