gregfenton
commented
6 months ago The purpose of the CLI is to administer the application isn't it?
Closed JonasBa closed 5 months ago
gregfenton
commented
6 months ago The purpose of the CLI is to administer the application isn't it?
poida
commented
5 months ago @gregfenton IMO this is violating the security principle of least privilege.
E.g. If I'm not ever going use the cli tool to delete an index, I should be able to use a key that doesn't have delete index permissions.
It worsens the impact if one of the keys was to leak, and using shared credentials are bad for a number of reasons.
It looks like work has already been done to enable profiles without an admin key, could this be looked at? https://github.com/algolia/cli/pull/139
poida
commented
5 months ago @JonasBa note you can use the algolia cli without an admin api key, if you use it without setting up a profile.
You can pass a non-admin credentials to the particular command with --admin-api-key $NON_ADMIN_KEY --application-id $APP_ID.
JonasBa
commented
5 months ago Thank you finding the right words for me @poida :)
@gregfenton, there are usually plenty of teams or individuals in the company with various levels of permissions. Forcing, or indicating to them that the correct way to use a tool like a CLI is to share a single admin key with root level permissions is security issue nightmare waiting to happen (I doubt any sane security process would allow this).
My take is that to use a tool like the CLI wrapper, which is just a convenient way of executing commands, a key with a min set of permissions to execute the action should be required. If what @poida is saying about bypassing the profile generation is true, then that contradict the notion of administering the application, as it sounds like the key permissions are not properly validated.
gregfenton
commented
5 months ago @gregfenton IMO this is violating the security principle of least privilege.
E.g. If I'm not ever going use the cli tool to delete an index, I should be able to use a key that doesn't have delete index permissions.
I fully agree. I was commenting that my read of the docs is that the CLI is intended to be for "configuring and administering applications". Though I see value in having the CLI commands available to lesser-enabled users, I didn't read that intent from the docs. To me it read like an admin tool similar to what you get from many PaaS systems.
I am very glad to see work is underway to add more granularity to the functionality...though that PR is a huge change!
clemfromspace
commented
5 months ago
When installing the CLI and attempting to use it, the first thing the docs reference after installing the cli is to run
algolia profile addwhich prompts for an admin api key (it seems excessive for a CLI tool to require an admin key). Since I'm not the application owner and do not have access to the admin key I tried to just use a write API key with hopes that I could still do operations for which the key has proper acl permissions. Tldr,algolia profile add requiresthe actual admin api key and the command fails with unauthorized key error.This makes the experience seem like only application admins (or whoever can get their hands onto the admin api key) can use the CLI which contradicts what the docs say here
So as as user, I tried to run
algolia --helpto try and understand if there are other ways I can use the CLI, but the only listed flags areIf it is true that the CLI requires and admin api key then the docs should be updated to reflect that. Imo asking for an admin api key is an overkill and encourages bad practices of sharing the admin api key. I did not end up using the CLI, but I would prefer if there was a way for me to run
algolia ...commands --api-key=<whatever key>and have the key permissions checked by the engine for each operation that my CLI command is doing (which is assume is already the case anyways).