AFAIK you can use the API w/o any auth for non-security-related access, aka read-only and non-sensitive. To access the sensitive info and to edit something (e.g. disable filtering) you need to use the API key. But there is only one API key.
In case of a security breach you need to reset the key and alter all of the places where it was used. You cannot easily tell which instance was compromised or which instance went nuts via the API key.
The following changes will enhance this:
multiple API keys
detailed rights management for API keys (access to specific commands: deny, ro, rw)
option to disable public API access
jfb
May 18, 2021, 2:27pm
This is a hash of the password you have set for the Pi-hole admin interface. There is one password, thus one key.
How many instances/applications are using your API key?
Perhaps I don't fully understand your feature request.
OK, that's simple.
Currently I do use two apps on Android. In the future I do consider creating a toggle switch in my home automation (openHAB).
I fully understand that this request is not #1 prio, but you might consider it in the future. Maybe when a rewrite of that section occurs.
Yes, we'll keep this in mind. Thanks!
Coro
May 19, 2021, 12:18pm
Pi-hole v6.0 is rewriting the API from scratch. However, a role-management system will surely make things a lot more complicated.
Your request is to
allow multiple passwords with different powers
allow fine-grained permissions for each of these passwords
allow to disable API access at all without password
right?
Coro:
Your request is to
allow multiple passwords with different powers
allow fine-grained permissions for each of these passwords
allow to disable API access at all without password
right?
If the API keys are still a hash of a password, then you are right.
I guess in the end it boils down to
I think it would be nice to allow granted access to the admin page for multiple users on the network to log in and have access to granted features. Obviously I do not want to just give everyone an account, but having multiple admin accounts and maybe guest accounts with view only access to the stats only or something. Mainly I would like more admin users so I can add my roommate to the admin console so he can block specific things from his kids.
If the API keys are still a hash of a password, then you are right too.
system
Closed
November 18, 2021, 10:26am
This topic was automatically closed 180 days after the last reply. New replies are no longer allowed.