Admin creation of API tokens

RESOLVED FIXED

Status

Socorro
Webapp
RESOLVED FIXED
3 years ago
3 years ago

People

(Reporter: peterbe, Assigned: peterbe)

Tracking

Firefox Tracking Flags

(Not tracked)

Details

(Assignee)

Description

3 years ago
At the moment, users who have permissions have the ability to generate API tokens. They are specifically, and without any choice, set to expire in 3 months. 

We need longer lasting keys than that. These are to be used for things like RelEng that needs a token in their scripts for uploading symbols. It would be very unpractical if they have to create a new one every 3 months. 

We can either...
1) Change the form where you create an API token to allow you to specify expiration
1b) Make this choice depend on permissions or user roles you have (e.g. only superusers can create these)
2) Replicate much of the token creation stuff into the superuser-only admin area where you can create a token on behalf of another user (e.g. Ted creates one for releng@mozilla.com) with control on the expiration date. 

I'm happy to take this one but I'd love some feedback from you guys on the choice mentioned above.
I would be fine with the simplest thing you can make work right now, so that this doesn't block other work.

If #2 means it'd work without actually having to log the user in that's appealing, since in this case we're not talking about an actual user but a role account.
Blocks: 1119241
(Assignee)

Comment 2

3 years ago
#1 is easier but the 3month thing was put in there for a reason. 

#2 is more flexible but note, you can't create a token for releng@mozilla.com because it has to be a user who has at least 1 time signed in with Persona. I can do this quite quickly since the admin pages are easy to work on.

Comment 3

3 years ago
Remind me the reason for token expiration? I'm not sure that we need or want it anymore.
(Assignee)

Comment 4

3 years ago
(In reply to Chris Lonnen :lonnen from comment #3)
> Remind me the reason for token expiration? I'm not sure that we need or want
> it anymore.

https://github.com/mozilla/socorro/pull/1886/files#r9722878

I'm going to try to find the original thread about this.

Comment 5

3 years ago
Thanks Peter!

Let's say a user generates a token and uses it in a script. The user's LDAP is revoked, so that they are no longer able to log into crash-stats. Does the token still work?

My current understanding is that it would continue to work. If we could fix that, I'd be ok with removing explicit token generation.
(Assignee)

Comment 6

3 years ago
(In reply to Chris Lonnen :lonnen from comment #5)
> Thanks Peter!
> 
> Let's say a user generates a token and uses it in a script. The user's LDAP
> is revoked, so that they are no longer able to log into crash-stats. Does
> the token still work?
> 
Yes. There's no way LDAP is letting us know that user can no longer Persona in.

> My current understanding is that it would continue to work. If we could fix
> that, I'd be ok with removing explicit token generation.

If we had mozldap deployed or something we'd be able to invalidate tokens belonging to users who longer exist.

Comment 7

3 years ago
I'd be very interested in a means of invalidating credentials quickly.
(Assignee)

Comment 8

3 years ago
Lonnen, 
As a stepping stone solution, if we had more control over making tokens in the admin we could at least use that to break API tokens that belong to a user we (offline) know is no longer in LDAP.
Assignee: nobody → peterbe
Status: NEW → ASSIGNED

Comment 9

3 years ago
If we're going to implement that it makes more sense to remove the whole account, which must necessarily also be expired.

That said, I'm not sure this solution is worthwhile. Superusers are no less prone to account removal than other users, and are probably higher risk since they implicitly have all privs.
(Assignee)

Comment 10

3 years ago
Ok. We'll me it around the Users tab instead. Later. 
I've nevertheless added a Delete button for each token. 

What do you think about manual vs. automatic LDAP querying?

Comment 12

3 years ago
Commits pushed to master at https://github.com/mozilla/socorro

https://github.com/mozilla/socorro/commit/d2a31aeedc8c60fb726948366dcab6119ec0c741
fixes bug 1119347 - Admin creation of API tokens

https://github.com/mozilla/socorro/commit/9e8fec7d47fc23e51a28f07d4ee12c81c8a2d609
Merge pull request #2564 from peterbe/bug-1119347-admin-creation-of-api-tokens

fixes bug 1119347 - Admin creation of API tokens

Updated

3 years ago
Status: ASSIGNED → RESOLVED
Last Resolved: 3 years ago
Resolution: --- → FIXED
You need to log in before you can comment on or make changes to this bug.