Dear Colleagues, I support this proposal, it's an improvement for RIPE DB users and also benefits the DB team.
I propose implementing the feature within an SSO account, as both the LIR Portal and RIPE database (at least) can share the same feature, and we reduce the implementation cost. We should not require an LIR Portal account for this feature, it should be available to all users. If we associate the API key to an SSO account, then authentication is done as that user. By contrast, an MD5 password is associated with a (possibly shared) maintainer and is effectively anonymous. If we store the API key outside the RIPE database, we also reduce the disk of a data breach of the RIPE database exposing user credentials. Finally, this approach avoids schema changes to the RIPE database itself, which simplifies the implementation for the DB team. Regards Ed Shryane RIPE NCC > On 21 Feb 2020, at 11:53, Tore Anderson via db-wg <[email protected]> wrote: > > Hi WG. > > In the LIR Portal, at https://lirportal.ripe.net/api/, it is possible to > issue API keys for use with several different RIPE NCC services. > > However, it is unfortunately not possible to issue API keys for the two APIs > that are used for database maintenance; Syncupdates and the RESTful API. The > documentation implies that the only authorisation [sic] method for those APIs > is MD5-PW. > > I propose that the API keys mechanism is extended to Syncupdates and the > RESTful API. > > The already existing default maintainer concept could be leveraged to > accomplish this (similar to how NWI-8 was implemented). That is, using > Syncupdates or the RESTful API with API keys will simply authenticate the > client as the LIR's default maintainer. > > Authorisation should remain handled by in-band mnt-* object attributes, as is > currently the case. > > It would be an acceptable limitation that API keys for database maintenance > are unavailable for LIRs without a default maintainer. > > Assuming the WG agrees that this is a good idea, I request an NWI. > > Tore >
smime.p7s
Description: S/MIME cryptographic signature
