[db-wg] API keys for database maintenance
- Previous message (by thread): [db-wg] API keys for database maintenance
- Next message (by thread): [db-wg] API keys for database maintenance
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
Cynthia Revström
me at cynthia.re
Tue Mar 17 20:11:00 CET 2020
Hi Ed, That sounds like a good plan to me, +1 :) - Cynthia On Tue, Mar 17, 2020 at 6:01 PM Edward Shryane via db-wg <db-wg at ripe.net> wrote: > > Dear Colleagues, > > I support this proposal, it's an improvement for RIPE DB users and also benefits the DB team. > > I propose implementing the feature within an SSO account, as both the LIR Portal and RIPE database (at least) can share the same feature, and we reduce the implementation cost. > > We should not require an LIR Portal account for this feature, it should be available to all users. > > If we associate the API key to an SSO account, then authentication is done as that user. By contrast, an MD5 password is associated with a (possibly shared) maintainer and is effectively anonymous. > > If we store the API key outside the RIPE database, we also reduce the disk of a data breach of the RIPE database exposing user credentials. > > Finally, this approach avoids schema changes to the RIPE database itself, which simplifies the implementation for the DB team. > > Regards > Ed Shryane > RIPE NCC > > > > On 21 Feb 2020, at 11:53, Tore Anderson via db-wg <db-wg at ripe.net> wrote: > > > > Hi WG. > > > > In the LIR Portal, at https://lirportal.ripe.net/api/, it is possible to issue API keys for use with several different RIPE NCC services. > > > > However, it is unfortunately not possible to issue API keys for the two APIs that are used for database maintenance; Syncupdates and the RESTful API. The documentation implies that the only authorisation [sic] method for those APIs is MD5-PW. > > > > I propose that the API keys mechanism is extended to Syncupdates and the RESTful API. > > > > The already existing default maintainer concept could be leveraged to accomplish this (similar to how NWI-8 was implemented). That is, using Syncupdates or the RESTful API with API keys will simply authenticate the client as the LIR's default maintainer. > > > > Authorisation should remain handled by in-band mnt-* object attributes, as is currently the case. > > > > It would be an acceptable limitation that API keys for database maintenance are unavailable for LIRs without a default maintainer. > > > > Assuming the WG agrees that this is a good idea, I request an NWI. > > > > Tore > > >
- Previous message (by thread): [db-wg] API keys for database maintenance
- Next message (by thread): [db-wg] API keys for database maintenance
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
[ db-wg Archives ]