Cannot create admin-level AuthTokens and general clunkiness

[vaizki]

When using the API to create new Aliases (to automatically add/remove Kubernetes Pods with sip-ports in the alias table), I discovered that you cannot from the GUI create an AuthToken that has admin privileges to do so.

When an AuthToken is created, it includes a dummy user object which is used in place of a real user object for API access. This user object is always the AgentObjectforAuthToken defined in the schema as:

var AgentObjectforAuthToken = json.RawMessage(`{
   "username": "test",
   "firstname": "Tester",
   "lastname": "Tester",
   "email": "[email protected]",
   "usergroup": "user",
   "id": 1000,
   "partid": 10
  }`)

.. which seems a bit hack-ish. Especially since the usergroup is fixed to user and the only way to change it was to go and manually UPDATE the whole JSON in the DB.

Two proposals:

1. patch it, allowing setting of usergroup (and editing?) in the included dummy user object (and change all the "Tester" stuff to "API" ..); OR
2. rewrite it, allowing creation of API-only users (can't login) and instead of embedding the user object into the AuthToken just have the token point to the real API-only user.

Of course I would prefer option 2 as it would also allow setting of any user properties with the normal editor and not having to special-case every attribute that needs changing.

[adubovikov]

I think the first way is more flexible, but more dangerous from security view. Another proposal, can we put this like a settings to the homer-app application and replace it ? Similar like: "token-user", "token-group", or just add the full object inside ?