Tokens in LogScale

LogScale supports a variety of different tokens that are used to provide API access to the different components of the system. Tokens use a randomly generated sequence of characters that identify the authority of a system or service to use a particular aspect of the LogScale instance.

Performing different actions, particularly through the API, is controlled through the API token and it is a combination of the type of API token, and the individual permissions granted to it, that allow or restrict access.

For example, to perform Organization level administration an Organization API token must be used. Having an Ingest Token or Repository API Token does not grant privileges to manage the organization. Conversely, data cannot be read or accessed using an Organization API Token, as these are only for managing your LogScale installation.

The basic model for the API Tokens and security architecture is shown in Figure 39, “API Token Architecture in LogScale”.

%%{init: {"flowchart": {"defaultRenderer": "elk"}} }%% graph LR; PT[Personal Token] IT[Ingest Token] subgraph Management Tokens RT[Repo Token] ST[System Token] OT[Organization Token] end subgraph Permissions SP[System Permission] OP[Organization Permission] RP[Repo Permissions] end subgraph Resource RR[Repository] RO[Organization] RC[Cluster] end subgraph Roles RlR[Repository] RlO[Organization] RlC[Cluster] end PT-->Roles SP<-->RlC RP<-->RlR OP<-->RlO RR<-->RP RO<-->OP RC<-->SP IT--Ingestion Only-->RR RT-->RR PT-->RR ST-->RC OT-->RO

Figure 39. API Token Architecture in LogScale

Below is a list of the different types of Token used within LogScale:

  • Ingest Token

    Ingest tokens are long-living token strings that you can use to set up your ingestion pipeline in Falcon LogScale Collector or other log shippers. Ingest tokens are used to identify the repository, parser and authority to send data for ingestion into LogScale. They do not allow access to the API or to query data stored in repositories.

    For more information, see Ingest Tokens.

  • Personal API Token

    Used to access the APIs within LogScale, Personal API tokens inherit the permissions of their user based on the user role. For example, if a user has a role with system permissions then they will be able to perform system operations for permissions that role has been given.

  • System API Token

    System API tokens grant cluster administration permissions and the most dangerous actions, for example changing feature flags or changing usernames. They do not provide access to an organization or to the data stored in any repository.

  • Organization API Token

    Organization level tokens allow management and configuration to systems within within an organization, including creating users and repositories, but do not allow access to data.

  • Repository and View API Token

    API tokens at the repository and view level enable API-level access for reading data, managing the repository, packages, triggers and integrations. A Repository and view API token is strictly limited to accessing or managing only the Repository or View that the token was created for. You cannot use the same Repository and view API token to access the data from multiple repositories. API tokens are limited to a single view within the UI but can be created through the GraphQL API to cover multiple views and repositories.

Table: Token Comparison

Use Case Ingest Tokens Personal API Token System API Token Organization API Token Repository Token
Allows Ingesting Data Yes Yes Yes Yes No
Ingest Target Specific Repository Any repository the user has permissions to access Any Any N/A
Query/Read Data No Yes, for any repository the user has access to No No Yes, each token is specific to a single repository or view
Create API Tokens No No Yes Yes No

Each API token, with the exception of Ingest and Personal API tokens, has the following parameters:

  • API Token name

    The name of the token used to identify the token.

  • API Token domain

    There are specific API tokens for different areas of LogScale functionality, including system-level administration, organization level administration, views and repositories.

  • Permissions

    Depending on the domain, API tokens will have one or more permissions which can be explicitly granted. These only apply to the generated API token, and limit the ability of the token to that functionality. For more information on permissions, see Repository & View Permissions.

  • IP Filter

    An IP filter can be applied to limit incoming connections to specific IP addresses or networks. For more information, see IP Filters.

  • Expiry

    A token can be configured to automatically expire on a set time and date.

API tokens are governed by Security Policies.