Hey,

I think that if we get x509 client certificate authentication for the API working, it might even be easier.

All the UI to add certs and auth them on mntners is already there, the web services just need endpoints that request and use client provided certs.

https://github.com/RIPE-NCC/whois/issues/534

-----Original Message-----
From: db-wg <[email protected]> On Behalf Of Edward Shryane via db-wg
Sent: 2020-03-17 17:01
To: Tore Anderson <[email protected]>
Cc: db-wg <[email protected]>
Subject: Re: [db-wg] API keys for database maintenance

Dear Colleagues,

I support this proposal, it's an improvement for RIPE DB users and also benefits the DB team.

I propose implementing the feature within an SSO account, as both the LIR Portal and RIPE database (at least) can share the same feature, and we reduce the implementation cost. We should not require an LIR Portal account for this feature, it should be available to all users.

If we associate the API key to an SSO account, then authentication is done as that user. By contrast, an MD5 password is associated with a (possibly shared) maintainer and is effectively anonymous.

If we store the API key outside the RIPE database, we also reduce the risk of a data breach of the RIPE database exposing user credentials.

Finally, this approach avoids schema changes to the RIPE database itself, which simplifies the implementation for the DB team.

Regards
Ed Shryane
RIPE NCC

> On 21 Feb 2020, at 11:53, Tore Anderson via db-wg <[email protected]> wrote:
>
> Hi WG.
>
> In the LIR Portal, at https://lirportal.ripe.net/api/, it is possible to issue API keys for use with several different RIPE NCC services.
>
> However, it is unfortunately not possible to issue API keys for the two APIs that are used for database maintenance; Syncupdates and the RESTful API. The documentation implies that the only authorisation [sic] method for those APIs is MD5-PW.
>
> I propose that the API keys mechanism is extended to Syncupdates and the RESTful API.
>
> The already existing default maintainer concept could be leveraged to accomplish this (similar to how NWI-8 was implemented). That is, using Syncupdates or the RESTful API with API keys will simply authenticate the client as the LIR's default maintainer.
>
> Authorisation should remain handled by in-band mnt-* object attributes, as is currently the case.
>
> It would be an acceptable limitation that API keys for database maintenance are unavailable for LIRs without a default maintainer.
>
> Assuming the WG agrees that this is a good idea, I request an NWI.
>
> Tore
Re: [db-wg] API keys for database maintenance
Gunnar Guðvarðarson via db-wg Wed, 18 Mar 2020 02:01:41 -0700
