Project

General

Profile

Actions

User story #9792

closed

Cannot limit API Keys' permissions

Added by Janos Mattyasovszky about 8 years ago. Updated about 6 years ago.

Status:
Rejected
Priority:
N/A
Assignee:
-
Category:
Security
UX impact:
Suggestion strength:
User visibility:
Effort required:
Name check:
Fix check:
Regression:

Description

Managing systems with Rudder basically means giving an OOB-Agent complete access over all systems.
Currently there is a working acces control for the users with a quite complex set of permissions one can get, so you can define roles and responsibilities.

OTOH there are all-mighty API Keys, which are only limited by the available functionality of the API itself, it cannot be used outside of systems that you put on the same security-level as the OS of Rudder itself (which is one of the highest).

This basically means you have to make very extra setup if you'd want to ensure the same functional differentiation on the users that need have access to anything that's backed by the API (like a CLI Tool).

A very ugly hacky workaround it to limit functionality of the API on apache level with restrictions to the URL, and probably also the source IP allowed to use it, but as the API grows, this will end up in a very unmaintainable set of rules.

So please think about how to introduce an access control for the API Keys, where you can limit them to specific actions/objects (maybe also source IPs?)


Related issues 1 (0 open1 closed)

Related to Rudder - User story #8827: Per-user API keysRejectedActions
Actions #1

Updated by Janos Mattyasovszky about 8 years ago

Actions #2

Updated by Janos Mattyasovszky about 8 years ago

  • Subject changed from Cannot limit API Keys' access to Cannot limit API Keys' permissions
Actions #3

Updated by Benoît PECCATTE almost 8 years ago

  • Category set to Security
  • Target version set to 4.2.0~beta1
Actions #4

Updated by Benoît PECCATTE almost 8 years ago

  • Tracker changed from Bug to User story
Actions #5

Updated by Alexis Mousset over 7 years ago

  • Target version changed from 4.2.0~beta1 to 4.2.0~beta2
Actions #6

Updated by Vincent MEMBRÉ over 7 years ago

  • Target version changed from 4.2.0~beta2 to 4.2.0~beta3
Actions #7

Updated by Vincent MEMBRÉ over 7 years ago

  • Target version changed from 4.2.0~beta3 to 4.2.0~rc1
Actions #8

Updated by Vincent MEMBRÉ over 7 years ago

  • Target version changed from 4.2.0~rc1 to 4.2.0~rc2
Actions #9

Updated by Vincent MEMBRÉ over 7 years ago

  • Target version changed from 4.2.0~rc2 to 4.2.0
Actions #10

Updated by Vincent MEMBRÉ about 7 years ago

  • Target version changed from 4.2.0 to 4.2.1
Actions #11

Updated by Vincent MEMBRÉ about 7 years ago

  • Target version changed from 4.2.1 to 4.2.2
Actions #12

Updated by Vincent MEMBRÉ about 7 years ago

  • Target version changed from 4.2.2 to 4.2.3
Actions #13

Updated by Vincent MEMBRÉ about 7 years ago

  • Target version changed from 4.2.3 to 4.2.4
Actions #14

Updated by Benoît PECCATTE almost 7 years ago

  • Target version changed from 4.2.4 to Ideas (not version specific)
Actions #15

Updated by Alexis Mousset about 6 years ago

Rudder 5.0 provides finer grained control over API tokens:

Closing this one for now, feel free open other issues for other authorization use cases.

Actions #16

Updated by Alexis Mousset about 6 years ago

  • Status changed from New to Rejected
Actions

Also available in: Atom PDF