Skip to content
This repository has been archived by the owner on Jul 4, 2024. It is now read-only.

Getting more then one API key and having multi users #258

Open
nmarjanovic opened this issue Jul 17, 2018 · 9 comments
Open

Getting more then one API key and having multi users #258

nmarjanovic opened this issue Jul 17, 2018 · 9 comments

Comments

@nmarjanovic
Copy link

nmarjanovic commented Jul 17, 2018

Hi,

I ask about this, because let say you have dev infra, pre-prod and production. For good security practice you will never use same API key.

Will this be possible with API v5?

We have API like AWS, where you can create group of user with special permissions, like, just get info about some resources, but user can't delete something from production, or change any values.

Thanks

@nmarjanovic nmarjanovic changed the title Getting more then on API key Getting more then one API key Jul 17, 2018
@nmarjanovic nmarjanovic changed the title Getting more then one API key Getting more then one API key and having multi users Jul 17, 2018
@aegiap
Copy link
Contributor

aegiap commented Jul 17, 2018

This is not possible at the moment. The scoping of methods with API key should be in the feature list down the line.

@nmarjanovic
Copy link
Author

Ok, thanks for info and I hope to see this soon, because it's important in many levels of any cloud and app infrastructure.

@aegiap
Copy link
Contributor

aegiap commented Jul 17, 2018

@nmarjanovic but you can create teams in your organization in our v5 website for each of your platform and assign user to each group (a user could be in only one teams per organization).

For now the only API v5 available is for our LiveDNS product. Other product will be supported later.

@nmarjanovic
Copy link
Author

Thanks @aegiap, I will check team settings and see what type of permissions we can set on that level, but guess it's basic, but good for start.

@yanndinendal
Copy link
Member

@nmarjanovic : We welcome suggestions of more specific permission scopes that you would find useful. :)

@nmarjanovic
Copy link
Author

nmarjanovic commented Jul 19, 2018

Where to start:) In any case, if organization have one or 100 domain names, in some point you will need more then one users and you will need few levels of permissions for different company services and solutions.

Ex. 1 (Gandi)

Speaking first about how modern IT teams are build /dev/qa/ops/infra. Do we want this teams to have same levels of permissions? I don't think so. If we look on Gandi side, I see we can add teams, and that is cool, we can restrict few things, but already in this level, you don't have domain/zones separation. If you want to create dev team, and give them permission to use only one zone, Gandi don't provide this type of isolation right now.

Ex. 2 (API)

Case, when you need even more strict API ...OPS team will integrate some type of statistics monitoring, to calculate how many new clients they got last month, and share that board with other company team. This is done in case when every new client on your application use integrated Gandi API to create sub-domain. To see output in monitoring application, you need read only API permission, to get information about number of CNAME, A etc . entries. API can be managed by groups and users .., like Linux permissions system, all big companies use that logic.

Today in many cases, people moving infrastructure to cloud, domain providers need to adjust. Of course that is my opinion. AWS did great job on this level, GCloud and even Azure is working a lot to provide good API.

AWS API user don't even need to have account, and admin can create API key for groups and users, ex., QA team authorization with their own API key, just to start i stop instance in allowed regions. But sure, this system is very big and small companies need more time to have full integration of something like this.

@ZEROF
Copy link

ZEROF commented Jan 28, 2019

It's 2019 :), as we can see, any updates on this?

@lazynooblet
Copy link

Can this year get any worse? First Coronavirus, and now Gandi don't implement API scoping. 😭

We want to implement LetsEncrypt DNS API but we want the API key to only be able to make changes to a single DNS record.

@voltagex
Copy link

ping - looking into implementing https://github.com/joohoi/acme-dns/ as a workaround.

Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Labels
None yet
Projects
None yet
Development

No branches or pull requests

6 participants