
Anonymous User Required For API Key Push?



  • I just set up ProGet for the first time and configured it to use LDAP and IIS. I want to use API keys for publishing packages to feeds, but it appears that granting the Anonymous user "Publish Packages" permissions is required. In this case, anyone can now upload packages to the feed via the web UI, which is terrible! Is it not possible to set it up to only allow publish for those who have API keys? I don't understand...

    http://inedo.com/support/kb/1112/api-keys-in-proget

    Product: ProGet
    Version: 4.0.9



  • We've tried to explain as much as we can in KB#1112 - API Keys in ProGet, but please note specifically:

    In enterprise environments, the usage of API Keys doesn't quite translate.

    Since you're already using LDAP, simply grant the users/groups the privileges you want them to have (such as publishing packages to a feed).



  • Thanks for the reply, I had read that article already. The reason for my confusion is that if someone wants to use an API key, it is required that Feeds_AddPackage/Publish Packages permission is granted to Anonymous user on the feed. The problem with this is that it opens up the feed to ANYONE via the ProGet web page so that adding/deleting packages on the feed doesn't require valid credentials/permissions or API key. To me, this mostly defeats the purpose of having an API key.

    The article you linked says "To enable anyone to push packages so long as the API Key is correct, grant the Feeds_AddPackage privilege to the Anonymous User". That isn't true when accessing the feed from a browser however. A correct/valid key isn't required and I'd like to keep the feed secure so that only those with valid credentials and/or API keys are able to add/delete packages.

    If this isn't expected behavior, is there something possibly misconfigured on my ProGet server that is allowing unauthenticated users to add/delete packages on a feed that have publish permissions granted to the Anonymous user? If this is expected behavior, then I suppose I shouldn't use an API key on feeds that I want to keep secure.

    Hopefully this makes sense, but let me know if there is something different I can do or change to lock down the feed from all sources while also allowing the use of API keys.

    Thanks!



  • Actually, reading your last sentence again, it sounds like I shouldn't use API keys in cases where I want to keep a feed secure. This is probably the best answer correct?



  • > Actually, reading your last sentence again, it sounds like I shouldn't use API keys in cases where I want to keep a feed secure. This is probably the best answer correct?

    Yes, pretty much.

    I suppose you could think of it as two different sets of doors that could secure a feed --- the first door (LDAP) is quite secure and can be user/group controlled, whereas the second door (API Key) is quite weak and works a bit like a skeleton key that everyone shares.

    There's zero point in requiring users to unlock two different doors, which is why we say using an API key doesn't make sense when you've enabled LDAP.

    If you want to use only an API key, then you must bypass the first door by allowing anonymous. This is less secure and generally not recommended.

