For the first public RESTBase deployment, we need to lock down the public API to only allow GET and POST requests that don't inject user-supplied information into the database. This basically means that the majority of requests will be GETs. These might trigger an internal fetch to a service like Parsoid & a subsequent internal PUT of the content returned to storage. The main POST entry point we'll need to support for now would be Parsoid's html2wt mode (see T75955).
We still need to have a way to create buckets internally, which means PUTs. Ideas:
- hook into some specific MediaWiki access right verified through a call to a userCan MediaWiki API entry point
- set up a secret in config.yaml via the private hiera repository, and allow access from an internal IP range when supplying this secret
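
A sketch of how the second idea could sit in a Node.js request filter, added here as an example and not RESTBase's own code. The `x-internal-secret` header name, the `10.0.0.0/8` range, the html2wt path pattern and the `authorize()` helper are all assumptions, and the secret is a constructed placeholder.

```javascript
const crypto = require('node:crypto');

// Constructed sample config; in the proposal the secret would come from config.yaml.
const CONFIG = {
  internalCidr: '10.0.0.0/8',                 // assumed internal range
  secret: 'constructed-example-secret',       // placeholder, not a real value
  // Assumed path layout for the html2wt entry point.
  publicPostPaths: [/^\/[^/]+\/v1\/transform\/html\/to\/wikitext(?:\/|$)/],
};

// Parse dotted IPv4 (also the ::ffff: mapped form Node reports on dual-stack sockets).
function ipv4ToInt(ip) {
  const m = /^(?:::ffff:)?(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/i.exec(ip || '');
  if (!m) return null;
  const o = m.slice(1).map(Number);
  if (o.some((n) => n > 255)) return null;
  return ((o[0] << 24) | (o[1] << 16) | (o[2] << 8) | o[3]) >>> 0;
}

function inCidr(ip, cidr) {
  const [base, bitsStr] = cidr.split('/');
  const bits = Number(bitsStr);
  const addr = ipv4ToInt(ip), net = ipv4ToInt(base);
  if (addr === null || net === null) return false;   // fail closed on unparsable input
  const mask = bits === 0 ? 0 : (~0 << (32 - bits)) >>> 0;
  return ((addr & mask) >>> 0) === ((net & mask) >>> 0);
}

// Hash both sides so timingSafeEqual gets equal-length buffers and never throws.
function secretMatches(supplied, expected) {
  if (typeof supplied !== 'string') return false;
  const h = (s) => crypto.createHash('sha256').update(s).digest();
  return crypto.timingSafeEqual(h(supplied), h(expected));
}

// req.remoteAddress must be the socket peer address, never a client-set header
// such as X-Forwarded-For. Anything not explicitly allowed is denied.
function authorize(req, cfg = CONFIG) {
  const method = String(req.method).toUpperCase();
  if (method === 'GET') return { allow: true, reason: 'public-read' };
  if (method === 'POST' && cfg.publicPostPaths.some((re) => re.test(req.path))) {
    return { allow: true, reason: 'public-post' };
  }
  if (method === 'PUT' && inCidr(req.remoteAddress, cfg.internalCidr) &&
      secretMatches((req.headers || {})['x-internal-secret'], cfg.secret)) {
    return { allow: true, reason: 'internal-write' };
  }
  return { allow: false, reason: 'denied' };
}
```

The secret alone is not sufficient and neither is the source address: a PUT is accepted only when both checks pass, so a leaked secret is not usable from outside the range.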