-
New Feature Request
-
Resolution: Fixed
-
Major
-
None
-
None
-
Sprint 68 (Sep 2020), Sprint 69 (Oct 2020), Sprint 70 (Nov 2020), Sprint 71 (Dec 2020), Sprint 72 (Jan 2021), Sprint 73 (Feb 2021)
-
4
Summary
Currently Zabbix does not provide a way of generating and managing standalone API Auth tokens. Any 3rd party application that uses API must call 'user.login', it is not good for the following reasons:
- user name and clear text password must be stored on client side
- no Auth token management, it is impossible to see full list of active tokens, also no way to revoke a token
Аcceptance
- Any Zabbix user having enough permissions may create one or more API Auth tokens
-
- User settings and user editing forms will have access to a list of tokens assigned to this user
- Each token will have the following attributes:
- Creation time: date and time when the token was created
- Expiration time: optional expiration date and time. Token cannot be used after expiration time
- Creator: user who created this token
- Name: non-unique short name of the token
- Description: longer description of the token (optional)
- User: to whom this Auth token is assigned, the user to borrow permissions from
- Status: active, disabled
- Token: value of the API Auth token, visible only when a token is generated
- Token must be a randomly generated 32 byte string represented as 64 character HEX value
- User roles will be extended to support another allowed action (role): Create and edit API tokens
- List of all tokens will be available to super-administrators under Administration->General→Auth tokens
- Therefore super-administrators can create new, update and delete tokens created by any user
- Only if super-admins has permissions to "Create and edit API tokens"
- Therefore super-administrators can create new, update and delete tokens created by any user
- The following operation will be supported for tokens:
- Create, Delete, Disable, Enable
- Update: only name, description and status
- Zabbix API will be extended to support operations with tokens
- Same restrictions for operations as in the UI
- Token value is only returned on create, 'get' must not return token value
- Access to Zabbix API methods will be possible:
- using user name and password authentication (as it is now)
- using Auth token given in the "Auth" field
Nonfunctional requirements
- N/A
Use cases
- I want to generate and share Zabbix API token having expiration date and limited permissions with some 3rd party
- I do not want to share user name and password!
Decisions made
- No read only tokens for now. It should probably be implemented on user role level
- Besides Zabbix 5.2 support filtering for API methods, which is even more flexible
- API token values are write-only
There are no Sub-Tasks for this issue.