Enable RBAC support for public API endpoints #5211
Conversation
this is amazing! 🔥
@@ -52,10 +52,8 @@ def authenticate(self, request): | |||
auth = get_authorization_header(request).decode("utf-8") | |||
user, auth_token = self.authenticate_credentials(auth) | |||
|
|||
if not user.is_active or not user_is_authorized(user, [RBACPermission.Permissions.API_KEYS_WRITE]): |
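Review bot: the combined condition on the `if not user.is_active or not user_is_authorized(user, [RBACPermission.Permissions.API_KEYS_WRITE]):` line folds two different failures (inactive account vs. missing `API_KEYS_WRITE` permission) into one branch, so whatever rejection follows cannot tell an operator which one fired; consider checking them separately, or at least logging the reason, since a token that stops working after an RBAC role change is otherwise hard to diagnose. It is also worth a docstring note on `authenticate` that the permission enforced here is fixed to `API_KEYS_WRITE` for every request authenticated this way, so it establishes who may hold a key and is not a substitute for per-endpoint authorization.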
nice 👍 (this always felt like a hack)
I'm guessing docs + (maybe?) deprecating creation of new API keys (UI + API) will be done in separate PRs?
Yeah, there will be more PRs coming (this is one first step from #5212); in practice this is still not really useful (because only admins can issue tokens for now). OTOH, not sure about deprecating our API keys, something to discuss probably (with these changes any user could have their own token, with limited perms, which could be still useful to perform user-related actions: ack, resolve, etc., while service accounts are not tied to a user).
You don't need to be an Admin per se. You could have Viewer users that you assign some of these RBAC roles to be able to create service accounts + tokens (but right, I guess this doesn't apply to OSS where RBAC in Grafana isn't available).
Related to grafana/oncall-private#2826. Continuing work started in #5211, this adds support for Grafana service account tokens for API authentication (except alert group actions, which will still require a user behind them). Next steps would be updating the Go client and the Terraform provider to allow service account token auth for OnCall resources. Following proposal 1.1 from [doc](https://docs.google.com/document/d/1I3nFbsUEkiNPphBXT-kWefIeramTY71qqZ1OA06Kmls/edit?usp=sharing).
Related to https://github.com/grafana/oncall-private/issues/2826