Target release: DP1? - not urgent
Epic:
Document status: DRAFT
Document owner:
Developers:
Dependencies: Security architecture
Notes: FE - signoff on preventing scanning by sufficiently long token, deal as feature

Goals

  • Ensure that users' personal query results are not accessible by others
  • Implement existing requirements; avoid the use of security-by-obscurity

Background and strategic fit

  • Provide access control (e.g., requirement for authorization headers) for the results (and error) objects generated in TAP queries

Note that this is a more general problem for all Rubin UWS services that return results, and should probably be solved at that layer of the stack.

Whatever strategy is adopted will have to be shown to be workable with the supported clients, both required (PyVO and Rubin Portal) and highly desirable (TOPCAT).


Assumptions

Requirements

# | Title | User Story | Importance | Notes
1 |  |  |  |
2 |  |  |  |



User interaction and design

Questions

Below is a list of questions to be addressed as a result of this requirements document:

Question | Outcome

Not Doing