
NAS-133012 / 25.04 / Fix API keys for restricted admins #15288

Merged (1 commit), Dec 31, 2024

Conversation

anodos325 (Contributor)

The API key CRUD interface returns the plain-text of the key to be used for authentication in the following scenarios:

  1. api_key.create (new api key created)
  2. api_key.update (with option specified to renew the key)

Users who do not have the API_KEY_WRITE privilege, but do have general API_KEY_READ access, are allowed to create API keys for their own account. This means that the returned plain-text key must not be marked as secret; otherwise it will be redacted and not usable. This is not a security concern, since plain-text keys are not stored on TrueNAS (they are only returned to the account that will be using the key in this case).

This PR also fixes a broken test that should have caught the redacted key value, and also fixes a bug in pam_tdb generation.
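To make the failure mode concrete, here is an added, self-contained model of the behaviour described above (illustrative code, not TrueNAS middleware; the function names, the `_secret` marker and the SHA-256 storage are assumptions): a caller holding only API_KEY_READ creates a key for their own account, the response passes through a redaction step, and the key is then presented for verification. When the returned field is marked secret the caller ends up with a redacted, unusable value; when it is not, the key works, and only its hash is ever stored.

```python
import hashlib
import hmac
import secrets

# Hypothetical privilege names and redaction marker (constructed for this example).
API_KEY_READ = "API_KEY_READ"
API_KEY_WRITE = "API_KEY_WRITE"
REDACTED = "********"

# Server-side store: id -> {"username", "key_hash"}. Plain text is never written here.
_store = {}


def _hash_key(plaintext: str) -> str:
    # Unsalted SHA-256 is acceptable only because the token is 256 bits of randomness.
    return hashlib.sha256(plaintext.encode()).hexdigest()


def can_create(caller: str, privileges: set, username: str) -> bool:
    """API_KEY_WRITE may create keys for anyone; API_KEY_READ only for the caller's own account."""
    if API_KEY_WRITE in privileges:
        return True
    return API_KEY_READ in privileges and username == caller


def api_key_create(caller: str, privileges: set, username: str, mark_secret: bool) -> dict:
    """Create a key and return its plain text exactly once, optionally flagged as secret."""
    if not can_create(caller, privileges, username):
        raise PermissionError("not allowed to create API keys for other accounts")
    plaintext = secrets.token_urlsafe(32)
    key_id = len(_store) + 1
    _store[key_id] = {"username": username, "key_hash": _hash_key(plaintext)}
    # Marking "key" secret is the defect the PR describes: redaction then destroys the only copy.
    return {"id": key_id, "username": username, "key": plaintext,
            "_secret": {"key"} if mark_secret else set()}


def redact_secrets(response: dict) -> dict:
    """Redaction pass applied to responses delivered to callers without write privilege."""
    out = {k: v for k, v in response.items() if k != "_secret"}
    for field in response.get("_secret", set()):
        out[field] = REDACTED
    return out


def api_key_verify(key_id: int, presented: str) -> bool:
    entry = _store.get(key_id)
    return entry is not None and hmac.compare_digest(entry["key_hash"], _hash_key(presented))


def restricted_admin_flow(mark_secret: bool) -> bool:
    """A caller with only API_KEY_READ creates a key for themselves and tries to use it."""
    resp = redact_secrets(api_key_create("alice", {API_KEY_READ}, "alice", mark_secret))
    return api_key_verify(resp["id"], resp["key"])
```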

@bugclerk bugclerk changed the title Fix API keys for restricted admins NAS-133012 / 25.04 / Fix API keys for restricted admins Dec 31, 2024
@anodos325 anodos325 requested review from yocalebo and a team December 31, 2024 13:12
@anodos325 anodos325 merged commit 5b92565 into master Dec 31, 2024
2 checks passed
@anodos325 anodos325 deleted the NAS-133012 branch December 31, 2024 13:53
bugclerk (Contributor)

This PR has been merged and conversations have been locked.
If you would like to discuss more about this issue please use our forums or raise a Jira ticket.

@truenas truenas locked as resolved and limited conversation to collaborators Dec 31, 2024