Details
Improvement
Resolution: Unresolved
Major
None
Professional Edition
$ svn info
Path: .
Working Copy Root Path: /opt/observium
URL: http://svn.observium.org/svn/observium/trunk
Repository Root: http://svn.observium.org/svn
Repository UUID: 61d68cd4-352d-0410-923a-c4978735b2b8
Revision: 10084
Node Kind: directory
Schedule: normal
Last Changed Author: mike
Last Changed Rev: 10084
Last Changed Date: 2019-10-08 02:54:10 +1000 (Tue, 08 Oct 2019)
Description
Relying on the webUI's auth mechanism for API auth is painful, particularly so when using the LDAP or RADIUS external modules, which can cause long delays/timeouts during auth and so impact software integrations against Observium. It also means that some kind of service account needs to be defined in the external authentication store, which opens a can of worms in terms of compliance and security policy with respect to password expiration and enforced changes over time.
The attached .sql defines a new table in the SQL schema, 'api_tokens'. API tokens are intended to be tied to a MySQL-defined user so that RBAC based on user levels can be performed in the API, if implemented.
The attached .diff adds code to support 'api_token' as an auth mechanism for requests whose URI begins with '/api/'.
Authentication for the webUI is not impacted.
The default API auth mechanism inherits from the top-level auth mechanism, to avoid impacting the existing API auth methods users rely on.
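As an added illustration of the access-control logic this description implies (it is not the attached .diff or .sql, which are not reproduced here), the following Python sketch stores only a digest of each token, binds the token to a user row, honours it only for URIs under /api/, and lets the API mechanism default to the top-level one. The table columns, the config key api_auth_mechanism and the X-Auth-Token header are assumptions.

```python
import hashlib
import hmac
import secrets
from datetime import datetime, timedelta, timezone

# Constructed stand-in for the proposed 'api_tokens' table and the users table.
# Column names (user_id, token_hash, expires) are assumed, not the attached schema.
USERS = {1: {"username": "integration-svc", "level": 10}}
API_TOKENS = []
CONSTRUCTED_NOW = datetime(2019, 10, 8, tzinfo=timezone.utc)  # fixed clock for the demo


def _digest(token):
    # Only a digest is stored, so a dumped table does not yield usable tokens.
    return hashlib.sha256(token.encode()).hexdigest()


def create_api_token(user_id, now, ttl_days=90):
    """Issue a random token bound to a user; the clear text is returned once."""
    token = secrets.token_urlsafe(32)
    API_TOKENS.append({"user_id": user_id, "token_hash": _digest(token),
                       "expires": now + timedelta(days=ttl_days)})
    return token


def lookup_token(token, now):
    """Return the user row for a valid, unexpired token, else None."""
    digest = _digest(token)
    for row in API_TOKENS:
        # Constant-time compare so timing does not leak digest prefixes.
        if hmac.compare_digest(row["token_hash"], digest) and row["expires"] > now:
            return USERS.get(row["user_id"])
    return None


def api_auth_mechanism(config):
    """API mechanism defaults to the top-level one (config key is an assumption)."""
    return config.get("api_auth_mechanism", config["auth_mechanism"])


def authenticate_request(uri, headers, config, now=None):
    """Return (mechanism, user). Non-/api/ URIs never reach the token logic."""
    now = now or datetime.now(timezone.utc)
    if not uri.startswith("/api/"):
        return ("webui", None)
    mech = api_auth_mechanism(config)
    if mech != "api_token":
        return (mech, None)  # existing LDAP/RADIUS/MySQL path handles it
    token = headers.get("X-Auth-Token")  # header name is an assumption
    return ("api_token", lookup_token(token, now) if token else None)
```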