Tokens in LogScale
LogScale supports a variety of different tokens that are used to provide API access to the different components of the system. Tokens use a randomly generated sequence of characters that identify the authority of a system or service to use a particular aspect of the LogScale instance.
Performing different actions, particularly through the API, is controlled through the API token and it is a combination of the type of API token, and the individual permissions granted to it, that allow or restrict access.
For example, to perform Organization level administration an Organization API token must be used. Having an Ingest Token or Repository API Token does not grant privileges to manage the organization. Conversely, data cannot be read or accessed using an Organization API Token, as these are only for managing your LogScale installation.
The basic model for the API Tokens and security architecture is shown in Figure 45, “API Token Architecture in LogScale”.
Figure 45. API Token Architecture in LogScale
Listed below are the different types of token used within LogScale:
tokenType type
ingest
Ingest tokens are long-living token strings that you can use to set up your ingestion pipeline in Falcon LogScale Collector or other log shippers. Ingest tokens are used to identify the repository, parser and authority to send data for ingestion into LogScale. They do not allow access to the API or to query data stored in repositories.
For more information, see Ingest Tokens.
Personal API Token
tokenType type user
Used to access the APIs within LogScale, Personal API tokens inherit the permissions of their user based on the user role. For example, if a user has a role with system permissions then they will be able to perform system operations for permissions that role has been given.
tokenType type system
System API tokens grant cluster administration permissions and the most dangerous actions, for example changing feature flags or changing usernames. They do not provide access to an organization or to the data stored in any repository.
Ephemeral User Token
tokenType type ephemeralUserToken
The ephermalUserToken is used when running a query or operation using an Organization Owned Query.
tokenType type organization
Organization level tokens allow management and configuration to systems within within an organization, including creating users and repositories, but do not allow access to data.
tokenType type repository
API tokens at the repository and view level enable API-level access for reading data, managing the repository, packages, triggers and integrations. A Repository and view API token is strictly limited to accessing or managing only the Repository or View that the token was created for. You cannot use the same Repository and view API token to access the data from multiple repositories. API tokens are limited to a single view within the UI but can be created through the GraphQL API to cover multiple views and repositories.
Table: Token Comparison
Use Case | Ingest Tokens | Personal API Token | System API Token | Organization API Token | Repository Token |
---|---|---|---|---|---|
Allows Ingesting Data | Yes | Yes | Yes | Yes | No |
Ingest Target | Specific Repository | Any repository the user has permissions to access | Any | Any | N/A |
Query/Read Data | No | Yes, for any repository the user has access to | No | No | Yes, each token is specific to a single repository or view |
Create API Tokens | No | No | Yes | Yes | No |
Each API token, with the exception of Ingest and Personal API tokens, has the following parameters:
API Token name
The name of the token used to identify the token.
API Token domain
There are specific API tokens for different areas of LogScale functionality, including system-level administration, organization level administration, views and repositories.
Permissions
Depending on the domain, API tokens will have one or more permissions which can be explicitly granted. These only apply to the generated API token, and limit the ability of the token to that functionality. For more information on permissions, see Repository & View Permissions.
IP Filter
An IP filter can be applied to limit incoming connections to specific IP addresses or networks. For more information, see IP Filters.
Expiry
A token can be configured to automatically expire on a set time and date.
API tokens are governed by Security Policies.