Page MenuHomeVyOS Platform
Create Task
Maniphest T3758

HTTP-API: per-key command restrictions
Open, WishlistPublic
Actions

Description

It would be ideal if we could restrict the commands that a specific API key has access to.

Similar to TACACS command authorization, the addition of this feature would allow us to harden the API and the router.

E.g., limit a given API key to only show commands, or even specific configuration commands.

Possible configuration syntax:

# limit key to show commands only
set service https api keys id MY-HTTPS-API-ID key MY-HTTPS-API-PLAINTEXT-KEY
set service https api keys id MY-HTTPS-API-ID endpoint show op show
# limit key to specific set/delete config commands
set service https api keys id MY-HTTPS-API-ID key MY-HTTPS-API-PLAINTEXT-KEY
set service https api keys id MY-HTTPS-API-ID endpoint configure op delete path protocols bgp neighbor * description *
set service https api keys id MY-HTTPS-API-ID endpoint configure op delete path protocols bgp neighbor * shutdown
set service https api keys id MY-HTTPS-API-ID endpoint configure op set path protocols bgp neighbor * description *
set service https api keys id MY-HTTPS-API-ID endpoint configure op set path protocols bgp neighbor * shutdown

Details

Difficulty level
Unknown (require assessment)
Version
1.4
Why the issue appeared?
Will be filled on close
Is it a breaking change?
Unspecified (possibly destroys the router)
Issue type
Unspecified (please specify)

Related Objects

Event Timeline

etedor created this task.Aug 16 2021, 12:19 AM
etedor triaged this task as Wishlist priority.
etedor created this object in space S1 VyOS Public.
jestabro claimed this task.Aug 16 2021, 1:20 AM
pasik subscribed.Aug 16 2021, 8:26 AM
Viacheslav subscribed.Aug 16 2021, 9:23 AM

Not sure that it is a good idea for this format.
The syntax between versions (1.3/1.4 bgd/isisd) is changed. With every syntax change you should also change and section "service https API ... bgp"
My point API must have a full access to all configuration options.

jestabro mentioned this in T1610: Support operator mode commands via REST API.Mar 22 2022, 3:01 PM
dmbaturin removed jestabro as the assignee of this task.Tue, Jul 2, 6:28 PM
dmbaturin set Issue type to Unspecified (please specify).
dmbaturin added a subscriber: jestabro.