Netbox API Tokens Permissions #11821
-
|
Hello there! I'm trying to create custom permissions to the action of creating/deleting/updating/viewing API Tokens, but it seems that even a new user with no permissions at all can have all access of token creation. I tried disabling the token permissions, added constraints to the token permissions, but none works, what I'm missing here? Thanks! |
Beta Was this translation helpful? Give feedback.
Replies: 2 comments 4 replies
-
|
If you mean creating tokens for your own user in the UI, then that is not something you can turn off. The API token has the same access as the user has in the UI. |
Beta Was this translation helpful? Give feedback.
-
|
Ah, that explain the issue! I was trying to disable the access in the UI. Thanks for the response! |
Beta Was this translation helpful? Give feedback.
-
|
Out of curiosity why do you want to disable access for users to create API tokens? They don't provide any additional access, so I'm having a hard time coming up with a good reason. |
Beta Was this translation helpful? Give feedback.
-
|
We wanted to restrict it so that only one user can generate API tokens to centralize management and know where the tokens are being used. |
Beta Was this translation helpful? Give feedback.
-
|
Even if they don't provide additional access, leaking an API token is incredibly easy. We can control user auth with SAML but can't do that for APi keys. |
Beta Was this translation helpful? Give feedback.
-
|
While this may not solve your problem the way you were planning, there is an API endpoint which can see user tokens /api/users/tokens/, so you can audit who has tokens and report on changes or DELETE tokens if necessary. The URL for token management /user/api-tokens/ could also be blocked at the http proxy level if need be, or restricted based on group if you are doing auth in the webserver, right?
—
Mark Tinberg ***@***.***>
Division of Information Technology-Network Services
University of Wisconsin-Madison
…________________________________
From: Leo-scs ***@***.***>
Sent: Friday, February 24, 2023 10:16 AM
To: netbox-community/netbox ***@***.***>
Cc: Subscribed ***@***.***>
Subject: Re: [netbox-community/netbox] Netbox API Tokens Permissions (Discussion #11821)
We wanted to restrict it so that only one user can generate API tokens to centralize management and know where the tokens are being used.
—
Reply to this email directly, view it on GitHub<#11821 (reply in thread)>, or unsubscribe<https://github.com/notifications/unsubscribe-auth/AAS7UMYP62PP6IDDVN77QOTWZDNHXANCNFSM6AAAAAAVHAVTRU>.
You are receiving this because you are subscribed to this thread.Message ID: ***@***.***>
|
Beta Was this translation helpful? Give feedback.
If you mean creating tokens for your own user in the UI, then that is not something you can turn off. The API token has the same access as the user has in the UI.