It says the hardware sync may leak the admin API token.
Is it possible to implement JWT? So a machine-slug (machine-id) specific key will be generated and can only be used to manipulate specific API (update machine hardware info).
Hi @maasuser1
That sentence might be a bit misleading. Currently, each machine has its own API key.
MAAS hardware sync may leak the MAAS admin API token.
When hardware sync was introduced, we accidentally included the admin API key in a template generated for each machine. This issue was fixed in version 3.2.7. If you are interested in the fix, here is the corresponding commit.
Thank you for the explanation!
This topic was automatically closed 2 days after the last reply. New replies are no longer allowed.