Tokens in LogScale

LogScale supports a variety of different tokens that are used to provide API access to the different components of the system. Tokens use a randomly generated sequence of characters that identify the authority of a system or service to use a particular aspect of the LogScale instance.

Actions, particularly those performed through the API, are controlled by the API token. The combination of the type of API token and the individual permissions granted to it allows or restricts access.

For example, to perform Organization level administration an Organization API token must be used. Having an Ingest Token or Repository API Token does not grant privileges to manage the organization. Conversely, data cannot be read or accessed using an Organization API Token, as these are only for managing your LogScale installation.

The basic model for the API Tokens and security architecture is shown in Figure 39, “API Token Architecture in LogScale”.

%%{init: {"flowchart": {"defaultRenderer": "elk"}} }%%
graph LR;
  PT[Personal Token]
  IT[Ingest Token]
  subgraph Management Tokens
    RT[Repo Token]
    ST[System Token]
    OT[Organization Token]
  end
  subgraph Permissions
    SP[System Permission]
    OP[Organization Permission]
    RP[Repo Permissions]
  end
  subgraph Resource
    RR[Repository]
    RO[Organization]
    RC[Cluster]
  end
  subgraph Roles
    RlR[Repository]
    RlO[Organization]
    RlC[Cluster]
  end
  PT-->Roles
  SP<-->RlC
  RP<-->RlR
  OP<-->RlO
  RR<-->RP
  RO<-->OP
  RC<-->SP
  IT--Ingestion Only-->RR
  RT-->RR
  PT-->RR
  ST-->RC
  OT-->RO

Figure 39. API Token Architecture in LogScale


Listed below are the different types of token used within LogScale:

  • Ingest Token

    tokenType type ingest

    Ingest tokens are long-lived token strings that you can use to set up your ingestion pipeline in Falcon LogScale Collector or other log shippers. Ingest tokens are used to identify the repository, parser and authority to send data for ingestion into LogScale. They do not allow access to the API or to query data stored in repositories.

    For more information, see Ingest Tokens.

  • Personal API Token

    tokenType type user

    Used to access the APIs within LogScale, Personal API tokens inherit the permissions of their user based on the user role. For example, if a user has a role with system permissions, then their token can perform the system operations covered by the permissions that role has been given.

  • System API Token

    tokenType type system

    System API tokens grant cluster administration permissions, which cover the most dangerous actions, for example changing feature flags or changing usernames. They do not provide access to an organization or to the data stored in any repository.

  • Ephemeral User Token

    tokenType type ephemeralUserToken

    The ephemeralUserToken is used when running a query or operation using an Organization Owned Query.

  • Organization API Token

    tokenType type organization

    Organization level tokens allow management and configuration of systems within an organization, including creating users and repositories, but do not allow access to data.

  • Repository and View API Token

    tokenType type repository

    API tokens at the repository and view level enable API-level access for reading data and for managing the repository, packages, triggers and integrations. A Repository and View API token is strictly limited to accessing or managing only the repository or view that the token was created for. You cannot use the same Repository and View API token to access the data from multiple repositories. Tokens created within the UI are limited to a single view, but tokens created through the GraphQL API can cover multiple views and repositories.

Table: Token Comparison

| Use Case | Ingest Tokens | Personal API Token | System API Token | Organization API Token | Repository Token |
|---|---|---|---|---|---|
| Allows Ingesting Data | Yes | Yes | Yes | Yes | No |
| Ingest Target | Specific Repository | Any repository the user has permissions to access | Any | Any | N/A |
| Query/Read Data | No | Yes, for any repository the user has access to | No | No | Yes, each token is specific to a single repository or view |
| Create API Tokens | No | No | Yes | Yes | No |

Each API token, with the exception of Ingest and Personal API tokens, has the following parameters:

  • API Token name

    The name used to identify the token.

  • API Token domain

    There are specific API tokens for different areas of LogScale functionality, including system-level administration, organization level administration, views and repositories.

  • Permissions

    Depending on the domain, API tokens will have one or more permissions which can be explicitly granted. These only apply to the generated API token, and limit the ability of the token to that functionality. For more information on permissions, see Repository & View Permissions.

  • IP Filter

    An IP filter can be applied to limit incoming connections to specific IP addresses or networks. For more information, see IP Filters.

  • Expiry

    A token can be configured to expire automatically at a set time and date.

API tokens are governed by Security Policies.
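
As an added example (not part of the LogScale documentation or product), the following Python code applies the Token Comparison table and the IP filter and expiry parameters described above to audit a token inventory for over-privileged or unbounded tokens. The record schema (the purpose, ipFilter and expiry fields) and the sample inventory are assumptions constructed for illustration; only the tokenType values come from this page.

```python
from datetime import datetime, timezone

# Token Comparison table rows, keyed by tokenType; only its use cases are modelled.
CAPABILITIES = {
    "ingest": {"ingest"},
    "user": {"ingest", "query"},
    "system": {"ingest", "create_tokens"},
    "organization": {"ingest", "create_tokens"},
    "repository": {"query"},
}
# Types that carry an IP filter and expiry (all but ingest and personal).
MANAGED_TYPES = {"system", "organization", "repository"}

def least_privileged_types(needed):
    """Token types covering `needed` with the fewest capabilities overall."""
    fits = {t: c for t, c in CAPABILITIES.items() if needed <= c}
    smallest = min(map(len, fits.values()), default=0)
    return sorted(t for t, c in fits.items() if len(c) == smallest)

def audit_token(token, now):
    """Findings for one record; the record schema is hypothetical."""
    findings = []
    kind, needed = token["tokenType"], set(token["purpose"])
    if not needed <= CAPABILITIES[kind]:
        findings.append(f"{kind} token cannot: {sorted(needed - CAPABILITIES[kind])}")
    elif kind not in least_privileged_types(needed):
        findings.append(f"over-privileged; use {least_privileged_types(needed)}")
    if kind in MANAGED_TYPES:
        if not token.get("ipFilter"):
            findings.append("no IP filter")
        expiry = token.get("expiry")
        if expiry is None:
            findings.append("no expiry")
        elif datetime.fromisoformat(expiry) <= now:
            findings.append("expired")
    return findings

# Constructed inventory for illustration, not real LogScale output.
INVENTORY = [
    {"name": "shipper-prod", "tokenType": "organization", "purpose": ["ingest"]},
    {"name": "dash-reader", "tokenType": "repository", "purpose": ["query"],
     "ipFilter": "10.0.0.0/8", "expiry": "2030-01-01T00:00:00+00:00"},
    {"name": "collector", "tokenType": "ingest", "purpose": ["query"]},
]

if __name__ == "__main__":
    for tok in INVENTORY:
        print(tok["name"], audit_token(tok, datetime.now(timezone.utc)) or "ok")
```

The capability matrix does not distinguish cluster scope from organization scope, so System and Organization tokens rank equally for token creation; choose between them by the resource being managed.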