Data Asset Shard
Last updated
The Data Asset Shard is a specialized canister within the Data Asset Management System. Its primary function is to manage the descriptive information (metadata) and access permissions for individual data assets. It acts as the authoritative source for "who owns what" and "who can access what".
Key Responsibilities & Functionality:
Metadata Management:
Stores and manages essential metadata for each data asset. This includes:
Unique Asset ID
Owner's User ID
Creation and modification timestamps
Filename, description, tags, or other descriptive attributes.
Provides interfaces for the Data Asset Service to create, read, update, and delete these metadata records.
Access Control List (ACL) Management:
Maintains a detailed Access Control List for every data asset it manages.
The ACL specifies which user principals (or groups) have permissions to perform actions on the asset (e.g., read, update, delete, share).
Handles requests from the Data Asset Service to grant, revoke, or modify these access permissions.
Enforces time-limited access if specified in the ACL (e.g., access expires after a certain date/time).
Interaction with Data Asset Service:
Acts as a worker canister, primarily receiving instructions and queries from the central Data Asset Service.
It does not typically initiate actions independently but responds to requests for storing metadata, updating ACLs, or retrieving asset information and permissions.
VetKD Integration for Secure Sharing:
Can integrate with the vetkd_system_api (Verifiable Threshold Key Derivation).
This allows the shard to participate in generating encrypted symmetric keys specific to an asset and an authorized recipient.
Facilitates secure sharing mechanisms where decryption keys are derived on-demand for authorized users without exposing a master key, enhancing data confidentiality during sharing.
Internal Storage:
Internally, the Data Asset Shard typically uses stable data structures (B-Trees) to persistently store:
The mapping of Asset IDs to their full metadata records.
The mapping of Asset IDs to their respective Access Control Lists (which principals have what kind of access, and for how long).
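The following is an added illustration, not code from the Data Asset Management System itself, of how the two maps described above (asset ID to metadata, asset ID to ACL) and the ACL rules from the "Access Control List (ACL) Management" section fit together in a shard. It uses std `BTreeMap`s so it runs stand-alone; in a real canister these would be `StableBTreeMap`s from the `ic-stable-structures` crate and `now` would come from `ic_cdk::api::time()`. The `Principal` newtype, the `Permission` set, the `DataAssetShard` type and all method names are assumptions made for this example. The security-relevant points it enforces: the owner always has full access, every other principal needs a live (not yet expired) ACL entry, and a principal holding `Share` can only delegate permissions it holds itself, so delegation cannot escalate. A request to derive a vetKD decryption key for a recipient would be gated on the same `has_permission` check before the shard ever talks to the key-derivation API.

```rust
use std::collections::{BTreeMap, BTreeSet};

/// Hypothetical stand-in for an IC principal; on-canister this would be `candid::Principal`.
#[derive(Clone, Debug, PartialEq, Eq, PartialOrd, Ord)]
pub struct Principal(pub String);

/// Actions the ACL can authorize on an asset.
#[derive(Clone, Copy, Debug, PartialEq, Eq, PartialOrd, Ord)]
pub enum Permission { Read, Update, Delete, Share }

/// Metadata record stored under the asset ID (timestamps are nanoseconds, like `ic_cdk::api::time()`).
#[derive(Clone, Debug, PartialEq, Eq)]
pub struct AssetMetadata {
    pub asset_id: u64,
    pub owner: Principal,
    pub created_at: u64,
    pub modified_at: u64,
    pub filename: String,
    pub description: String,
    pub tags: Vec<String>,
}

/// One ACL entry: what a principal may do and until when (`None` = no expiry).
#[derive(Clone, Debug, PartialEq, Eq)]
pub struct AclEntry {
    pub permissions: BTreeSet<Permission>,
    pub expires_at: Option<u64>,
}

#[derive(Debug, PartialEq, Eq)]
pub enum ShardError { NoSuchAsset, NotAuthorized }

/// The shard's two maps, mirroring the stable structures described in the text.
#[derive(Default)]
pub struct DataAssetShard {
    next_id: u64,
    metadata: BTreeMap<u64, AssetMetadata>,
    acls: BTreeMap<u64, BTreeMap<Principal, AclEntry>>,
}

impl DataAssetShard {
    pub fn create_asset(&mut self, owner: Principal, filename: &str, description: &str,
                        tags: Vec<String>, now: u64) -> u64 {
        let id = self.next_id;
        self.next_id += 1;
        self.metadata.insert(id, AssetMetadata { asset_id: id, owner, created_at: now, modified_at: now,
            filename: filename.to_string(), description: description.to_string(), tags });
        self.acls.insert(id, BTreeMap::new());
        id
    }

    pub fn metadata_of(&self, asset_id: u64) -> Option<&AssetMetadata> { self.metadata.get(&asset_id) }

    /// Authoritative access decision: owner has everything; anyone else needs a live entry
    /// that lists the permission. An unknown asset is always denied.
    pub fn has_permission(&self, asset_id: u64, who: &Principal, perm: Permission, now: u64) -> bool {
        let Some(meta) = self.metadata.get(&asset_id) else { return false; };
        if &meta.owner == who { return true; }
        self.acls.get(&asset_id)
            .and_then(|acl| acl.get(who))
            .map(|e| e.permissions.contains(&perm) && e.expires_at.map_or(true, |t| now < t))
            .unwrap_or(false)
    }

    /// Grant requires `Share`, and a delegating sharer can only hand out permissions it holds itself.
    pub fn grant(&mut self, caller: &Principal, asset_id: u64, grantee: Principal,
                 perms: BTreeSet<Permission>, expires_at: Option<u64>, now: u64) -> Result<(), ShardError> {
        if !self.metadata.contains_key(&asset_id) { return Err(ShardError::NoSuchAsset); }
        if !self.has_permission(asset_id, caller, Permission::Share, now) { return Err(ShardError::NotAuthorized); }
        if perms.iter().any(|p| !self.has_permission(asset_id, caller, *p, now)) { return Err(ShardError::NotAuthorized); }
        self.acls.entry(asset_id).or_default().insert(grantee, AclEntry { permissions: perms, expires_at });
        self.touch(asset_id, now);
        Ok(())
    }

    /// Revoke also requires `Share`; revoking a principal that has no entry is a no-op.
    pub fn revoke(&mut self, caller: &Principal, asset_id: u64, grantee: &Principal, now: u64) -> Result<(), ShardError> {
        if !self.metadata.contains_key(&asset_id) { return Err(ShardError::NoSuchAsset); }
        if !self.has_permission(asset_id, caller, Permission::Share, now) { return Err(ShardError::NotAuthorized); }
        self.acls.entry(asset_id).or_default().remove(grantee);
        self.touch(asset_id, now);
        Ok(())
    }

    /// Drop expired entries (e.g. from a periodic timer) so stale grants do not linger in storage.
    /// Returns how many entries were removed. Expiry is already enforced on read, so this is hygiene.
    pub fn prune_expired(&mut self, asset_id: u64, now: u64) -> usize {
        let Some(acl) = self.acls.get_mut(&asset_id) else { return 0; };
        let before = acl.len();
        acl.retain(|_, e| e.expires_at.map_or(true, |t| now < t));
        before - acl.len()
    }

    fn touch(&mut self, asset_id: u64, now: u64) {
        if let Some(m) = self.metadata.get_mut(&asset_id) { m.modified_at = now; }
    }
}
```

Expiry is checked at decision time (`now < expires_at`), so a grant that has lapsed is denied even before `prune_expired` runs; pruning only keeps the stored ACL from accumulating dead entries. Keeping the decision in one function (`has_permission`) is what lets the shard stay the single authority the text describes: every update path and every key-derivation request consults it rather than re-implementing the rule.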