At the moment, users who have permissions have the ability to generate API tokens. They are specifically, and without any choice, set to expire in 3 months. We need longer lasting keys than that. These are to be used for things like RelEng that needs a token in their scripts for uploading symbols. It would be very unpractical if they have to create a new one every 3 months. We can either... 1) Change the form where you create an API token to allow you to specify expiration 1b) Make this choice depend on permissions or user roles you have (e.g. only superusers can create these) 2) Replicate much of the token creation stuff into the superuser-only admin area where you can create a token on behalf of another user (e.g. Ted creates one for firstname.lastname@example.org) with control on the expiration date. I'm happy to take this one but I'd love some feedback from you guys on the choice mentioned above.
I would be fine with the simplest thing you can make work right now, so that this doesn't block other work. If #2 means it'd work without actually having to log the user in that's appealing, since in this case we're not talking about an actual user but a role account.
#1 is easier but the 3month thing was put in there for a reason. #2 is more flexible but note, you can't create a token for email@example.com because it has to be a user who has at least 1 time signed in with Persona. I can do this quite quickly since the admin pages are easy to work on.
Remind me the reason for token expiration? I'm not sure that we need or want it anymore.
(In reply to Chris Lonnen :lonnen from comment #3) > Remind me the reason for token expiration? I'm not sure that we need or want > it anymore. https://github.com/mozilla/socorro/pull/1886/files#r9722878 I'm going to try to find the original thread about this.
Thanks Peter! Let's say a user generates a token and uses it in a script. The user's LDAP is revoked, so that they are no longer able to log into crash-stats. Does the token still work? My current understanding is that it would continue to work. If we could fix that, I'd be ok with removing explicit token generation.
(In reply to Chris Lonnen :lonnen from comment #5) > Thanks Peter! > > Let's say a user generates a token and uses it in a script. The user's LDAP > is revoked, so that they are no longer able to log into crash-stats. Does > the token still work? > Yes. There's no way LDAP is letting us know that user can no longer Persona in. > My current understanding is that it would continue to work. If we could fix > that, I'd be ok with removing explicit token generation. If we had mozldap deployed or something we'd be able to invalidate tokens belonging to users who longer exist.
I'd be very interested in a means of invalidating credentials quickly.
Lonnen, As a stepping stone solution, if we had more control over making tokens in the admin we could at least use that to break API tokens that belong to a user we (offline) know is no longer in LDAP.
Assignee: nobody → peterbe
Status: NEW → ASSIGNED
If we're going to implement that it makes more sense to remove the whole account, which must necessarily also be expired. That said, I'm not sure this solution is worthwhile. Superusers are no less prone to account removal than other users, and are probably higher risk since they implicitly have all privs.
Ok. We'll me it around the Users tab instead. Later. I've nevertheless added a Delete button for each token. What do you think about manual vs. automatic LDAP querying?
Commits pushed to master at https://github.com/mozilla/socorro https://github.com/mozilla/socorro/commit/d2a31aeedc8c60fb726948366dcab6119ec0c741 fixes bug 1119347 - Admin creation of API tokens https://github.com/mozilla/socorro/commit/9e8fec7d47fc23e51a28f07d4ee12c81c8a2d609 Merge pull request #2564 from peterbe/bug-1119347-admin-creation-of-api-tokens fixes bug 1119347 - Admin creation of API tokens
Status: ASSIGNED → RESOLVED
Last Resolved: 3 years ago
Resolution: --- → FIXED
Depends on: 1122711
You need to log in before you can comment on or make changes to this bug.