
HTTP-API: per-key command restrictions
Open, Wishlist, Public

Description

It would be ideal if we could restrict the commands that a specific API key has access to.

Similar to TACACS command authorization, the addition of this feature would allow us to harden the API and the router.

E.g., limit a given API key to only show commands, or even specific configuration commands.

Possible configuration syntax:

# limit key to show commands only
set service https api keys id MY-HTTPS-API-ID key MY-HTTPS-API-PLAINTEXT-KEY
set service https api keys id MY-HTTPS-API-ID endpoint show op show
# limit key to specific set/delete config commands
set service https api keys id MY-HTTPS-API-ID key MY-HTTPS-API-PLAINTEXT-KEY
set service https api keys id MY-HTTPS-API-ID endpoint configure op delete path protocols bgp neighbor * description *
set service https api keys id MY-HTTPS-API-ID endpoint configure op delete path protocols bgp neighbor * shutdown
set service https api keys id MY-HTTPS-API-ID endpoint configure op set path protocols bgp neighbor * description *
set service https api keys id MY-HTTPS-API-ID endpoint configure op set path protocols bgp neighbor * shutdown
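
One way the rules proposed above could be evaluated, as an added example that is not part of the original task and not VyOS code. Assumptions: `*` matches exactly one path token, a rule without `path` allows any path, unmatched requests are denied, and the key ids `MONITOR` and `BGP-OPS`, the sample keys and all function names are hypothetical.

```python
from __future__ import annotations
from typing import NamedTuple

# Constructed sample in the syntax proposed above; key ids and keys are made up.
SAMPLE_CONFIG = """\
set service https api keys id MONITOR key EXAMPLE-KEY-1
set service https api keys id MONITOR endpoint show op show
set service https api keys id BGP-OPS key EXAMPLE-KEY-2
set service https api keys id BGP-OPS endpoint configure op delete path protocols bgp neighbor * description *
set service https api keys id BGP-OPS endpoint configure op delete path protocols bgp neighbor * shutdown
set service https api keys id BGP-OPS endpoint configure op set path protocols bgp neighbor * description *
set service https api keys id BGP-OPS endpoint configure op set path protocols bgp neighbor * shutdown
"""
PREFIX = ["set", "service", "https", "api", "keys", "id"]

class Rule(NamedTuple):
    key_id: str
    endpoint: str
    op: str
    path: tuple | None  # None: rule has no "path", so any path is allowed

def parse_rules(config: str) -> list[Rule]:
    """Collect the 'endpoint X op Y [path ...]' rules; skip 'key' lines and comments."""
    rules = []
    for line in config.splitlines():
        tok = line.split()
        if tok[:6] != PREFIX or len(tok) < 11 or tok[7] != "endpoint" or tok[9] != "op":
            continue
        if len(tok) > 11 and (tok[11] != "path" or len(tok) == 12):
            raise ValueError(f"malformed rule: {line!r}")
        rules.append(Rule(tok[6], tok[8], tok[10], tuple(tok[12:]) or None))
    return rules

def path_matches(pattern: tuple | None, path: list) -> bool:
    # Assumption: "*" matches exactly one token and lengths must be equal, so a
    # shorter path such as ["protocols", "bgp"] never matches a neighbor rule.
    if pattern is None:
        return True
    return len(pattern) == len(path) and all(p in ("*", t) for p, t in zip(pattern, path))

def authorize(rules: list[Rule], key_id: str, endpoint: str, op: str, path: list) -> bool:
    """Default deny: allow only when a rule for this key id matches the request."""
    if not isinstance(path, list) or not all(isinstance(t, str) for t in path):
        return False
    return any(r.key_id == key_id and r.endpoint == endpoint and r.op == op
               and path_matches(r.path, path) for r in rules)

if __name__ == "__main__":
    rules = parse_rules(SAMPLE_CONFIG)
    req = ["protocols", "bgp", "neighbor", "192.0.2.1", "shutdown"]
    print(authorize(rules, "BGP-OPS", "configure", "set", req))   # key with a matching rule
    print(authorize(rules, "MONITOR", "configure", "set", req))   # show-only key
```

Requiring equal length matters for `delete`: a prefix match would let a key restricted to neighbor descriptions delete the whole `protocols bgp` subtree.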

Details

Difficulty level: Unknown (require assessment)
Version: 1.4
Why the issue appeared?: Will be filled on close
Is it a breaking change?: Unspecified (possibly destroys the router)
Issue type: Unspecified (please specify)

Event Timeline

etedor triaged this task as Wishlist priority.
etedor created this object in space S1 VyOS Public.

Not sure that this format is a good idea.
The syntax between versions (1.3/1.4 bgpd/isisd) has changed. With every syntax change, you should also change the section "service https API ... bgp".
My point: the API must have full access to all configuration options.

dmbaturin set Issue type to Unspecified (please specify).
dmbaturin added a subscriber: jestabro.