Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Introduce Service Accounts #1217

Open
2 tasks
vviers opened this issue Sep 23, 2024 · 4 comments
Open
2 tasks

Introduce Service Accounts #1217

vviers opened this issue Sep 23, 2024 · 4 comments
Labels
anct enhancement New feature or request

Comments

@vviers
Copy link
Collaborator

vviers commented Sep 23, 2024

Describe the problem to be solved

Following up on #579, @paulfitz @hexaltation @jonathanperret and I sat down to outline a solution to the more granular API keys feature request. Here is what we discussed :

Describe the solution you would like

We offer to introduce the concept of "Service accounts", partly inspired by what GCP is doing

At a high level, a service account is just like a regular user in Grist -- it can be added to any number of documents, workspaces, or orgs. ACL apply to this user and it has its own API key.

Service account lifecycle

  • Lyfecycle of a Service account follows the same rules as that of a user
    • The owner of a document can CRUD a Service account and add it to that document (note : technically, the user then becomes a "Guest" in the document's org/team site)
    • The owner of a workspace can CRUD a Service account at the workspace level
    • The owner of a team site can CRUD a Service account at the team site level
    • other roles (EDITOR or VIEWER) cannot CRUD a service account
  • There should be an admin panel at the team site level where all service accounts in the org can be listed (along with the documents they have access to) and managed centrally by team site owners
  • The Service account's API Key can only be accessed by the creator of the Service account (important : Owners of the team site should not be able to get the API key of Service accounts via the admin panel)

UI/UX considerations

  • The creation panel for a Service account could be a separate panel in the "Manage users" menu
  • There should be a way to describe what the service account will be used for (e.g. "Connect Grist to Mattermost", "Integrate with our marketing ETL pipeline", ...)
  • The UI should make clear that Service account are robots
  • The UI should show who created the service account in the first place
  • The new Service account admin panel should make it easy to provision, audit and delete Service accounts
  • (maybe) There should be a UI to re-generate a Service account API key (or maybe deleting the Service account and creating a new one would be enough ?)

Technical considerations

  • Service account key is shown at creation time only. If you need to read it again, you should regenerate it.
  • There should be a boolean column in the users table to differentiate Service accounts from regular accounts
  • Service accounts don't necessarily need to have an email address, especially if Using OIDC, the email is used to identify the user instead of the 'sub' claim #759 is implemented. If they do, they could look like sa-{team-site}-{uuid}@getgrist.com

Here are the concrete next steps we agreed on :

@dsagal
Copy link
Member

dsagal commented Oct 12, 2024

Question about regenerating keys. Firstly, creating a new service account + deleting old is not equivalent to regenerating, because the existing account could have been manually added to certain documents, or mentioned in certain access rules.

If we support regenerating the secret key and associating it with the existing service account, should we support a grace period when both keys work? For example, Stripe offers this option. Stripe calls it "Rolling API Key", it's documented here: https://docs.stripe.com/keys#rolling-keys. At the time of regenerating a new key, you get to specify expiration for the previous one, which could be "Now" or after a certain time.

Asking this now, because if we need to support two secret keys for the same service account, this may affect the schema.

@lusebille
Copy link
Collaborator

lusebille commented Oct 15, 2024

Just let you know mocks are linked to the ticket #1218 ( style work in progress) but close to the final version https://www.figma.com/design/wcpetFt6aOKzTszcvPPWLQ/%5B05%2F24%5D-Grist-Design?node-id=2353-78236&t=HI191FPx7W2TTbxS-1

@hexaltation
Copy link
Collaborator

I got a recursive question while implementing the #1219 POC.
Can a service-account CRUD for service-account?
If so, is its owner the CRUDing service account or the owner of the CRUDing service-account?

@dsagal @vviers @paulfitz do you have some opinion on that point?

@vviers
Copy link
Collaborator Author

vviers commented Nov 21, 2024

Can a service-account CRUD for service-account?

I would say no, especially since SCIM (#1199) will provide a nicer way for another app or service to CRUD users progamatically ?

But I haven't thought about it too hard so I am interested in hearing what others think

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
anct enhancement New feature or request
Projects
Status: Todo
Development

No branches or pull requests

4 participants