Hi Tore, WG,

I really do not see any benefits or reasons why we should change the API key system for the DB.

Maybe I am missing something that you can elaborate on.

Additionally if this was to replace the existing system it would just make it unavailable for non-LIRs (such as orgs with PI resources) without any real reason.

- Cynthia

On Fri, Feb 21, 2020 at 11:54 AM Tore Anderson via db-wg <db-wg@ripe.net> wrote:

Hi WG.

In the LIR Portal, at https://lirportal.ripe.net/api/, it is possible to issue API keys for use with several different RIPE NCC services.

However, it is unfortunately not possible to issue API keys for the two APIs that are used for database maintenance; Syncupdates and the RESTful API. The documentation implies that the only authorisation [sic] method for those APIs is MD5-PW.

I propose that the API keys mechanism is extended to Syncupdates and the RESTful API.

The already existing default maintainer concept could be leveraged to accomplish this (similar to how NWI-8 was implemented). That is, using Syncupdates or the RESTful API with API keys will simply authenticate the client as the LIR's default maintainer.

Authorisation should remain handled by in-band mnt-* object attributes, as is currently the case.

It would be an acceptable limitation that API keys for database maintenance are unavailable for LIRs without a default maintainer.

Assuming the WG agrees that this is a good idea, I request an NWI.

Tore