While the possibilities for access controls that can be encoded in a Caveat are virtually unlimited, the specific Caveats supported on the Tardigrade Platform today are as follows:
Specific Operations: Caveats can restrict whether an Access Grant can permit any of the following operations:
Bucket: Caveats can restrict whether an Access Grant can permit operations on one or more Buckets.
Path and path prefix: Caveats can restrict whether an Access Grant can permit operations on Objects within a specific path in the object hierarchy.
Time Window: Caveats can restrict when an Access Grant can permit operations on objects stored on the platform.
The Satellite code that implements the supported Caveats (Link to specific) is available for review on GitHub. When the Uplink Client is used to share access to an object stored on the Tardigrade Platform, the Access Grant addresses only access to that object.
When an Uplink Client makes a request to a Satellite to perform an action on an object, the Satellite will evaluate the validity of the Access Grant and allow the action if the Access Grant is valid for the action and object.
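The evaluation described above, sketched as an added Go example (not the Satellite's code and not taken from the Storj repository): each Caveat is checked against the request, and all of them must permit it. The `Caveat` and `Request` types, the `Allowed` function, the operation strings, and the sample bucket and path are assumptions made for illustration.

```go
package main

import (
	"fmt"
	"strings"
	"time"
)

// Caveat models one restriction on an Access Grant. Field names and the
// operation strings ("read", "write") are assumptions made for this example.
type Caveat struct {
	Ops                 []string  // allowed operations; empty = unrestricted
	Bucket, PathPrefix  string    // empty = unrestricted
	NotBefore, NotAfter time.Time // zero value = unbounded
}

// Request is the action an Uplink Client asks the Satellite to perform.
type Request struct {
	Op, Bucket, Path string
	At               time.Time
}

// permits reports whether this one caveat allows the request.
func (c Caveat) permits(r Request) bool {
	opOK := len(c.Ops) == 0
	for _, op := range c.Ops {
		opOK = opOK || op == r.Op
	}
	return opOK &&
		(c.Bucket == "" || c.Bucket == r.Bucket) &&
		strings.HasPrefix(r.Path, c.PathPrefix) &&
		(c.NotBefore.IsZero() || !r.At.Before(c.NotBefore)) &&
		(c.NotAfter.IsZero() || !r.At.After(c.NotAfter))
}

// Allowed requires every caveat to permit the request, so appending a
// caveat can only narrow what the grant authorizes, never widen it.
func Allowed(caveats []Caveat, r Request) bool {
	for _, c := range caveats {
		if !c.permits(r) {
			return false
		}
	}
	return true
}

func main() {
	end := time.Date(2021, 1, 1, 0, 0, 0, 0, time.UTC) // constructed sample values
	grant := []Caveat{{Ops: []string{"read"}, Bucket: "docs", PathPrefix: "reports/", NotAfter: end}}
	req := Request{Op: "read", Bucket: "docs", Path: "reports/q3.pdf", At: end.Add(-time.Hour)}
	fmt.Println(Allowed(grant, req))
}
```

The prefix check here is a plain string match, so the sample prefix ends in `/` to keep `reports-old/...` outside the scope of `reports/`.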
In the case of sharing read access to an object, the Access Grant is used to allow an Uplink Client to download the pieces of a file and re-encode the pieces into a complete file, but the Uplink Client must also be able to decrypt the encrypted file for file sharing to be actually useful.