getsentry / sentry-docs

Sentry's documentation (and tools to build it)
https://docs.sentry.io

Not possible to use superuser with the API #7778

Closed max-wittig closed 4 months ago

max-wittig commented 4 years ago

Important Details

How are you running Sentry?

Description

Some API endpoints require superuser permissions (e.g. https://sentry-instance.com/api/0/internal/stats/), but even when I create a superuser on the command line and use the Auth Token from this user, I just get this message:

{
  "detail": {
    "message": "You need to re-authenticate for superuser.",
    "code": "superuser-required",
    "extra": {}
  }
}

How do I re-authenticate? I've checked all the boxes in the API menu

image

Steps to Reproduce

  1. Host sentry on premise
  2. Create superuser
    root@ec1c9b02cea0:/usr/src/sentry# sentry createuser
    16:02:23 [WARNING] sentry.utils.geo: settings.GEOIP_PATH_MMDB not configured.
    16:02:27 [INFO] sentry.plugins.github: apps-not-configured
    Email: max@localhost
    Password: 
    Repeat for confirmation: 
    Should this user be a superuser? [y/N]: y
    User created: max@localhost
    root@ec1c9b02cea0:/usr/src/sentry# 
  3. Create token with superuser and try to call the api/0/internal/stats/ endpoint

What you expected to happen

It should work and grant the superuser permission to the endpoint

Possible Solution


getsantry[bot] commented 1 year ago

Assigning to @getsentry/support for routing ⏲️

max-wittig commented 4 years ago

Okay, seems like you need to re-authenticate to get superuser, even though the token is already a superuser token. How do you re-authenticate?

The API docs are really outdated. Is there a plan to modernize those at some point?

dcramer commented 4 years ago

If I were to sit down and say the way I hoped this worked (based on our design) - you will not be able to query any superuser endpoints via a non-session token.

Superuser has escalated permissions, has an idle timeout, maximum session length, and requires re-auth to re-enable. This is entirely managed via the session and shouldn't be achievable via the API (though I wouldn't make that promise).
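The session-bound escalation described in the comment above, as a toy model added here for illustration. This is not Sentry's code: the class names, the 15-minute idle timeout, the 4-hour maximum length and the `require_superuser`/`reauthenticate` helpers are assumptions; only the shape of the error body is taken from the response quoted in the issue. It shows why a bearer token from a superuser account is refused while a freshly re-authenticated browser session is accepted, and how both clocks end the escalation.

```python
"""Toy model of session-bound superuser escalation (assumed design, not Sentry's code).

Superuser is an escalation attached to a login session: it starts only after
an explicit re-authentication, ends after an idle timeout or a maximum
length, and is never granted to API/bearer tokens, even tokens minted by a
superuser account. All timeouts and names below are assumptions.
"""
from dataclasses import dataclass
from typing import Optional

IDLE_TIMEOUT = 15 * 60            # assumed: 15 min without a request ends escalation
MAX_SESSION_LENGTH = 4 * 60 * 60  # assumed: escalation expires 4 h after re-auth regardless


@dataclass
class Session:
    user_is_superuser: bool                  # the account has the superuser flag
    su_started_at: Optional[float] = None    # when the user last re-authenticated
    su_last_seen_at: Optional[float] = None  # last request made while escalated


@dataclass
class Request:
    auth_kind: str                           # "session" (cookie) or "token" (bearer)
    session: Optional[Session] = None        # present only for session auth
    now: float = 0.0                         # request time in seconds (injected for tests)


class SuperuserRequired(Exception):
    """Raised in place of the 'superuser-required' error body quoted in the issue."""

    def __init__(self) -> None:
        super().__init__("You need to re-authenticate for superuser.")
        self.code = "superuser-required"


def superuser_active(session: Session, now: float) -> bool:
    """True iff an escalation exists and neither clock has expired."""
    if session.su_started_at is None or session.su_last_seen_at is None:
        return False
    if now - session.su_started_at > MAX_SESSION_LENGTH:  # hard cap since re-auth
        return False
    if now - session.su_last_seen_at > IDLE_TIMEOUT:      # no activity for too long
        return False
    return True


def require_superuser(request: Request) -> bool:
    """Gate for a superuser-only endpoint; raises SuperuserRequired on refusal."""
    # Token auth never carries an escalation, whatever account minted the token.
    if request.auth_kind != "session" or request.session is None:
        raise SuperuserRequired()
    sess = request.session
    if not sess.user_is_superuser or not superuser_active(sess, request.now):
        raise SuperuserRequired()
    sess.su_last_seen_at = request.now  # successful use restarts the idle clock only
    return True


def reauthenticate(session: Session, now: float, password_ok: bool) -> bool:
    """Re-auth (e.g. a password prompt) re-enables escalation for this session."""
    if not (session.user_is_superuser and password_ok):
        return False
    session.su_started_at = now
    session.su_last_seen_at = now
    return True


def call_endpoint(request: Request) -> dict:
    """Body a superuser-only endpoint would return for this request."""
    try:
        require_superuser(request)
    except SuperuserRequired as exc:
        return {"detail": {"message": str(exc), "code": exc.code, "extra": {}}}
    return {"ok": True}


if __name__ == "__main__":
    sess = Session(user_is_superuser=True)
    print(call_endpoint(Request("token", None, 0.0)))      # token: refused
    print(call_endpoint(Request("session", sess, 0.0)))    # session, no re-auth: refused
    reauthenticate(sess, 0.0, password_ok=True)
    print(call_endpoint(Request("session", sess, 60.0)))   # escalated session: ok
```

Note that a refused request does not touch `su_last_seen_at`, so polling an endpoint with an expired escalation cannot keep it alive; only a successful escalated request restarts the idle clock, and nothing short of `reauthenticate` extends the hard cap.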

dcramer commented 4 years ago

I will keep this ticket open as we should improve our documentation around how superuser works, though I don't think we should directly mention much about this in the API docs (other than maybe how our session-based tokens work).

github-actions[bot] commented 3 years ago

This issue has gone three weeks without activity. In another week, I will close it.

But! If you comment or otherwise update it, I will reset the clock, and if you label it Status: Accepted, I will leave it alone ... forever!


"A weed is but an unloved flower." ― Ella Wheeler Wilcox 🥀

max-wittig commented 3 years ago

I will keep this ticket open as we should improve our documentation around how superuser works

BYK commented 3 years ago

@max-wittig yup, reopened. Just us getting used to our new bot overlords.

max-wittig commented 3 years ago

🧎‍♂️

max-wittig commented 3 years ago

I will keep this ticket open as we should improve our documentation around how superuser works

chadwhitacre commented 3 years ago

More bot thrashing, sorry @max-wittig, this one's on me. 😞

max-wittig commented 3 years ago

No problem

getsentry-release commented 3 years ago

Routing to @getsentry/ecosystem for triage. ⏲️

getsentry-release commented 3 years ago

Routing to @getsentry/enterprise for triage. ⏲️

getsantry[bot] commented 1 year ago

Routing to @getsentry/product-owners-apis for triage ⏲️

chadwhitacre commented 1 year ago

Moving to docs repo, I think this is a sentence or two on https://docs.sentry.io/api/auth/, yes?

You will not be able to query any superuser endpoints via a non-session token. Superuser has escalated permissions, has an idle timeout, maximum session length, and requires re-auth to re-enable. This is entirely managed via the session and shouldn't be achievable via the API (though that's not a promise).

Something like that?

vivianyentran commented 4 months ago

@sentaur-athena What are your thoughts on this issue? Is this still relevant or can we close this?

vivianyentran commented 4 months ago

APIs for self-hosted aren't documented in sentry-docs, so we'll close this for now and bring this up with the owners for self-hosted sentry