Open Bug 1290775 Opened 9 years ago

Add ability to create lesser-privileged api keys

Categories

(Bugzilla :: User Accounts, enhancement)

enhancement
Not set
normal

People

(Reporter: KWierso, Unassigned)

Details

If I pass an API key to Bugzilla to carry out some privileged operation, Bugzilla allows it to do anything I could do, including reading/writing from/to sec bugs. If someone managed to get that API key, they could do anything I could do.

I think it would be useful if I could generate an API key for which I could revoke my sec bug access (or any other permission, like editbugs, etc.). Any actions attempted with this lower-privileged key would still identify as me, but it wouldn't be able to do things that are in the list of revoked permissions.

My initial use case would be for the Bugherder tool. At the moment, it doesn't even support accessing sec bugs (the list of bugs it identifies is generated as an unauthenticated search, and it would need a significant rewrite to let it authenticate first to maybe include sec bugs), so using my fully privileged API key on it could leak more access than it even needs.