Hi Ed,

That sounds like a good plan to me, +1 :)

- Cynthia

On Tue, Mar 17, 2020 at 6:01 PM Edward Shryane via db-wg <[email protected]> wrote:
>
> Dear Colleagues,
>
> I support this proposal, it's an improvement for RIPE DB users and also
> benefits the DB team.
>
> I propose implementing the feature within an SSO account, as both the LIR
> Portal and RIPE database (at least) can share the same feature, and we reduce
> the implementation cost.
>
> We should not require an LIR Portal account for this feature, it should be
> available to all users.
>
> If we associate the API key to an SSO account, then authentication is done as
> that user. By contrast, an MD5 password is associated with a (possibly
> shared) maintainer and is effectively anonymous.
>
> If we store the API key outside the RIPE database, we also reduce the risk of
> a data breach of the RIPE database exposing user credentials.
>
> Finally, this approach avoids schema changes to the RIPE database itself,
> which simplifies the implementation for the DB team.
>
> Regards
> Ed Shryane
> RIPE NCC
>
>
> > On 21 Feb 2020, at 11:53, Tore Anderson via db-wg <[email protected]> wrote:
> >
> > Hi WG.
> >
> > In the LIR Portal, at https://lirportal.ripe.net/api/, it is possible to
> > issue API keys for use with several different RIPE NCC services.
> >
> > However, it is unfortunately not possible to issue API keys for the two
> > APIs that are used for database maintenance; Syncupdates and the RESTful
> > API. The documentation implies that the only authorisation [sic] method for
> > those APIs is MD5-PW.
> >
> > I propose that the API keys mechanism is extended to Syncupdates and the
> > RESTful API.
> >
> > The already existing default maintainer concept could be leveraged to
> > accomplish this (similar to how NWI-8 was implemented). That is, using
> > Syncupdates or the RESTful API with API keys will simply authenticate the
> > client as the LIR's default maintainer.
> >
> > Authorisation should remain handled by in-band mnt-* object attributes, as
> > is currently the case.
> >
> > It would be an acceptable limitation that API keys for database maintenance
> > are unavailable for LIRs without a default maintainer.
> >
> > Assuming the WG agrees that this is a good idea, I request an NWI.
> >
> > Tore
> >
>
