admin api key

This support forum board is for support questions relating to Nagios XI, our flagship commercial network monitoring solution.
WillemDH
Posts: 2320
Joined: Wed Mar 20, 2013 5:49 am
Location: Ghent

Re: admin api key

Post by WillemDH »

Yes, however the URL may be found in log files unencrypted, so you should POST the data like so:

curl -XPOST --data "apikey=blablaapikey8t&pretty=1" "http://nagiosserver/nagiosxi/api/v1/system/applyconfig"
Isn't the Help menu a bit dangerous then? The examples in the help section all list the actual user API key. There is even a link which opens the URL in a new tab of the browser. As we have multiple admins, this seems quite dangerous to let them play with.
Some thoughts (open for discussion):
- Disable creation of admin users with REST API
- Add an extra security setting for admin users => 'Can access REST API' => As we have about 12 admin users but I'm probably the only one who would use the REST API, this would reduce the risk a lot.
- Update the help section examples with 'fake' api keys or <your-api-key-here> and warn users of the dangers of using an admin api key in an url
- Admins should be able to reset others users api key.
- Update the help section with curl examples which separate the data as in your above example

Grtz
Nagios XI 5.8.1
https://outsideit.net
tmcdonald
Posts: 9117
Joined: Mon Sep 23, 2013 8:40 am

Re: admin api key

Post by tmcdonald »

WillemDH wrote:As we have multiple admins, this seems quite dangerous to let them play with.
Potentially. Anyone who can log in as an admin can already do quite a bit with the system. We could add some restrictions to who can do what though, and I'll address specifics below:
WillemDH wrote:- Disable creation of admin users with REST API
- Add an extra security setting for admin users => 'Can access REST API' =>
That or have a toggle for usage.
WillemDH wrote:- Update the help section examples with 'fake' api keys or <your-api-key-here> and warn users of the dangers of using an admin api key in an url
A warning definitely, but one of the goals of the Help page was to give real working examples.
WillemDH wrote:- Admins should be able to reset others users api key.
I disagree. *Certain* admins should be able to.
WillemDH wrote:- Update the help section with curl examples which separate the data as in your above example
Can you elaborate on this?
Former Nagios employee
WillemDH

Re: admin api key

Post by WillemDH »

Like you seem to suggest, it might be a good idea to split the admin users up. The reason we have so many admins is because these users need access to the CCM. As far as I know it is not possible to give users access to the CCM without having admin status? (Please correct me if I'm wrong.)
It could be useful to create a separate role for CCM editors?

I'm not sure what the difference is between
Add an extra security setting for admin users => 'Can access REST API'
and
That or have a toggle for usage.
A warning definitely, but one of the goals of the Help page was to give real working examples.
Just checked for a normal user, and there only the object reference, i.e. GET, is visible, so that's a good thing. My concern for admin users is that by using the working examples their admin API key is passed in the browser and as such ends up in the browsing history and other log files, as Scott suggested:
Yes, however the URL may be found in log files unencrypted so you should POST the data like so
If Scott suggests we should POST the data like so:

curl -XPOST --data "apikey=blablaapikey8t&pretty=1" "http://nagiosserver/nagiosxi/api/v1/system/applyconfig"

But the examples are:

curl -XGET "https://nagiosserver/nagiosxi/api/v1/system/applyconfig?apikey=blabla&pretty=1"
This is kind of ambiguous? We are told we should use this, but in the docs it says something else. That's what I mean with:

Update the help section with curl examples which separate the data as in your above example
Grtz
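The concern raised in the posts above, the key appearing in the request line and therefore in web-server logs and browser history, is easy to check for in practice. The following Python is an added example, not code from Nagios or from anyone in this thread. It scans constructed Apache "combined"-format access-log lines for an `apikey` query parameter and reports the (masked) leaked keys, and it builds the same `applyconfig` call with the key in a POST body so the logged request line carries no key. The log lines, hostnames, and key values are made up; the `apikey` parameter name and the `/nagiosxi/api/v1/` path prefix are taken from the curl examples quoted above.

```python
"""Find Nagios XI API keys leaked through GET query strings in access logs,
and show the POST form of the same call that keeps the key out of the log.

Constructed example: the log lines, addresses and keys below are made up.
"""
import re
from urllib.parse import parse_qs, urlencode, urlsplit
from urllib.request import Request

# Constructed sample log (Apache "combined" format). Lines 1 and 2 follow
# the Help-page style (key in the query string); line 3 is the POST form.
SAMPLE_ACCESS_LOG = """\
10.0.0.5 - - [20/Mar/2021:10:01:12 +0100] "GET /nagiosxi/api/v1/system/applyconfig?apikey=blabla&pretty=1 HTTP/1.1" 200 57 "-" "curl/7.68.0"
10.0.0.7 - - [20/Mar/2021:10:02:40 +0100] "GET /nagiosxi/api/v1/objects/hoststatus?apikey=s3cretkey9z&pretty=1 HTTP/1.1" 200 1942 "https://nagiosserver/nagiosxi/help/" "Mozilla/5.0"
10.0.0.5 - - [20/Mar/2021:10:03:05 +0100] "POST /nagiosxi/api/v1/system/applyconfig HTTP/1.1" 200 57 "-" "curl/7.68.0"
"""

# client ip, timestamp, request method, request target, status code
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def mask(key):
    """Keep only the first and last two characters so the report itself
    does not become another copy of the key."""
    if len(key) <= 4:
        return "*" * len(key)
    return key[:2] + "*" * (len(key) - 4) + key[-2:]


def find_leaked_keys(log_text, param="apikey"):
    """Return one finding per request whose query string carries `param`.

    Only the request target is inspected, which is exactly what the web
    server writes to its access log; a key sent in a POST body never
    appears there, so the POST line in the sample produces no finding.
    """
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        parts = urlsplit(m["target"])
        for key in parse_qs(parts.query).get(param, []):
            findings.append({
                "ip": m["ip"],
                "timestamp": m["ts"],
                "method": m["method"],
                "path": parts.path,
                "key": mask(key),
            })
    return findings


def build_api_request(base_url, endpoint, apikey, **params):
    """Build the Help-page call with the key in the POST body instead of
    the URL. The logged request line is then just
    'POST /nagiosxi/api/v1/<endpoint> HTTP/1.1'. `base_url` and `endpoint`
    are hypothetical inputs; the path prefix matches the thread's examples.
    """
    body = urlencode({"apikey": apikey, **params}).encode()
    url = f"{base_url.rstrip('/')}/nagiosxi/api/v1/{endpoint.lstrip('/')}"
    return Request(
        url,
        data=body,
        method="POST",
        headers={"Content-Type": "application/x-www-form-urlencoded"},
    )


if __name__ == "__main__":
    for f in find_leaked_keys(SAMPLE_ACCESS_LOG):
        print(f"{f['timestamp']} {f['ip']} {f['method']} {f['path']} key={f['key']}")
    req = build_api_request("https://nagiosserver", "system/applyconfig",
                            "blablaapikey8t", pretty=1)
    print("logged request line would be:", req.get_method(), urlsplit(req.full_url).path)
```

Two caveats a practitioner would add: the POST body still crosses the network, so the call must use HTTPS (the Help examples do; the quoted curl line uses plain http), and a key typed on the curl command line is still visible in shell history and to `ps` on the client, which is why reading it from a file (curl's `--data-urlencode "apikey@keyfile"` form) is preferable to embedding it in the command.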
tmcdonald

Re: admin api key

Post by tmcdonald »

I think I was more reiterating my "Separation of duties" message with those first two items.

In regards to GET vs POST, from a security standpoint a POST is less logged than a GET, but semantically speaking a GET is used to retrieve information and a POST is used to submit information. I can't speak for the developers as to why they chose to give examples a certain way.
WillemDH

Re: admin api key

Post by WillemDH »

Well Trevor, what do you think of a feature request to have the developers take a close look at tightening the security of the REST API, including the documentation, and maybe one more to have a new user role 'CCM-editor'?
tmcdonald

Re: admin api key

Post by tmcdonald »

I think it's a good idea, and I'll put in those requests. Bear in mind the API is still pretty new and has some functional, design, and security growing pains to endure.
WillemDH

Re: admin api key

Post by WillemDH »

Trevor, OK. Please post the FR numbers and you may close this thread. Thanks for your time!
rkennedy
Posts: 6579
Joined: Mon Oct 05, 2015 11:45 am

Re: admin api key

Post by rkennedy »

I have put in both of these feature requests: ID 7171 for improving the REST API.

The second one is ID 7172, for a new user role that allows editing the CCM.
Former Nagios Employee