zerotier / ZeroTierOne

A Smart Ethernet Switch for Earth
https://zerotier.com

API permissions #663

Closed tabascoterrier closed 6 years ago

tabascoterrier commented 6 years ago

Feature request: I'd love to see some more control on API permissions. As I understand it, currently an API key has access to all operations.

My use case is using the API to periodically build a zone file which plugs into my internal DNS recursor, so I only need to call one GET operation (/api/network/{networkId}/member), and in keeping with the principle of least privilege that script really shouldn't have absolute power over the network.

I appreciate that permissions systems can potentially be very complex, but even having the ability to restrict an API key to GET operations would be very useful.
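As an added illustration of the use case described in this request (example code written here, not part of the issue or of ZeroTier's own code), the script below does the one read it needs, `GET /api/network/{networkId}/member`, and renders the result as a zone file. The base URL, the `bearer` header scheme and the member field names (`name`, `config.authorized`, `config.ipAssignments`) are assumptions about the Central API, and `SAMPLE_MEMBERS` is constructed sample data. Two defensive details matter even for a read-only job: the token comes from the environment rather than the script, and member names are operator-editable text, so they are normalised into a single valid DNS label instead of being copied into the zone verbatim (a name containing whitespace or a newline cannot smuggle in an extra record).

```python
import ipaddress
import json
import os
import re
import urllib.request

# Assumed Central API base URL and zone origin (constructed placeholders).
API_BASE = "https://my.zerotier.com/api"
ZONE_ORIGIN = "zt.example."
# RFC 1035 hostname label: 1-63 chars, alphanumeric plus interior hyphens.
LABEL_RE = re.compile(r"^[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?$")

# Constructed sample of what the member listing is assumed to look like.
SAMPLE_MEMBERS = [
    {"nodeId": "a1b2c3d4e5", "name": "Build Server",
     "config": {"authorized": True, "ipAssignments": ["10.147.17.5"]}},
    {"nodeId": "0123456789", "name": "laptop",
     "config": {"authorized": False, "ipAssignments": ["10.147.17.9"]}},
    {"nodeId": "deadbeef00", "name": "nas (old)\n@ IN NS ns.example.net.",
     "config": {"authorized": True, "ipAssignments": ["10.147.17.7"]}},
    {"nodeId": "cafe000000", "name": "printer",
     "config": {"authorized": True, "ipAssignments": ["fd00::1", "not-an-ip"]}},
]


def fetch_members(network_id, token):
    """GET the member listing for one network using a bearer token.

    The token is meant to belong to a separate, read-only account so that a
    leaked copy of this script's credentials cannot change the network.
    """
    req = urllib.request.Request(
        f"{API_BASE}/network/{network_id}/member",
        headers={"Authorization": f"bearer {token}"},
        method="GET",
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)


def to_label(name):
    """Normalise a member name into one DNS label, or None if impossible.

    Runs of characters outside [a-z0-9-] (spaces, newlines, parentheses, ...)
    collapse to a hyphen, so the result can never span more than one field
    of a zone record, let alone more than one line.
    """
    label = re.sub(r"[^a-z0-9-]+", "-", name.strip().lower()).strip("-")
    return label if LABEL_RE.match(label) else None


def build_zone(members, origin=ZONE_ORIGIN):
    """Render A/AAAA records for authorized, nameable members with valid addresses."""
    lines = [f"$ORIGIN {origin}", "$TTL 300"]
    for member in members:
        cfg = member.get("config", {})
        if not cfg.get("authorized"):       # only members admitted to the network
            continue
        label = to_label(member.get("name", ""))
        if label is None:                   # unnamed or unrepresentable name
            continue
        for addr in cfg.get("ipAssignments", []):
            try:
                ip = ipaddress.ip_address(addr)   # reject anything that is not an address
            except ValueError:
                continue
            rtype = "A" if ip.version == 4 else "AAAA"
            lines.append(f"{label} IN {rtype} {ip}")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    # ZT_NETWORK_ID and ZT_READONLY_TOKEN are assumed environment variables.
    net = os.environ.get("ZT_NETWORK_ID")
    tok = os.environ.get("ZT_READONLY_TOKEN")
    members = fetch_members(net, tok) if net and tok else SAMPLE_MEMBERS
    print(build_zone(members), end="")
```

Run without the environment variables it renders the constructed sample, which is enough to see the unauthorized laptop dropped, the bad address skipped, and the multi-line name squashed into the single label `nas-old-in-ns-ns-example-net`.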

laduke commented 6 years ago

Hi! Good point and yes permissions stuff gets tricky quickly.

This is an extra step, but you could make another account, and give that read only access to a network.

tabascoterrier commented 6 years ago

> This is an extra step, but you could make another account, and give that read only access to a network.

Ah, I'd not considered that - yes, that'll work just fine for me here, many thanks for the idea @laduke!

I didn't realise there were read / authorize / modify / delete permissions on shared users - if that paradigm could be extended to apply to API keys, that would be a useful thing.

adamierymenko commented 6 years ago

The right answer to this is to put something in front of the API such as a small web or dbus service. Fine grained permissions in the control API is beyond its scope. ZeroTier Central provides this for controllers by putting a whole fat web app in front of the API.
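The "put something in front of the API" approach, as an added example that is not part of this issue or of ZeroTier's own code: a small stdlib-only facade that holds the real (read-only account) token server-side and hands out its own narrowly scoped tokens, each permitted exactly one operation, reading the member listing of one named network. The upstream base URL, the `bearer` header scheme and the 16-hex-digit network id format are assumptions; `LOCAL_TOKENS` and the network id in it are constructed values. The policy lives in `authorize()` so it can be tested without a network: any method other than GET, any path other than the member listing, an unknown token, or a token used against a network it was not issued for is refused before anything touches the upstream.

```python
import hmac
import os
import re
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

# Assumed upstream base URL; the real controller token is read from the
# environment (ZT_READONLY_TOKEN, assumed name) and never shown to callers.
UPSTREAM = "https://my.zerotier.com/api"
# The only operation the facade exposes: GET /network/{16 hex}/member.
MEMBER_PATH = re.compile(r"^/network/([0-9a-f]{16})/member$")

# Facade-local tokens mapped to the networks each may read (constructed values).
LOCAL_TOKENS = {
    "dns-builder-token": {"0123456789abcdef"},
}


def authorize(method, path, token):
    """Return the network id the caller may read, or None to refuse.

    The check is an allow-list: one verb, one path shape, one token-to-network
    binding. Token comparison is constant-time so timing does not leak which
    prefix of a token was right.
    """
    if method != "GET":
        return None
    match = MEMBER_PATH.match(path)
    if not match:
        return None
    presented = (token or "").encode()
    allowed = None
    for known, networks in LOCAL_TOKENS.items():
        if hmac.compare_digest(known.encode(), presented):
            allowed = networks
    network_id = match.group(1)
    if allowed is None or network_id not in allowed:
        return None
    return network_id


def bearer_token(headers):
    """Extract the token from an 'Authorization: Bearer <token>' header."""
    value = headers.get("Authorization", "")
    scheme, _, token = value.partition(" ")
    return token.strip() if scheme.lower() == "bearer" else ""


class Facade(BaseHTTPRequestHandler):
    def do_GET(self):
        network_id = authorize("GET", self.path, bearer_token(self.headers))
        if network_id is None:
            self.send_error(403)       # refused locally; upstream never contacted
            return
        req = urllib.request.Request(
            f"{UPSTREAM}/network/{network_id}/member",
            headers={"Authorization": f"bearer {os.environ['ZT_READONLY_TOKEN']}"},
            method="GET",
        )
        with urllib.request.urlopen(req, timeout=10) as resp:
            body = resp.read()
        self.send_response(200)
        self.send_header("Content-Type", "application/json")
        self.end_headers()
        self.wfile.write(body)
    # Other verbs fall through to BaseHTTPRequestHandler's default 501 response.


if __name__ == "__main__":
    # Bind to loopback only; the caller is the local zone-building job.
    HTTPServer(("127.0.0.1", 8088), Facade).serve_forever()
```

The zone-building job then calls `http://127.0.0.1:8088/network/<id>/member` with its facade token, and a compromise of that job yields a credential that can list one network's members and nothing else; rotating or revoking it is a one-line change in `LOCAL_TOKENS` rather than a change of the controller account.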