Clarification needed on zrok private shares

I was re-reading the zrok documentation, and had a small question about the private shares. Here’s the section I’m wondering about: “The zrok access private wvszln4dyz9q command can be run by any zrok user, allowing them to create and bind a local HTTP listener, that allows for private access to your shared resources.”

Does this mean that any other zrok user, even others not enabled with my same secret token, will be able to connect, if they have the right share token? Or, does that still require it to be one of the nodes that show up in my web console? My understanding is that only devices that show up in that graphical “web” on my account would be able to access a private share, but the wording in the docs is ambiguous enough that I want to be sure I’m understanding it correctly.

Hi @Logan_Rollins, Yes, any zrok.io enabled environment can access a private share if they have the private access token. That way, you can share privately with another party that is registered with zrok.io, and they can enable one or more environments of their own.

@qrkourier Thanks for clarifying. I have a followup question to this. What if I assign a --unique-name with zrok reserve private? This name will then be used as the token for the share, which other users with other environments should be able to access once I activate the share with zrok share private.... How can this possibly work? The unique name I assign can be used by other users to reserve shares in other environments, right? Or perhaps I am misunderstanding something?

You understand correctly, and it is because of the order in which zrok features were developed. I’ll provide some links too.

  1. private shares
  2. unique names (described in the context of drive mode)
  3. permission modes

Now you can say:

zrok reserve private 80 --closed --unique-name=myclosedshare

This will reserve a vanity share token with the optional “closed” permission mode, which is available only to your zrok account by default. You may allow specific, additional zrok accounts with --access-grant alice@example.com.

Link to the OpenZiti forum
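As an added illustration of the workflow described above (this is example code written for this thread, not part of the zrok project or the posts), the helper below reserves a vanity-named private share in the “closed” permission mode and grants it to an explicit list of zrok accounts. It assumes the CLI surface mentioned in the thread: `zrok reserve private <port> --closed --unique-name=<name> --access-grant <email>` (the grant flag repeated once per account) plus `zrok share reserved <name>` to start serving the reservation. The `DRY_RUN` switch, the `ZROK_BIN` override and the input checks are this script’s own conventions, not zrok’s.

```shell
#!/bin/sh
# Added example, not code from zrok or from the forum thread.
# Reserve a closed private share under a unique (vanity) name and grant
# access only to named zrok accounts. A unique name is guessable, so the
# helper always emits --closed: the name alone must never be the secret.
# Assumed zrok CLI: `zrok reserve private <port> --closed --unique-name=<n>
# --access-grant <email>` (repeatable) and `zrok share reserved <n>`.
# DRY_RUN=1 prints the commands instead of running them; ZROK_BIN overrides
# the binary path (both are this script's own switches).

ZROK_BIN=${ZROK_BIN:-zrok}

# Minimal shape check for a grantee: one '@', nothing shell-unsafe.
is_email() {
    case $1 in
        *[!A-Za-z0-9._%+@-]*|*@*@*|@*|*@|"") return 1 ;;
        *@*) return 0 ;;
        *) return 1 ;;
    esac
}

# Print the reserve command for <port> <unique-name> [grantee-email ...].
# The name check is a conservative local rule (lowercase alphanumerics),
# not zrok's own validation.
build_reserve_cmd() {
    port=$1 name=$2
    shift 2
    case $port in ''|*[!0-9]*) echo "bad port: '$port'" >&2; return 1 ;; esac
    case $name in ''|*[!a-z0-9]*) echo "bad unique name: '$name'" >&2; return 1 ;; esac
    cmd="$ZROK_BIN reserve private $port --closed --unique-name=$name"
    for grantee in "$@"; do
        is_email "$grantee" || { echo "bad grantee: '$grantee'" >&2; return 1; }
        cmd="$cmd --access-grant $grantee"
    done
    printf '%s\n' "$cmd"
}

# Reserve the share, then start serving the reservation. With DRY_RUN=1 the
# two commands are only printed, which also lets the logic be checked offline.
reserve_and_share() {
    reserve=$(build_reserve_cmd "$@") || return 1
    name=$2
    if [ "${DRY_RUN:-0}" = 1 ]; then
        printf '%s\n' "$reserve" "$ZROK_BIN share reserved $name"
        return 0
    fi
    $reserve && "$ZROK_BIN" share reserved "$name"
}

# Direct use: sh reserve_closed.sh 80 myclosedshare alice@example.com
if [ "$#" -gt 0 ]; then
    reserve_and_share "$@"
fi
```

Grantees then reach the share from their own enabled environment with `zrok access private myclosedshare`; accounts not named in an `--access-grant` (and not the owner) are refused because the share is closed, which is the property the unique name by itself cannot provide.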

@kbingham Ok, thanks a lot for the explanation! So it means that as soon as I assign a vanity token, the share will be closed by default and only I and others I specifically allow will be able to access it, is that correct?