Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[DEPR]: EDX_API_KEY #34039

Open
robrap opened this issue Jan 10, 2024 · 1 comment
Open

[DEPR]: EDX_API_KEY #34039

robrap opened this issue Jan 10, 2024 · 1 comment
Labels
depr Proposal for deprecation & removal per OEP-21

Comments

@robrap
Copy link
Contributor

robrap commented Jan 10, 2024

Proposal Date

2024-01-10

Target Ticket Acceptance Date

2024-01-24

Earliest Open edX Named Release Without This Functionality

Redwood - 2024-04

Rationale

Historical context:

  • In 2016-Oct, some security concerns were noted about this key. Specifically, that this symmetric shared secret, which is a pattern we wish to move away from. Related, it is difficult to rotate.
  • Class ApiKeyHeaderPermission was marked deprecated in 2020-Feb.
    • This was done as part of a larger PR, and doesn't have any useful comments.
    • It does add some observability for usage.
  • The ticket https://openedx.atlassian.net/browse/ARCHBOM-1077 from 2022-Mar was to "Deprecate and remove ApiKeyHeaderPermission". This was closed without finishing simply due to it not bubbling up in priority.
    • This decision does not seem to be mentioned outside of these tickets, which were meant to document this.

Removal

To be removed:

Replacement

From ARCHBOM-1077:

The preferred way of granting this type of permission is by using the OAuth2 client credentials grant <https://tools.ietf.org/html/rfc6749#section-4.4>__. The ecommerce-worker would be granted the permissions of a user allowed to enroll any other user in any course.

The newer OEP-66: User Authorization could also be referenced.

Deprecation

No plans, but we could add additional comments to the shared classes.

Migration

TBD

Additional Info

Additional notes from the closed/unfinished ticket (ARCHBOM-1077):

  • In one particular case, the ecommerce-worker application needs the permissions to be able to enroll any user in any course and to modify course pricing metadata by hitting both the "enrollment" and "commerce" LMS APIs. This privileged permission is granted via an API key header, where the API key is essentially a shared secret between the LMS and the worker. The permission is granted outside the context of any particular user.
  • The forums IDA <https://github.com/edx/cs_comments_service>__ also use the API key header. The actual header name is: X-Edx-Api-Key.
@github-actions github-actions bot added the depr Proposal for deprecation & removal per OEP-21 label Jan 10, 2024
@robrap robrap moved this from Proposed to Communicated in DEPR: Deprecation & Removal Jan 10, 2024
@robrap
Copy link
Contributor Author

robrap commented Jan 11, 2024

Note: Once accepted, a quick win would be if someone wants to add a comment to all the utility classes with a docstring comment like:

Deprecated: See DEPR for details:
https://github.com/openedx/edx-platform/issues/34039

@asadali145 asadali145 mentioned this issue Jan 22, 2024
Closed
2 tasks
This was referenced Feb 14, 2024
Closed
Closed
@dianakhuang dianakhuang moved this from Communicated to Proposed in DEPR: Deprecation & Removal Apr 4, 2024
This was referenced May 14, 2024
Merged
Merged
@mudassir-hafeez mudassir-hafeez mentioned this issue May 21, 2024
Merged
2 tasks
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
depr Proposal for deprecation & removal per OEP-21
Projects
DEPR: Deprecation & Removal
Status: Proposed
Milestone
No milestone
Development

No branches or pull requests
1 participant
@robrap