API: more flexible authorization and administration

Bug #1531853 reported by John-Magne Bredal
Affects: Network Administration Visualized
Status: Fix Released
Importance: Wishlist
Assigned to: John-Magne Bredal
Milestone: (none listed)

Bug Description

A summary of an initial discussion about this task follows:

Because the general authorization system in NAV is very basic and this
task is limited to the API, a token does not need to be connected to a
specific user. Knowing which user owns a token does not add any value
at the time of access. However, some way of attaching
meta-information to a token is necessary, for instance a comment
about what the token is for and who can be contacted regarding it.

The only way of providing more detailed authorization is by limiting
access by endpoints. There already exists a list of endpoints that is
displayed when visiting the API index, and this list may be used to
connect endpoints to tokens. If a token has access to an endpoint, no
further authorization is done (as in the web interface).

WEB INTERFACE

Token distribution is done by NAV admins. A web interface must be made
with the following specification:

- Located in "User administration" as a new tab "Token administration"

- Must list all active and revoked tokens with the following
  information
  - token, when created, when expires, comment, endpoints, revoked

- Must have a way of creating a new token. Interface has
  - token string created automatically
  - sane default for expiry, but possible to set custom date
  - dropdown list (multiple) to add endpoints (none default, option
    for all)
  - textfield to add comment
  - status set to active
- Must have a way of editing the comment
- Must have a way of editing the endpoints available
- Must have a way of refreshing the expiry with a custom date
- Must have a way of revoking tokens
- Must show when the token was last used to access the API

DATABASE CHANGES

The 'apitoken' table must be expanded with the following fields:
- created: timestamp not null
- comment: text
- revoked: boolean default false
- last_used: timestamp

A new table 'apitoken_endpoints' that connects tokens and endpoints:
- token_id: integer not null references apitoken (id)
- endpoint_id: integer not null references api_endpoint (id)

A new table 'api_endpoint' listing all API endpoints available. This
table should also be used to populate the API index.
- id: serial primary key
- name: varchar(50) not null
- version: varchar(10)
- url: varchar(100) not null

Models for all tables must be created as well.
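The schema above together with the access rule from the discussion ("if a token has access to an endpoint, no further authorization is done") can be exercised end to end. The following is an added illustration, not NAV's own migration, models or view code: it builds the three tables in SQLite, loads constructed sample tokens and endpoints, and implements a deny-by-default check that distinguishes unknown, revoked and expired tokens from an endpoint the token is simply not linked to, writing last_used only when access is granted. The pre-existing id/token/expires columns on apitoken, the sample URLs and the fixed NOW are assumptions.

```python
import sqlite3
from datetime import datetime, timedelta

# Illustration only (not NAV's migration or Django models): the three tables from the
# bug description in SQLite; id/token/expires on apitoken are assumed to pre-exist.
SCHEMA = """
CREATE TABLE apitoken (id INTEGER PRIMARY KEY, token TEXT NOT NULL UNIQUE,
    expires TIMESTAMP NOT NULL, created TIMESTAMP NOT NULL, comment TEXT,
    revoked BOOLEAN NOT NULL DEFAULT 0, last_used TIMESTAMP);
CREATE TABLE api_endpoint (id INTEGER PRIMARY KEY, name VARCHAR(50) NOT NULL,
    version VARCHAR(10), url VARCHAR(100) NOT NULL);
CREATE TABLE apitoken_endpoints (token_id INTEGER NOT NULL REFERENCES apitoken (id),
    endpoint_id INTEGER NOT NULL REFERENCES api_endpoint (id),
    PRIMARY KEY (token_id, endpoint_id));
"""
NOW = datetime(2016, 1, 7, 12, 0)  # constructed "current time" for the sample data
DAY = timedelta(days=1)

def setup():
    """Constructed sample: two endpoints, a live token allowed only on 'netbox', one expired."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO api_endpoint (name, version, url) VALUES (?, ?, ?)",
                     [("netbox", "1", "/api/1/netbox/"), ("room", "1", "/api/1/room/")])
    conn.executemany("INSERT INTO apitoken (token, expires, created, comment) VALUES (?, ?, ?, ?)",
                     [("tok-netbox", str(NOW + 30 * DAY), str(NOW), "inventory sync; contact ops"),
                      ("tok-old", str(NOW - DAY), str(NOW - 31 * DAY), "expired last night")])
    conn.execute("INSERT INTO apitoken_endpoints SELECT t.id, e.id FROM apitoken t, "
                 "api_endpoint e WHERE t.token = 'tok-netbox' AND e.name = 'netbox'")
    return conn

def authorize(conn, token, url, now=NOW):
    """Deny-by-default check for one request; last_used is written only on success."""
    row = conn.execute("SELECT id, expires, revoked FROM apitoken WHERE token = ?",
                       (token,)).fetchone()
    if row is None:
        return "unknown token"
    token_id, expires, revoked = row
    if revoked:
        return "revoked"
    if datetime.fromisoformat(expires) <= now:  # expiry is inclusive of the cutoff
        return "expired"
    allowed = conn.execute(  # endpoint must be explicitly linked to this token
        "SELECT 1 FROM apitoken_endpoints te JOIN api_endpoint e ON e.id = te.endpoint_id"
        " WHERE te.token_id = ? AND e.url = ?", (token_id, url)).fetchone()
    if allowed is None:
        return "endpoint not allowed"
    conn.execute("UPDATE apitoken SET last_used = ? WHERE id = ?", (str(now), token_id))
    return "ok"
```

Revoking a token is just `UPDATE apitoken SET revoked = 1`, which the check above honours on the next request without touching the endpoint links, so a revoked token can be kept in the list with its history intact, as the web interface specification asks.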

tags: added: navref
Changed in nav:
importance: Undecided → Wishlist
description: updated
description: updated
description: updated
Changed in nav:
milestone: none → 4.5.0
Changed in nav:
status: New → Fix Committed
Changed in nav:
assignee: nobody → John-Magne Bredal (john-m-bredal)
Changed in nav:
status: Fix Committed → Fix Released