kraih wrote:
okurz wrote:
What do you see as benefit for temporary expiring tokens?
The requirements for the user workflow are currently very vague. Temporary expiring tokens give us the most freedom to figure out what exactly users want and modify the system based on feedback. Access control levels could be added/changed without the need for database migrations.
We should not be scared of database migrations. Not that we should necessarily design that we would always need database migrations to introduce more fine grained details for access control levels but to introduce the concept of a more fine grained control in general. Currently I see any access control levels going further than the current "unauthenticated/user/operator/admin" levels out of scope for the work to be planned here.
okurz wrote:
And what is the difference for user access tokens vs. apisecrets? They are also already created by users themselves
Good point. It really depends on what workflow we end up with. Reusing "$user:$key$secret" as access token could be enough if we are sure that level of access control is all we need. And would be the easiest solution for me to implement.
Yes, that is all that we currently need.
Here's a few question that need to be answered first though:
- Should access tokens always have the same level of access as the user that created them? GitHub has fine grained access levels to mitigate security risks (i've attached a screenshot as example).
I can see the screenshot. And I think github is a nice example but I do not see that we need that as openQA is not a "single closed-source service" but a server that we market to be installable by users even for single-person instances as well as have multi-user instances but with the limit of not needing more fine grained access levels. So in short: For now, yes, access tokens should always have the same level of access as the user that created them
- What additional information would we need to keep for API keys? At the very least a comment field to remember what automated service an API key has been created for comes to mind.
yes, an optional comment sounds good.
- How much flexibility do we need for future changes to the personal access token system? Changes to the key+secret system have a risk of interfering with micro service IPC and other existing
OpenQA::Client
uses. Which are much more important than user automation scripts.
I agree but I am confident that in the case we even would need such change we can get along with a migration and stringent inter-dependency of services key+secret API version.
- How much do we trust our users to not use one pair of key+secret for absolutely everything and ignore security risks completely? Do we care?
I am sure that the majority of users will use one pair for everything and some of them will leak the details in the web :D But we should not care.
- Is there no chance at all we might need a token access level below operator in he future? Perhaps for certain read-only endpoints?
Well, certainly there is a chance but what would that interfer with now? And another point: Right now an authenticated user can actually not do that much so from my experience existing users ask soon to become "operator", meaning that should give us some leeway to give "user" more permissions when we see good, limited new use cases for that.