Welcome to the Inedo Forums! Check out the Forums Guide for help getting started.
If you are experiencing any issues with the forum software, please visit the Contact Form on our website and let us know!
Proget Feature request - API key admin per user
-
Hey Guys,
Hoping to submit a feature request here.
In Proget you should provide the ability for a user to manage their own API keys via the web interface.
At the minute API keys need to be setup by an administrator and assigned to a user via the impersonate user field.
It would be nice if the user was able to create their own API key via the user menu here:
Use case:
Access to proget is setup using AD authentication and assigning an AD group (not ad user) with the correct privilege's.
The user then needs an API key to use with CI/CD tools on the users workstation.
Today:
Administrator needs to login to admin portal, add the ad user with the correct "security", then generate an API key and "impersonate" the user that has just been setup.
Required state:
User logs into the web portal and generates their own key that inherits the users current permission set.
Thanks
Simon
-
Hi @scroak_6473
Thanks for the feature request - we've had a few "informal, unofficial" requests for this over the years, but the discussions didn't develop, and there was never a clear reason why it would help - but this seems much clearer. And it might be an opportunity for improving the API keys in the upcoming ProGet v6.
Can you expand upon a few things?
The user then needs an API key to use with CI/CD tools on the users workstation.
What tools, specifically? What permissions does this API key have?
Administrator needs to login to admin portal, add the ad user with the correct "security", then generate an API key and "impersonate" the user that has just been setup.
How often does this happen?
If you impersonate an AD username, I would expect it to "just work" like logging in? Meaning, you don't need to set-up special privileges - just give the group? Is this not the case (maybe this is a bug)?
Can you give a specific case?
-
Hi @stevedennis
The user then needs an API key to use with CI/CD tools on the users workstation.
What tools, specifically? What permissions does this API key have?
Things like docker desktop, to connect to a proget docker feed you need to use Docker login proget.somehost.com which stores your credentials as a secret. These credentials are then used everytime you do docker pull proget.somehost.com/feed/containername:latest
You can use your AD credentials for this however if your password changes (which you're required to do every 60 days) you'll need to constantly update your docker login credentials. Or worse, your could have an automated deployment using these docker login credentials that is constantly locking out your ad account (as the stored password is now wrong)
The same thing can happen with the nuget package manger that is part of Visual Studio, inputing API credentials here in the below screenshot would make more sense:
Administrator needs to login to admin portal, add the ad user with the correct "security", then generate an API key and "impersonate" the user that has just been setup.
How often does this happen?
Everytime we have a new developer come on board that needs access to the Nuget feed.
If you impersonate an AD username, I would expect it to "just work" like logging in? Meaning, you don't need to set-up special privileges - just give the group? Is this not the case (maybe this is a bug)?
Can you give a specific case?
Apologies after more testing "impersonating" a user specified in an AD group works. However it does take an proget administrator to generate each api key for each user.
Thanks
Simon
-
thanks @scroak_6473 , I think I'm understanding better now. So how about an idea like this?
We make a new page ("Manage My Feed API Keys" or something) that lists the API keys in ProGet that...
- have only the Feed API permission
- Impersonate User = <current logged in user>
The <current logged in user> could delete any of these keys, or create a new key using a new page ("Create New Feed API Key" or something). There'd be only a single editable field on that modal page ("Description"), and behind the scenes, it would create keys like this:
Think that would do the trick?
-
Yes that is exactly what I was thinking except I would make it a 'user' level function vs 'feed'. I.E we don't want users creating different API keys for each feed that they manage.
We want one API key that gives them all the same access as their user account.
For example as a developer I have access to a nuget feed as well as a container image feed, I want to use a single API key to access both these feeds.
Simon
-
@scroak_6473 ah yes for sure -- actually it really could only be a user-level function with this proposal. Basically, this is just a page that allows non-admins to manage a subset of API keys (i.e. ones with only "Feed API" and with their name in the impersonate field) -- we proposing to change how API work, etc.
Let's make sure to definitely clarify this in the UI & documentation. I think you have a lot more experience working with "regular" ProGet users (i.e. non-admins) than we do, so I'm hoping you give some advice on how to best communicate how this all works to regular users, as to means to reduce the administrative work you do.
User Drop Down (from your screenshot)
- Add "Personal API Keys" link above "Change Password"
- Show link only to Authenticated users (i.e. Anonymous can't see it)
- Link navigates to
/my/api-keys
View Package Page
- should we also link to Personal API Keys? Where to mention this?
Personal API Keys (new page)
- Show InfoBox based on user type (see below)
- Show table with three columns: Api Key, Description, and delete button (
) - Clicking on API Key opens a modal that allows editing the description
- "Create API Key" Button works as above (only description allowed)
Messages For Admins
This page shows only API keys with "Feed API" permissions that impersonate your username ({username}), and is intended for non-administrators to manage their own API keys. Because you haveAdmin_ConfigureProGetpermission, you can [manage all API Keys in ProGet].Messages For Non-Admins
Something about <user>:<password>? This page allows you to manage API Keys that ...?cc/ @harald-somnes-hanssen_2204 I remember you had some other "regular user" suggestions as well (but unfortunately they didn't make the 5.3 release)
-
Hi @apxltd
Your description sounds perfect. Look forward to seeing this in a future version.
Also your software products rock! Keep up the great work!
Thanks
Simon
-
Thanks Simon! Much appreciated.
This will officially be our first "v6 preview feature" --- figuring out the general direction of v6 has been on my list, so thanks for helping out on that ;D
I can't imagine it will change between now and v6, but this allows us to work on documentation, etc. in the meantime. No ETA yet (I'll let the team take it from here as PG-1945), but probably in near upcoming maintence releases.
-
@scroak_6473 ooh I forgot to mention, but this feature was released a little while ago. It's a preview feature, and you can enable it by going to [User Icon] > Personal API Keys > Enable.
LMK your thoughts!
