
Question about security for POST method of HTTP:

I made a user called "MyAPP":

    {
        "userdef": [
            "view",
            "create"
        ],
        "api_key": "dzn8k7hj2sdgddlvymfmefh1k2ddjl05",
        "user_id": "MyAPP",
        "name": "MyAPP",
        "creator": "admin",
        "edit": [],
        "dbdef": [
            "view",
            "create"
        ],
        "querydef": [
            "view",
            "create"
        ],
        "databases": {
            "Gaming": {
                "dbuser": "mydbuser_here",
                "dbpass": "mypass_here"
            }
        },
        "password": "$6$rounds=665736$x/Xp0k6Nj.5qzuM5$G.3w6Py1s.xZ83RHDU55qonNMpJe4Le8nD8PqjYKoOtgbab7T22knJPqwHspoT6BQxp.5gieLFuD0SdD9dyvi/",
        "email": "",
        "view": []
    }

Then I wanted to issue a POST in order to execute a SQL Pass-thru such as this:

    http:///query/InsertBestScore/Score/99/ScreenName/GollyGolly.xml?apikey=dzn8k7hj2sdgddlvymfmefh1k2ddjl05

Where I built a query and named it "InsertBestScore": insert into Gaming.Leaderboard (ScreenName, Score) values (:ScreenName, :Score);

If I run this via POSTMAN using the POST method: ... then I get an access denied, 403:

    <?xml version="1.0" encoding="utf-8"?>
    <SlashDB>
        <http_code>403</http_code>
        <description>Access was denied to this resource. Please log in with your username/password or resend your request with a valid API key.</description>
        <url_template>/query/InsertBestScore/Score/{Score}/ScreenName/{ScreenName}.xml</url_template>
    </SlashDB>

Also, I would be calling this POST (or PUT) request from an application, in my case a Python program running from within an AWS Lambda function.

Now, I came across this in the documentation:

Two parameters API key

SlashDB also allows two-parameter credentials in this authentication method - app id and api key. This may come in handy when integrating with API management systems like 3Scale. By default the header and query string arguments would be:

  • appid - identifies a certain application
  • apikey - secret for the application

Request with API key in header - Access granted

... however, in the example above I don't see where the appid comes into play. Can you tell me how one would call the SlashDB endpoint, pass an API key, and ensure that the user id is known as MyAPP?

So, to sum up, the documentation mentions:

  • Another application utilizes an API key to authenticate, which is sent with every request. The application is recognized as SlashDB user App2, which uses database login db_admin. Effectively this application can SELECT, UPDATE, INSERT and DELETE data.

So I actually want to do just what is in that bullet: identify myself as the user (instead of App2, I'm user MyAPP), and then use the dbuser and dbpass that were assigned to access that "Gaming" database.

Idea?

ElliotB

2 Answers

Make sure you've given user MyAPP permission to execute the query. To do so:

  • login as admin,
  • go to Configure -> Queries,
  • open your query definition,
  • update the Execute field. It accepts comma-separated user ids.

mdob

OK, there are really two questions here:

  1. Why was access denied?
  2. What is the appid and how do I use it?

Ad. 1: There are two authorization barriers that the request has to clear.

The first one is imposed by SlashDB in that the user executing the query must be listed in the Execute field on the query definition screen. This is done under Configure -> Queries -> "edit" button on your query.

The second barrier is imposed by the database. The SlashDB user who is executing your POST request must be mapped to a physical database user with INSERT privileges on the Gaming.Leaderboard table. It goes without saying that this database user must be associated with the database schema in which the table exists.

Ad. 2: To enable the appid, the user's API key must be composed of two parts separated by a colon ":". The first part will be interpreted as the appid and the second as the apikey.

To do that, use Configuration -> Users -> 'edit' button for the user in question. Then simply add a colon at the beginning of the API key and type your desired appid to the left of the colon. The app will have to supply both keys to execute the request. Note that the names of those keys (i.e. appid) are configurable in /etc/slashdb/slashdb.ini.

The reasoning behind this feature is to facilitate API management platforms, which can help with key management, especially when the API will be exposed to third-party developers.

Victor Olex
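The client side of the two answers above, as an added example written for this thread (not code from SlashDB or from either answerer): it applies the "appid:apikey" split rule, builds the POST for the query URL template from the 403 response, sends the credentials as the `appid`/`apikey` headers the quoted documentation names (assumed defaults, since the answer says the names are configurable in slashdb.ini) rather than in the query string, so the secret stays out of access and proxy logs, and parses the SlashDB XML error body. The base URL is a placeholder.

```python
"""Helpers for calling a SlashDB query endpoint with a (possibly two-part) API key."""
import urllib.parse
import urllib.request
import xml.etree.ElementTree as ET
from typing import Optional, Tuple

# Default header names as quoted from the SlashDB docs in the question; the
# answer notes they are configurable in /etc/slashdb/slashdb.ini (assumption).
APPID_HEADER = "appid"
APIKEY_HEADER = "apikey"

# 403 body copied from the question, used here as offline sample input.
SAMPLE_403 = b"""<?xml version="1.0" encoding="utf-8"?>
<SlashDB>
    <http_code>403</http_code>
    <description>Access was denied to this resource. Please log in with your username/password or resend your request with a valid API key.</description>
    <url_template>/query/InsertBestScore/Score/{Score}/ScreenName/{ScreenName}.xml</url_template>
</SlashDB>"""


def split_api_key(configured_key: str) -> Tuple[Optional[str], str]:
    """Rule from the answer: 'appid:apikey' in the user's api_key field is a
    two-part credential; a key with no colon is a plain apikey (appid=None)."""
    appid, sep, secret = configured_key.partition(":")
    return (appid, secret) if sep else (None, configured_key)


def build_query_request(base_url: str, configured_key: str,
                        score: int, screen_name: str) -> urllib.request.Request:
    """POST to /query/InsertBestScore/Score/{Score}/ScreenName/{ScreenName}.xml.
    Parameters are percent-encoded into the path; credentials travel in
    headers, not in ?apikey=..., so they do not land in URL logs or history."""
    path = "/query/InsertBestScore/Score/{}/ScreenName/{}.xml".format(
        urllib.parse.quote(str(score), safe=""),
        urllib.parse.quote(screen_name, safe=""))
    req = urllib.request.Request(base_url.rstrip("/") + path, data=b"", method="POST")
    appid, secret = split_api_key(configured_key)
    if appid is not None:
        req.add_header(APPID_HEADER, appid)
    req.add_header(APIKEY_HEADER, secret)
    return req  # send with urllib.request.urlopen(req) when ready


def parse_slashdb_error(body: bytes) -> Tuple[int, str]:
    """Return (http_code, description) from a SlashDB XML error document."""
    root = ET.fromstring(body)
    code = int(root.findtext("http_code", default="0"))
    return code, (root.findtext("description") or "").strip()
```

Note that `urllib.request` stores header names capitalized, so the apikey header is read back as `Apikey`.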