Authorization tokens¶
Authorization tokens can be created by users and administrators to provide fine-grained access control to resources (channels) or scopes when using the API or CLI. These tokens can be used in place of username-based authentication, particularly for third-party applications or automation tools.
This topic provides guidance on the following actions:
- Understanding tokens
- Understanding scopes
- Listing the available authorization scopes
- Listing the user authorization tokens
- Create a new user authorization token
- Removing a user authorization token
Understanding tokens¶
Scope-based¶
Scope-based tokens give the token holder permission to take specific actions. It is possible to create private tokens with a specific set of scopes.
Resource-based¶
Resource-based tokens provide access to specific resources. Channel group permissions granted by the token will determine what actions the user is allowed to take.
Understanding scopes¶
In our model, scopes are represented as a concatenated string, like so:
Resource:Action
Note
Some features in the table below may contain “(by user with manage permissions)”, like in the feature associated with channel:edit in the third row down, for example. This means the token has a role with a corresponding permission level (in this case, manage) for a specific resource (in this case, channel).
| Resource | Action | Scope (Resource + Action) | Feature | Default Roles |
|---|---|---|---|---|
| channel | create | channel:create | Create a channel (at least by authenticated user) | author, admin |
| view | channel:view | View a channel (public) | everyone, author, admin | |
| edit | channel:edit | Edit a channel information (by user with manage permissions) | admin | |
| delete | channel:delete | Delete a channel (by user with manage permission) | admin | |
| history | channel:history | See channel history (by user with manage permissions) | admin | |
| view-artifacts | channel:view-artifacts | View channel artifacts (public) | everyone, author, admin | |
| channel.default-channel | edit | channel.default-channel:edit | Edit default channel (user with manage permissions) | admin |
| channel.group | edit | channel.group:edit | Edit channel group (user with manage permissions) | admin |
| channel.mirror | view | channel.mirror:view | View channel mirror configuration | admin-only |
| edit | channel.mirror:edit | Edit channel mirror configuration | admin-only | |
| subchannel | create | subchannel:create | Create subchannel (user with write permission) to the parent channel | admin |
| view | subchannel:view | View subchannel (public) | everyone, author, admin | |
| edit | subchannel:edit | Edit subchannel information (user with manage permission) | admin | |
| delete | subchannel:delete | Edit subchannel information (user with manage permission) | admin | |
| history | subchannel:history | View subchannel history (user with manage permission) | admin | |
| view-artifacts | subchannel:view-artifacts | View subchannel artifacts (public) | everyone, author, admin | |
| subchannel.group | edit | subchannel.group:edit | View subchannel groups (user with manage permissions) | admin* |
| subchannel.mirror | view | subchannel.mirror:view | View subchannel mirror configuration | admin-only |
| edit | subchannel.mirror:edit | Edit subchannel mirror configuration | admin-only | |
| artifact | create | artifact:create | Upload artifact (user with write permission to parent resource which is channel or subchannel) | author, admin |
| view | artifact:view | View artifact (public) | everyone author, admin | |
| edit | artifact:edit | Edit artifact (user with manage permission to parent resource) | author, admin | |
| download | artifact:download | Download artifact (public) | everyone author, admin | |
| delete | artifact:delete | Delete artifact (user with manage permission to parent resource) | author, admin | |
| cve | view | cve:view | View CVE | admin-only |
| role | view | role:view | View custom roles | admin-only |
| edit | role:edit | Edit custom roles | admin-only | |
| system.license | view, edit | system.license:view system.license:edit | View / Edit licenses | |
| system.blobs ? | delete | system.blobs:delete | Delete orphan blobs | |
| system | View system history | |||
| system | View system stats |
Italicized items in table are under development.
Listing the available authorization scopes¶
Via the API:¶
GET /api/system/tokens
Via the CLI:¶
conda repo auth --list-scopes
Listing the user authorization tokens¶
Via the API:¶
GET /api/account/token
Via the CLI:¶
conda repo auth --list