Tykdash API user access key issues


#1

Imported Google Group message. Original thread at: https://groups.google.com/forum/#!topic/tyk-community-support/R_CaUQE6Wyw Import Date: 2016-01-19 21:21:40 +0000.
Sender:Senthil Muniswamy.
Date:Tuesday, 25 August 2015 18:44:25 UTC+1.

Hi Martin,

Issue 1:
Tykdash API access keys become invalid on Redis restart. Getting a 401 error.

Issue 2:
Resetting an inactive user’s API access key is valid even though the user is inactive.

Issue 3:
The existing API access key of an inactive user is not valid when the user is made active. Is this expected?

Can you confirm if Issue 1 is not a misconfiguration?

Thanks,
Senthil


#2

Sender:Martin Buhr.
Date:Tuesday, 25 August 2015 18:59:56 UTC+1.

Issue 1:
Tykdash API access keys become invalid on Redis restart. Getting a 401 error.

A: Redis is an in-memory store; you will need to configure Redis so that it either appends to disk (can cause ballooning disk) or has a read slave so you don’t lose data. This is a Redis configuration issue, not Tyk, AFAIK.

Issue 2:
Resetting an inactive user’s API access key is valid even though the user is inactive.

A: Portal developers’ keys are just normal keys; if you reset them, they become active like any other key.

But this could be handled better; I will put something on the roadmap.

Issue 3:
The existing API access key of an inactive user is not valid when the user is made active. Is this expected?

A: See above. Developers are just profiles with keys attached; disabling the user disables their login to the dashboard. You will need to reset their keys, switch them off or destroy them in order to stop a developer’s keys from working.

I just checked the code: if you delete the developer, their keys are revoked.

Again I think this is something we could improve in future versions.

Can you confirm if Issue 1 is not a misconfiguration?

A: Issue 1 is a misconfiguration of Redis; I suggest you look at the Redis docs for advice.

Cheers,
Martin

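The persistence options Martin points to in the answer above, shown as an added example; this is not part of the original thread and not Tyk's own configuration. The directive names are Redis's own (`slaveof` was the replication directive in the Redis 2.8/3.x releases current at the time of the thread; Redis 5 renamed it `replicaof`). The data directory and the master address are placeholders, and the "weak" and "corrected" fragments are alternatives to compare, not meant to be combined in one redis.conf.

```conf
# ---- Weak: no persistence at all. ----
# With RDB snapshots disabled and AOF off, everything Tyk wrote to Redis
# (dashboard user API keys included) is gone the moment Redis restarts,
# which is the "401 after Redis restart" symptom from the thread.
save ""
appendonly no

# ---- Corrected: append-only file for durability, RDB as a compact fallback. ----
dir /var/lib/redis                 # placeholder; must be writable by the redis user only
appendonly yes
appendfilename "appendonly.aof"
appendfsync everysec               # fsync once per second: at most ~1s of writes lost on crash
no-appendfsync-on-rewrite no
# The AOF grows with every write; automatic rewrites bound the "ballooning disk"
# Martin mentions by compacting the log once it doubles past 64 MB.
auto-aof-rewrite-percentage 100
auto-aof-rewrite-min-size 64mb
# Keep periodic RDB snapshots too: they are small and make restores simple.
save 900 1                         # snapshot if >= 1 key changed in 15 minutes
save 300 10
save 60 10000
stop-writes-on-bgsave-error yes    # fail loudly rather than silently losing durability

# ---- Alternatively (or additionally), a read slave on a second host. ----
# Placed in the redis.conf of the replica; 10.0.0.5 is a placeholder master.
# slaveof 10.0.0.5 6379            # Redis <= 4
# replicaof 10.0.0.5 6379          # Redis >= 5
# masterauth <master-password>     # if the master sets requirepass
```

To confirm the change took effect, `redis-cli CONFIG GET appendonly` should return `yes` and `redis-cli INFO persistence` should report `aof_enabled:1`. One caveat worth weighing before turning persistence on: the Redis value Senthil prints later in this thread holds the dashboard user's bcrypt password hash and the access_key in the clear, so once AOF/RDB files exist that material is on disk and belongs in the same threat model as the MongoDB data files (restrictive permissions on `dir`, encrypted backups).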

#3

Sender:Senthil Muniswamy.
Date:Thursday, 27 August 2015 18:30:05 UTC+1.

Hi Martin,

I was trying to figure out what happened to the Tyk admin API key. It seems like the key has been renamed.

The Tyk admin API key name is always suffixed with the access_key (fcdd741b85da444f7208173c7ca0174d). But at some point the key name has been changed (tyk-admin-api-5ae6165f-8507-496c-7440-41a5b4845ec3) and this key is also set to expire. I suspect Tykdash changed it. Can you explain when this would happen?

127.0.0.1:6379> GET "tyk-admin-api-5ae6165f-8507-496c-7440-41a5b4845ec3"
"{\"UserData\":{\"api_model\":{},\"first_name\":\"John\",\"last_name\":\"Smith\",\"email_address\":\"ad…@test.com\",\"password\":\"$2a$10$hWqbImZhaiOeLFdspfhpFOeek.TkMaaGp1Y17bicxij0jsYihye8q\",\"org_id\":\"55ce17026dae54323c000001\",\"active\":true,\"id\":\"55ce17022fa5c61a6f8cdfff\",\"access_key\":\"fcdd741b85da444f7208173c7ca0174d\"}}"

127.0.0.1:6379> ttl "tyk-admin-api-5ae6165f-8507-496c-7440-41a5b4845ec3"
(integer) 32800

Thanks,
Senthil

On Tue, Aug 25, 2015 at 2:32 PM, Martin Buhr wrote:

> > Regarding Issue 1: since the API access key is stored in the MongoDB collection (tyk_analytics_users), I also restarted Tykdash and expected it to be loaded.
>
> Oh I see! I thought you were talking about portal developer users :-/
>
> The dashboard user keys are stored in Redis when created. There was a reason for this, ages back when we put it together; I think it was to avoid hitting Mongo all the time when using the dashboard, Redis is just faster. But they don’t reload, which I admit is an oversight; we assumed you wouldn’t restart Redis ;)
>
> Might be worth looking into changing. Can you raise a ticket in our GitHub repo so we can track it?
>
> Cheers,
> Martin


#4

Sender:Martin Buhr.
Date:Thursday, 27 August 2015 18:49:41 UTC+1.

Hi Senthil,

There are two sessions: one is the API key, the other is the login session for the dashboard. The dashboard login session has a timeout; the access API key does not.

That would explain the rumour and the name change. It didn’t change; it’s a different object.

Thanks,
Martin
