Calling APIs and licensing requirements

Hi all,
We are building an API that could be called by many people running local apps and processes. I understand API keys are the way to go. The issue I'm having is that my security team wants separate keys for every user and process, and a process for managing those keys. Another problem is that there is no guarantee that a key meant for John Doe is not being used by Jane Doe. Almost all of the callers are not licensed users. That is, we see no way to associate a key with an identity in the API's code. My question is: is this just the way it is and I need to deal with the management overhead, or am I missing something? I hope it's the latter and someone can point me to some resource I've missed.
Regards,
Mike
Best Answer
Turribeach (Neuron, 2,531 posts)
If you are talking about Dataiku APIs that you plan to develop and deploy in the Dataiku API node, then this is just the way it is. The other API keys, the ones used to call Dataiku's internal and external APIs, are "managed" API keys, since they can be linked to a user. APIs developed with the API node are not meant to be used by humans; they are supposed to be integrated with other applications, which is why this is not usually a problem.
Having said that, nothing stops you from adding additional authentication or authorisation layers to your custom API. In fact, you don't even need to use Dataiku API keys at all, and you could handle the authentication/authorisation directly in the API itself. Your choice really.
Answers
Thank you Turribeach,
I assumed that it is what it is. I feel like I was throwing a Hail Mary by asking the question. My plan is to store generated keys in a key vault, use another app to manage them (create, retire, etc.), and then use a bit of code in my APIs to validate against the key vault.
Have a good day/night,
Mike
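As an added example (not code from the original thread, Dataiku, or either poster), this is the shape of the per-caller check described above: the answer's suggestion of handling authentication directly in the custom API, and the plan of validating presented keys against a vault. The `KeyStore` class is an in-memory stand-in for that vault and the management app; the key format `<key_id>.<secret>`, the record fields and the `mint`/`revoke`/`validate` names are all assumptions for illustration. Each key is bound to an owner at issue time, only a SHA-256 digest of the secret is stored, the comparison is constant-time, and revoked or expired keys are rejected, so the API gets back an identity rather than just a yes/no.

```python
"""Added example of a per-caller API-key layer for a custom API.

Not Dataiku code. KeyStore stands in for the key vault plus the
management app; the key format and record fields are assumptions.
"""
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Optional


def _digest(secret: str) -> str:
    # Only this digest is stored, so a copied store does not yield usable keys.
    return hashlib.sha256(secret.encode("utf-8")).hexdigest()


@dataclass
class KeyRecord:
    owner: str              # identity the key is bound to (user or process name)
    secret_sha256: str      # digest of the secret half of the key
    expires_at: float       # unix time; 0 means no expiry
    revoked: bool = False


class KeyStore:
    """In-memory stand-in (assumption) for a vault with the three operations a
    management app would expose: mint, revoke, validate."""

    def __init__(self) -> None:
        self._records: dict[str, KeyRecord] = {}

    def mint(self, owner: str, ttl_seconds: int = 0) -> str:
        """Issue a key bound to `owner`; the clear-text key is returned once."""
        key_id = secrets.token_hex(8)          # public lookup handle
        secret = secrets.token_urlsafe(32)     # 256 bits of randomness
        expires = time.time() + ttl_seconds if ttl_seconds else 0
        self._records[key_id] = KeyRecord(owner, _digest(secret), expires)
        return f"{key_id}.{secret}"

    def revoke(self, key_id: str) -> None:
        rec = self._records.get(key_id)
        if rec is not None:
            rec.revoked = True

    def validate(self, presented: str, now: Optional[float] = None) -> Optional[str]:
        """Return the owner bound to `presented`, or None if the key is
        malformed, unknown, revoked, expired, or its secret does not match."""
        now = time.time() if now is None else now
        key_id, sep, secret = presented.partition(".")
        if not sep:
            return None
        rec = self._records.get(key_id)
        if rec is None or rec.revoked:
            return None
        if rec.expires_at and now >= rec.expires_at:
            return None
        # Constant-time comparison so response timing does not leak the secret.
        if not hmac.compare_digest(_digest(secret), rec.secret_sha256):
            return None
        return rec.owner


def handle_request(store: KeyStore, api_key: str, payload: dict) -> dict:
    """Illustrative endpoint wrapper (assumption): authenticate, then log and
    act under the caller identity the key was issued to."""
    owner = store.validate(api_key)
    if owner is None:
        return {"status": 401, "error": "invalid or revoked API key"}
    # Real handler logic would go here; the owner is what you audit on.
    return {"status": 200, "caller": owner, "echo": payload}


if __name__ == "__main__":
    store = KeyStore()
    john_key = store.mint("john.doe")
    etl_key = store.mint("svc-nightly-etl", ttl_seconds=3600)
    print(handle_request(store, john_key, {"q": 1}))
    store.revoke(john_key.partition(".")[0])
    print(handle_request(store, john_key, {"q": 1}))
    print(handle_request(store, etl_key, {"q": 2}))
```

Note what this does and does not buy: the key carries the identity it was minted for, so every call can be logged and authorised as that owner, and a key that leaks from John to Jane can be revoked or allowed to expire without touching anyone else's key. It cannot by itself prove that the person holding John's key is John; that is what short TTLs, per-process keys and the audit trail on `owner` are for.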