Unsure about correct permissions/roles/orgs for API application calls

[andrewpatto]

Hi, we would like to create a service user for an external service to allow it to make periodic fetches of application details (i.e. via the API).

I haven't been able to get the permissions to work correctly - and was wondering if I could get some help.

The impression I got was that the 'reporter' role had full visibility across all applications - and so I have created a service user and granted them that role. I then made an API key and attached that user.

{"userid":"auth0|sdadadasdadadsa","name":"REMS ServiceBot","email":"rems+servicebot@host","roles":["reporter","logged-in"]}

I can make API calls to /api/catalogue and see results. However calls to /api/applications always return an empty array -and when I go to look at any specific application raw - it gets no access. It appears that the API user is not respecting the reporter role?

[andrewpatto]

One guess I had was that it was related to organisations - so I have attempted making the service bot an owner of all the organisations that have applications - but still get forbidden.

[andrewpatto]

Actually I think I have worked it out - whilst we can use "rems+servicebot@host" when adding users to the API key - doing so will never then pick up the actual roles from the user when that API key is used.

When I changed to using the direct user id "auth|asdadsada" in the "set-users" - the permissions are now fixed.

The documentation seemed to imply that other user attributes were interchangeable with the user id - is this a documentation misunderstanding or a bug?

[Macroz]

Yes, in most cases, by user identity, we mean the :userid attribute which in this case is "auth|asdadsada". The email is never interchangeable, but any of the identity attributes described in :oidc-userid-attributes config can be used in the API calls.

For the API key check, we will find the :userid based on the value given in the x-rems-user-id header, so what the API key has must be this value. But the values that are accepted are other identifying attributes, not just any attribute. I will check what the documentation says to make sure it is clear.

[Macroz]

The process is roughly:

• create user
• grant the user the reporter (or other role)
• create the api-key
• set the allowed user for the api-key to match the userid

With this setup I can get it to work. There is the further possibility to add certain paths to limit the allowed methods.