# advice-data-governance
t
Hi All, Is it possible to create a personal access token on behalf of another user? We would like to control the issuance of tokens centrally, rather than allowing users to do it directly in an uncontrolled manner.
b
IIRC there is a platform privilege to manage tokens - the person granted that can create tokens on behalf of others. If you remove the platform privilege to create tokens, then the user cannot create his/her own token.
a
t
Thanks @better-orange-49102 and @astonishing-answer-96712. What is the correct way to implement this? I couldn’t find it in the GUI (0.9.2). I tried to do it via curl as in the docs, but it created the token for me instead of the target user.
Attempt 1
curl -X POST 'https://domain/api/graphql' \
--header 'Proxy-Authorization: Bearer <IAP token>' \
--header 'Authorization: Bearer <my personal access token>' \
--header 'Content-Type: application/json' \
--data-raw '{ "query":"mutation { createAccessToken(input: { type: PERSONAL, actorUrn: \"urn:li:corpuser:<target user>\", duration: ONE_HOUR, name: \"my personal token\" } ) { accessToken metadata { id name description} } }", "variables":{}}'
Attempt 2
curl -X POST 'https://domain/api/graphql' \
--header 'Proxy-Authorization: Bearer <IAP token>' \
--header 'Authorization: Bearer <my personal access token>' \
--header 'X-DataHub-Actor: urn:li:corpuser:<target account>' \
--header 'Content-Type: application/json' \
--data-raw '{ "query":"mutation { createAccessToken(input: { type: PERSONAL, actorUrn: \"urn:li:corpuser:<target account>\", duration: ONE_HOUR, name: \"my personal token\" } ) { accessToken metadata { id name description} } }", "variables":{}}'
b
The token for the target account is created in your list of tokens. That is what you want, no?
If you use pyjwt to inspect it, it will show the user in the payload.
t
I was expecting it to nominally appear under the target’s account, but if this identifies correctly as the target user in the logs, then I think we can work with it.
b
Nah, it will show up as a token that you created, and you'll have to pass the token to him somehow. You can revoke on his behalf, though.
t
We use GCP, so we can securely share the key to their service account via Secret Manager.
In this case, we will probably create a “key admin” account in DataHub to manage all the issued keys.
Thanks for your help.