Inedo Community Forums Forums
    • Recent
    • Tags
    • Popular
    • Login

    Welcome to the Inedo Forums! Check out the Forums Guide for help getting started.

    If you are experiencing any issues with the forum software, please visit the Contact Form on our website and let us know!

    Anonymous User Required For API Key Push?

    Scheduled Pinned Locked Moved Support
    proget
    5 Posts 1 Posters 14 Views
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • ? This user is from outside of this forum
      Guest
      last edited by

      I just setup ProGet for the first time and configured it to use LDAP and IIS. I want to use API keys for publishing packages to feeds, but it appears that granting the Anonymous user "Publish Packages" permissions is required. In this case, anyone can now upload packages to the feed via the web UI which is terrible! Is it not possible to set it up to only allow publish for those who have API keys? I don't understand...

      http://inedo.com/support/kb/1112/api-keys-in-proget

      Product: ProGet
      Version: 4.0.9

      1 Reply Last reply Reply Quote 0
      • ? This user is from outside of this forum
        Guest
        last edited by

        We've tried to explain as much as we can in KB#1112 - API Keys in ProGet, but please note specifically:

        In enterprise environments, the usage of API Keys doesn't quite translate.

        Since you're already using LDAP, simply grant the users/groups the privileges you want them to have (such as publishing packages to a feed).

        1 Reply Last reply Reply Quote 0
        • ? This user is from outside of this forum
          Guest
          last edited by

          Thanks for the reply, I had read that article already. The reason for my confusion is that if someone wants to use an API key, it is required that Feeds_AddPackage/Publish Packages permission is granted to Anonymous user on the feed. The problem with this is that it opens up the feed to ANYONE via the ProGet web page so that adding/deleting packages on the feed doesn't require valid credentials/permissions or API key. To me, this mostly defeats the purpose of having an API key.

          The article you linked says "To enable anyone to push packages so long as the API Key is correct, grant the Feeds_AddPackage privilege to the Anonymous User". That isn't true when accessing the feed from a browser however. A correct/valid key isn't required and I'd like to keep the feed secure so that only those with valid credentials and/or API keys are able to add/delete packages.

          If this isn't expected behavior, is there something possibly misconfigured on my ProGet server that is allowing unauthenticated users to add/delete packages on a feed that have publish permissions granted to the Anonymous user? If this is expected behavior, then I suppose I shouldn't use an API key on feeds that I want to keep secure.

          Hopefully this makes sense, but let me know if there is something different I can do or change to lock down the feed from all sources while also allowing the use of API keys.

          Thanks!

          1 Reply Last reply Reply Quote 0
          • ? This user is from outside of this forum
            Guest
            last edited by

            Actually, reading your last sentence again, it sounds like I shouldn't use API keys in cases where I want to keep a feed secure. This is probably the best answer correct?

            1 Reply Last reply Reply Quote 0
            • ? This user is from outside of this forum
              Guest
              last edited by

              Actually, reading your last sentence again, it sounds like I shouldn't use API keys in cases where I want to keep a feed secure. This is probably the best answer correct?

              Yes, pretty much.

              I suppose you could think of it as two different sets of doors that could secure a feed --- the first door (LDAP) is quite secure and can be user/group controlled, whereas the second door (API Key) is quite weak and works a bit like a skeleton key that everyone shares.

              There's zero point in requiring users to unlock two different doors, which is why we say using an API key doesn't make sense when you've enabled LDAP.

              If you want to use only an API key, then you must bypass the first door by allowing anonymous. This is less secure and generally not recommended.

              1 Reply Last reply Reply Quote 0

              Hello! It looks like you're interested in this conversation, but you don't have an account yet.

              Getting fed up of having to scroll through the same posts each visit? When you register for an account, you'll always come back to exactly where you were before, and choose to be notified of new replies (either via email, or push notification). You'll also be able to save bookmarks and upvote posts to show your appreciation to other community members.

              With your input, this post could be even better 💗

              Register Login
              • 1 / 1
              • First post
                Last post
              Inedo Website Home • Support Home • Code of Conduct • Forums Guide • Documentation