Summary
Processing service API key generation and revocation should be gated by object-level permissions rather than the current is_staff check. Currently any staff user can rotate the API key for any processing service in any project.
Current state
- ProcessingServiceViewSet uses IsActiveStaffOrReadOnly — any staff user can create PS, generate keys, etc.
- No object-level (guardian) permission checks on ProcessingService
- API key generation (generate_key action) has no project-scoping
Proposed changes
Once #1110 lands (model-level permissions framework), add:
- A new permission: manage_apikey_processingservice — "Can generate and revoke API keys for a processing service"
- Add it to the appropriate role(s) in the permissions framework (e.g., project managers/admins)
- Gate generate_key and a new revoke_key endpoint behind this permission
- Ensure the permission check is project-scoped — the user must have the permission on at least one project the PS belongs to
Context
- Processing services authenticate with Antenna using API keys (added in the API key auth feature branch)
- Key rotation revokes all existing keys, so it's a destructive operation that affects running workers
- A revoke_key endpoint should also be added (currently revocation is admin-only)
Depends on
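
The difference between the current staff-only gate and the proposed project-scoped gate, as an added example that is not Antenna's code and is not part of the original issue. It models guardian object permissions with an in-memory dict; the `User` and `ProcessingService` classes and the function names `staff_only` and `project_scoped` are hypothetical stand-ins, and only the codename `manage_apikey_processingservice` and the action names come from the issue.

```python
import hashlib
import secrets
from dataclasses import dataclass, field

MANAGE_APIKEY = "manage_apikey_processingservice"  # codename proposed in the issue

@dataclass
class User:  # hypothetical stand-in for the Django user
    name: str
    is_staff: bool = False
    # project id -> codenames held on that project (stand-in for guardian object perms)
    project_perms: dict = field(default_factory=dict)

@dataclass
class ProcessingService:  # hypothetical stand-in for the model
    name: str
    project_ids: set
    key_hashes: set = field(default_factory=set)  # only hashes of active keys are kept

def staff_only(user, service):
    """Current gate described in the issue: is_staff, with no project scoping."""
    return user.is_staff

def project_scoped(user, service):
    """Proposed gate: the permission on at least one project the service belongs to."""
    return any(MANAGE_APIKEY in user.project_perms.get(pid, ()) for pid in service.project_ids)

def revoke_key(user, service, gate=project_scoped):
    """Revoke every active key; returns how many were revoked."""
    if not gate(user, service):
        raise PermissionError(f"{user.name} lacks {MANAGE_APIKEY} on {service.name}")
    revoked = len(service.key_hashes)
    service.key_hashes.clear()
    return revoked

def generate_key(user, service, gate=project_scoped):
    """Rotate: revoke all existing keys, then issue one new key (shown once)."""
    revoke_key(user, service, gate)  # authorization happens before any state change
    key = secrets.token_urlsafe(32)
    service.key_hashes.add(hashlib.sha256(key.encode()).hexdigest())
    return key

if __name__ == "__main__":
    # Constructed sample: a service in project 2, a staff user whose role is on project 1.
    svc = ProcessingService("detector", {2})
    staff = User("staff-a", is_staff=True, project_perms={1: {MANAGE_APIKEY}})
    print("current gate:", staff_only(staff, svc), "proposed gate:", project_scoped(staff, svc))
```

Whether staff or superusers should bypass the project-scoped gate is not stated in the issue, so this sketch grants no bypass.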