User story #9792
closed
Cannot limit API Keys' permissions
Description
Managing systems with Rudder basically means giving an OOB-Agent complete access over all systems.
Currently there is a working acces control for the users with a quite complex set of permissions one can get, so you can define roles and responsibilities.
OTOH there are all-mighty API Keys, which are only limited by the available functionality of the API itself, it cannot be used outside of systems that you put on the same security-level as the OS of Rudder itself (which is one of the highest).
This basically means you have to make very extra setup if you'd want to ensure the same functional differentiation on the users that need have access to anything that's backed by the API (like a CLI Tool).
A very ugly hacky workaround it to limit functionality of the API on apache level with restrictions to the URL, and probably also the source IP allowed to use it, but as the API grows, this will end up in a very unmaintainable set of rules.
So please think about how to introduce an access control for the API Keys, where you can limit them to specific actions/objects (maybe also source IPs?)
Updated by Janos Mattyasovszky over 7 years ago
- Related to User story #8827: Per-user API keys added
Updated by Janos Mattyasovszky over 7 years ago
- Subject changed from Cannot limit API Keys' access to Cannot limit API Keys' permissions
Updated by Benoît PECCATTE about 7 years ago
- Category set to Security
- Target version set to 4.2.0~beta1
Updated by Benoît PECCATTE about 7 years ago
- Tracker changed from Bug to User story
Updated by Alexis Mousset almost 7 years ago
- Target version changed from 4.2.0~beta1 to 4.2.0~beta2
Updated by Vincent MEMBRÉ almost 7 years ago
- Target version changed from 4.2.0~beta2 to 4.2.0~beta3
Updated by Vincent MEMBRÉ over 6 years ago
- Target version changed from 4.2.0~beta3 to 4.2.0~rc1
Updated by Vincent MEMBRÉ over 6 years ago
- Target version changed from 4.2.0~rc1 to 4.2.0~rc2
Updated by Vincent MEMBRÉ over 6 years ago
- Target version changed from 4.2.0~rc2 to 4.2.0
Updated by Vincent MEMBRÉ over 6 years ago
- Target version changed from 4.2.0 to 4.2.1
Updated by Vincent MEMBRÉ over 6 years ago
- Target version changed from 4.2.1 to 4.2.2
Updated by Vincent MEMBRÉ over 6 years ago
- Target version changed from 4.2.2 to 4.2.3
Updated by Vincent MEMBRÉ over 6 years ago
- Target version changed from 4.2.3 to 4.2.4
Updated by Benoît PECCATTE about 6 years ago
- Target version changed from 4.2.4 to Ideas (not version specific)
Updated by Alexis Mousset over 5 years ago
Rudder 5.0 provides finer grained control over API tokens:
- A general read/write authorization system
- A token expiration mechanism
- Through the dedicated plugin (https://docs.rudder.io/reference/5.0/plugins/api-authorizations.html):
- A token by user, with the same authorizations
- Token with authorizations by request type
Closing this one for now, feel free open other issues for other authorization use cases.