akka-meta
Make ActorRefs unforgeable
This basically means adding a long-enough, cryptographically random piece of data at the end of an ActorRef (practically, make the UID longer and safer).
There are additional changes required to make this useful in practice:
- remove the old Identify feature so it is impossible to look up actors by name anymore, without knowing the secret part of the ActorRef. Receptionists/Service lookup actors should be used instead. The benefit is that now it can be tightly controlled which actors can access which other actors.
- make it possible to create cheap proxy actors that can filter messages passed to their target. The benefit is that this way actors can hand out proxies to their own references with a reduced service and, for example, hand them out remotely. Since the original ActorRef cannot be looked up, nor can it be forged, this is a good building block for access control. Recipients of the "reduced-service" ActorRef can pass it around as a capability, possibly filtering or transforming along the way to sub-services.
Indeed, this is very useful, and we have nearly everything in place in Akka Typed. In particular, the cheap proxies exist already; take a look at akka.typed.internal.FunctionRef. One issue would be the breaking change to ActorPath to contain a Long instead of an Int; either we make a new ActorPath in akka.typed or we need to think hard about how to pull this off.
> In particular, the cheap proxies exist already; take a look at akka.typed.internal.FunctionRef
Yes, streams are already using it :) It is just not exposed as a feature to the users.
> One issue would be the breaking change to ActorPath to contain a Long instead of an Int; either we make a new ActorPath in akka.typed or we need to think hard about how to pull this off.
We can postpone it until 3.0. Maybe there are compatible ways to pull this off though, but I haven't put much thought into it.
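
A toy model of the design proposed in this issue, added here as an illustration; it is not Akka code and not part of the thread. It is written in Python to stay language-neutral, and `System`, `Ref`, `proxy` and the `/user/...` paths are hypothetical names: a reference carries a 128-bit random token, delivery requires that token, there is no lookup by name, and a filtering proxy hands out a reduced-service reference.

```python
import hmac
import secrets
from dataclasses import dataclass

@dataclass(frozen=True)
class Ref:  # toy stand-in for an ActorRef: public path plus secret token
    path: str
    token: bytes  # 128 bits from the OS CSPRNG: the unforgeable part

class System:
    """Hypothetical toy dispatcher with no lookup-by-name (no Identify)."""
    def __init__(self):
        self._actors = {}  # path -> (token, handler)

    def spawn(self, path, handler):
        token = secrets.token_bytes(16)
        self._actors[path] = (token, handler)
        return Ref(path, token)

    def tell(self, ref, msg):
        entry = self._actors.get(ref.path)
        # Constant-time compare so timing does not leak the token.
        if entry is None or not hmac.compare_digest(entry[0], ref.token):
            return False  # unknown path or forged token: drop
        entry[1](msg)
        return True

    def proxy(self, target, path, transform):
        """Cheap proxy: forwards transform(msg) to target unless it is None."""
        def forward(msg):
            out = transform(msg)
            if out is not None:
                self.tell(target, out)
        return self.spawn(path, forward)

def demo():
    system, store, reply = System(), {}, []
    def kv(msg):  # full service: ("put", k, v) or ("get", k, reply_list)
        if msg[0] == "put":
            store[msg[1]] = msg[2]
        else:
            msg[2].append(store.get(msg[1]))
    full = system.spawn("/user/kv", kv)
    read_only = system.proxy(full, "/user/kv-ro", lambda m: m if m[0] == "get" else None)
    system.tell(full, ("put", "a", 1))
    system.tell(read_only, ("put", "a", 2))      # dropped by the proxy filter
    system.tell(read_only, ("get", "a", reply))  # forwarded
    forged = Ref("/user/kv", bytes(16))          # correct path, guessed token
    return reply, system.tell(forged, ("put", "a", 3)), dict(store)
```

The holder of `read_only` has a different token from `full`, so knowing the target's path gives it no way to reach the full service.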