[db-wg] API keys for database maintenance

Hey,I think that if we get x509 client certificate authentication for the API working, it might even be easier.All the UI to add certs and auth them on mntners is already there, the web services just need endpoints that request and use client provided certs.https://github.com/RIPE-NCC/whois/issues/534-----Original Message-----From: db-wg <db-wg-bounces at ripe.net> On Behalf Of Edward Shryane via db-wgSent: 2020-03-17 17:01To: Tore Anderson <tore at fud.no>Cc: db-wg <db-wg at ripe.net>Subject: Re: [db-wg] API keys for database maintenanceDear Colleagues,I support this proposal, it's an improvement for RIPE DB users and also benefits the DB team.I propose implementing the feature within an SSO account, as both the LIR Portal and RIPE database (at least) can share the same feature, and we reduce the implementation cost. We should not require an LIR Portal account for this feature, it should be available to all users.If we associate the API key to an SSO account, then authentication is done as that user. By contrast, an MD5 password is associated with a (possibly shared) maintainer and is effectively anonymous.If we store the API key outside the RIPE database, we also reduce the disk of a data breach of the RIPE database exposing user credentials.Finally, this approach avoids schema changes to the RIPE database itself, which simplifies the implementation for the DB team.RegardsEd ShryaneRIPE NCC> On 21 Feb 2020, at 11:53, Tore Anderson via db-wg <db-wg at ripe.net> wrote:> > Hi WG.> > In the LIR Portal, at https://lirportal.ripe.net/api/, it is possible to issue API keys for use with several different RIPE NCC services.> > However, it is unfortunately not possible to issue API keys for the two APIs that are used for database maintenance; Syncupdates and the RESTful API. The documentation implies that the only authorisation [sic] method for those APIs is MD5-PW.> > I propose that the API keys mechanism is extended to Syncupdates and the RESTful API.> > The already existing default maintainer concept could be leveraged to accomplish this (similar to how NWI-8 was implemented). That is, using Syncupdates or the RESTful API with API keys will simply authenticate the client as the LIR's default maintainer.> > Authorisation should remain handled by in-band mnt-* object attributes, as is currently the case.> > It would be an acceptable limitation that API keys for database maintenance are unavailable for LIRs without a default maintainer.> > Assuming the WG agrees that this is a good idea, I request an NWI.> > Tore>