RUDDER 4.3 – Focus on the ‘API rights’ feature

Since RUDDER 2.7 (almost 5 years ago!), we have provided an API that gives you access to almost all data and features of RUDDER, so you can build your own scripts and integrations and make RUDDER a better fit for your IT environment (more details about the API here: https://www.rudder-project.org/rudder-api-doc/). There was, however, one flaw in our design: all API accounts had full access to the API, so anyone holding a token could do anything. With RUDDER 4.3, that time is over. We have defined an authorization system for API accounts that lets you control which endpoints an account can reach. We have also added a TTL to accounts, so a token no longer grants access to the RUDDER API forever.

Directly in your RUDDER 4.3

There are currently four levels of authorization defined in RUDDER:

  • No Access: almost like a disabled state, no endpoint can be reached.
  • Read-only: you can only fetch data from RUDDER (access to all GET endpoints) and no modification endpoint.
  • Full: like before, access to the full API (existing accounts will keep that level).
  • Custom ACLs: choose, among all API endpoints, which ones are available.

To keep it simple, only the first three levels can be used in RUDDER itself; Custom ACLs are enabled by a new plugin, the rudder-api-authorizations plugin. I’ll get back to this later with more details about what the plugin makes possible.

API account table, with new data, and a little UI update!

The expiration date (TTL of an account) can either be undefined (the account will never expire) or a specific date. If an account is used after its expiration date, it will be forbidden access to all endpoints, like an account with “No access”.

The expiration date and access level can be defined for every account in a dedicated popup.

rudder-api-authorizations plugin

The rudder-api-authorizations plugin gives you access to two features:

  • Custom ACLs
  • User tokens

Custom ACLs allow you to define precise rights for any API account, so you can restrict an API account to the Nodes API only, or whatever you want!
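
To make the four levels and the expiration rule concrete, here is a small policy evaluator written for this post; it is not RUDDER’s own code, and the endpoint paths, the sample accounts and the ACL format (HTTP method plus path prefix) are assumptions for the example, not the plugin’s real format.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Optional, Set, Tuple


@dataclass
class ApiAccount:
    """One API account as described above: a level, an optional expiration
    date and, for the Custom ACLs level, an explicit allow-list."""
    name: str
    level: str                               # "none", "readonly", "full" or "custom"
    expires: Optional[datetime] = None       # None: the account never expires
    acls: Set[Tuple[str, str]] = field(default_factory=set)  # (method, path prefix)


def is_allowed(account: ApiAccount, method: str, path: str, now: datetime) -> bool:
    """Decide whether `account` may call `method path` at time `now`."""
    # An account used after its expiration date behaves exactly like "No Access".
    if account.expires is not None and now >= account.expires:
        return False
    if account.level == "none":
        return False
    if account.level == "full":
        return True
    if account.level == "readonly":          # every GET endpoint, nothing else
        return method == "GET"
    if account.level == "custom":            # only what the ACL list grants
        return any(m == method and path.startswith(p) for m, p in account.acls)
    return False                              # unknown level: fail closed


# Constructed sample accounts; the paths are assumed, not real RUDDER endpoints.
NOW = datetime(2018, 4, 1, tzinfo=timezone.utc)
ACCOUNTS = {
    "monitoring": ApiAccount("monitoring", "readonly"),
    "legacy": ApiAccount("legacy", "full", expires=datetime(2018, 3, 1, tzinfo=timezone.utc)),
    "nodes-only": ApiAccount("nodes-only", "custom",
                             acls={("GET", "/api/nodes"), ("POST", "/api/nodes")}),
}


def check(name: str, method: str, path: str) -> bool:
    """Evaluate one request against a sample account at the fixed time NOW."""
    return is_allowed(ACCOUNTS[name], method, path, NOW)


if __name__ == "__main__":
    for args in [("monitoring", "GET", "/api/nodes"), ("monitoring", "DELETE", "/api/nodes/n1"),
                 ("legacy", "GET", "/api/rules"), ("nodes-only", "POST", "/api/nodes"),
                 ("nodes-only", "GET", "/api/rules")]:
        print(args, "->", "allowed" if check(*args) else "forbidden")
```

Note that the expired "legacy" account is refused even though its level is Full, which is the behaviour the TTL is meant to enforce.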

The plugin also allows every user of RUDDER to have a token; that token has access to all API endpoints corresponding to the user’s authorisations (i.e. a read-only user will only have access to read-only endpoints, a “node” user will have access to the Node API, and so on).

You can generate your API token by clicking on the user menu in the top right corner.

What’s next?

RUDDER 4.3 brings the last consolidations of the features that version 4.0 introduced. The feedback we received allowed us to enrich and perfect them over 3 versions while we worked on the big novelties coming soon in RUDDER 5.

Indeed, the next version is going to be a major release, bringing many changes both inside and outside Rudder, including:

  • a reporting plugin to extract historical compliance reports
  • numerous integrations with other tools:
    • Centreon
    • Slack
    • iTop
    • and so on

Because of the new regulation about personal data, we invite you to subscribe to our anglophone newsletter.
To join the francophone newsletter, click here instead: http://eepurl.com/b-_wK9

If you signed up long ago, please fill in and submit the form again to confirm that you want to keep receiving RUDDER news. If you don’t, you may be removed from our database because of the new data retention legislation.