Catalyst/API Keys

From Wikitech

Catalyst API Key Policies

  1. API tokens shall be given to WMF staff and volunteers who have a use-case that cannot be addressed using the Patchdemo UI.
    1. Exactly one API token shall be created for each person who has access to the API (i.e. no key sharing).
    2. Access to the Catalyst API shall be requested as a ticket on Phabricator in Catalyst Backlog, with the following information about the human for whom access is requested:
      1. phabricator username
      2. Meta-Wiki username
      3. Wikimedia IDM/IDP username
      4. Reason/need for access
      5. 1password account e-mail or public key
  2. API tokens shall be given to teams with a need to use the Catalyst API in CI
    1. Exactly one API token shall be created for each team with a CI use-case.
    2. Access to the Catalyst API shall be requested as a ticket on Phabricator in Catalyst Backlog, with the following information about the team for which access is requested:
      1. Team name
      2. Team email (preferably a group email not tied to a single human)
      3. Team or team member 1password account
      4. Reason/need for access
  3. API tokens must never be delivered or shared in plain text.
    1. New API tokens shall be delivered or shared via (in order of preference):
      1. https://wikimedia.1password.com/ which can be used to deliver the key:
        1. to a WMF staff member, shared with their WMF 1password account, or
        2. to a volunteer, shared with their personal 1password account
      2. encrypted using the requester's public key
        1. this method should only be used for volunteers who prefer not to use 1password
  4. API keys MAY be revoked if unused for a period of six months
    1. Catalyst administrators SHOULD make an attempt to contact the user before revocation. Contact may either take the form of a direct message or a Phabricator task. If no contact information is available for a user, then this step MAY be skipped.
    2. In the case that there is no contact information available, or there is no reply to a contact attempt within two weeks, or, after contact, the user confirms there is no ongoing need for their API token then the token SHOULD be revoked.
    3. Users MAY re-request a new token after it has been revoked, following the process outlined on this page. Tokens MAY not be re-issued.

Issuing API Key Instructions

As a Catalyst or Test Platform team member, run the following, substituting "YOUR_USER" with your shell username and "HUMAN NAME AND TEAM NAME" with the name and team of the token owner:

ssh YOUR_USER@k3s.catalyst.eqiad1.wikimedia.cloud

kubectl exec deploy/catalyst-api-deployment -n control-plane -- /bin/bash -c 'curl -s -H "Authorization: ApiToken $ADMIN_TOKEN" -X POST -d '\''{"description": "HUMAN NAME AND TEAM NAME"}'\'' "http://catalyst-api-service/api/apiTokens"'

Copy the value of "token" from the JSON response. It is displayed only once, and the command intentionally leaves $ADMIN_TOKEN unexpanded on your local shell so that it is only resolved inside the pod. Create a new "secure message" in 1password, paste the API key into it, and share it with the token owner's e-mail address.
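The following script is an added example and is not part of the Wikitech page or of the Catalyst project's own tooling. It wraps the issuing command above so that the token is never echoed to the terminal or left in shell history: the JSON response is captured, the "token" field is extracted, and the value is written to a mode-0600 temporary file that can be pasted into a 1password secure message and then deleted. It assumes (not stated on the page) that the API answers with a JSON object containing a "token" field, and it rejects descriptions containing quote or backslash characters because they would break the single-quoted JSON body sent to the pod.

```shell
#!/usr/bin/env bash
# Added example (not from the Wikitech page): issue a Catalyst API token without
# printing it. Run on the k3s host after the ssh step from the page.
set -eu

# validate_description DESC -> 0 if DESC is safe to embed in the single-quoted JSON body
# (no quotes or backslashes, not empty), 1 otherwise.
validate_description() {
  case $1 in
    ''|*\'*|*\"*|*\\*) return 1 ;;
  esac
  return 0
}

# extract_token RESPONSE_JSON -> prints the value of the "token" field, or returns 1
# when the response has no such field (e.g. an error object). Assumes a single-line
# JSON object such as {"id": 7, "token": "...", "description": "..."} (assumption).
extract_token() {
  local token
  token=$(printf '%s' "$1" \
    | sed -n 's/.*"token"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p' \
    | head -n 1)
  [ -n "$token" ] || return 1
  printf '%s' "$token"
}

# issue_token DESC -> runs the kubectl/curl call from the page and prints the raw
# response. The single-quoted string is closed and reopened around the JSON body so
# that $ADMIN_TOKEN is expanded inside the pod, never on the local shell.
issue_token() {
  local description=$1
  kubectl exec deploy/catalyst-api-deployment -n control-plane -- /bin/bash -c \
    'curl -s -H "Authorization: ApiToken $ADMIN_TOKEN" -X POST -d '\''{"description": "'"$description"'"}'\'' "http://catalyst-api-service/api/apiTokens"'
}

# save_token TOKEN -> writes TOKEN to a file created by mktemp (mode 0600) and prints its path.
save_token() {
  local f
  f=$(mktemp)
  printf '%s\n' "$1" > "$f"
  printf '%s' "$f"
}

main() {
  local desc=$1 resp token path
  validate_description "$desc" || { echo "description must be non-empty and contain no quotes or backslashes" >&2; return 1; }
  resp=$(issue_token "$desc")
  token=$(extract_token "$resp") || { echo "no \"token\" field in API response" >&2; return 1; }
  path=$(save_token "$token")
  echo "token written to $path (mode 0600); paste it into a 1password secure message, then rm the file"
}

# Only issue a token when a description is given on the command line,
# e.g.:  ./issue_catalyst_token.sh "Alice Example / Catalyst"
if [ $# -gt 0 ]; then
  main "$1"
fi
```

The two helpers that do not touch the cluster, validate_description and extract_token, can be exercised on their own with a constructed response; the issuing call itself still requires the kubectl access described above.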