This archive is retained to ensure existing URLs remain functional. It will not contain any emails sent to this mailing list after July 1, 2024. For all messages, including those sent before and after this date, please visit the new location of the archive at https://mailman.ripe.net/archives/list/[email protected]/

[db-wg] API keys for database maintenance

Previous message (by thread): [db-wg] API keys for database maintenance
Next message (by thread): [db-wg] API keys for database maintenance

Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Cynthia Revström me at cynthia.re
Tue Mar 17 20:11:00 CET 2020

Hi Ed,

That sounds like a good plan to me, +1 :)

- Cynthia

On Tue, Mar 17, 2020 at 6:01 PM Edward Shryane via db-wg <db-wg at ripe.net> wrote:
>
> Dear Colleagues,
>
> I support this proposal, it's an improvement for RIPE DB users and also benefits the DB team.
>
> I propose implementing the feature within an SSO account, as both the LIR Portal and RIPE database (at least) can share the same feature, and we reduce the implementation cost.
>
> We should not require an LIR Portal account for this feature, it should be available to all users.
>
> If we associate the API key to an SSO account, then authentication is done as that user. By contrast, an MD5 password is associated with a (possibly shared) maintainer and is effectively anonymous.
>
> If we store the API key outside the RIPE database, we also reduce the disk of a data breach of the RIPE database exposing user credentials.
>
> Finally, this approach avoids schema changes to the RIPE database itself, which simplifies the implementation for the DB team.
>
> Regards
> Ed Shryane
> RIPE NCC
>
>
> > On 21 Feb 2020, at 11:53, Tore Anderson via db-wg <db-wg at ripe.net> wrote:
> >
> > Hi WG.
> >
> > In the LIR Portal, at https://lirportal.ripe.net/api/, it is possible to issue API keys for use with several different RIPE NCC services.
> >
> > However, it is unfortunately not possible to issue API keys for the two APIs that are used for database maintenance; Syncupdates and the RESTful API. The documentation implies that the only authorisation [sic] method for those APIs is MD5-PW.
> >
> > I propose that the API keys mechanism is extended to Syncupdates and the RESTful API.
> >
> > The already existing default maintainer concept could be leveraged to accomplish this (similar to how NWI-8 was implemented). That is, using Syncupdates or the RESTful API with API keys will simply authenticate the client as the LIR's default maintainer.
> >
> > Authorisation should remain handled by in-band mnt-* object attributes, as is currently the case.
> >
> > It would be an acceptable limitation that API keys for database maintenance are unavailable for LIRs without a default maintainer.
> >
> > Assuming the WG agrees that this is a good idea, I request an NWI.
> >
> > Tore
> >
>

Previous message (by thread): [db-wg] API keys for database maintenance
Next message (by thread): [db-wg] API keys for database maintenance

Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

[ db-wg Archives ]