
Unable to opt-out of DataExport token scope #3531

Open
fradaschin opened this issue Jul 24, 2024 · 6 comments

Comments

@fradaschin

Is your feature request related to a problem? Please describe.
Our customers are trying to update the Dynatrace-operator and they are receiving the following message:
token 'apiToken' is missing the following scopes: [ DataExport ]

We are a Service Provider for Dynatrace and cannot hand over tokens with all the permissions specified in the official public documentation.

One of our colleagues proposed PR #670 a while ago, but we see that in the latest version of the code this was reverted/removed.

Describe the solution you'd like
Is there any possibility to add this back?

@chrismuellner
Collaborator

This token scope is now always required since the feature flag to disable host requests was removed with v1.0.0.

We're working on additional changes to make these scopes no longer needed in the future, but we don't have an ETA at this time.

@fradaschin
Author

Hi @chrismuellner,

Thank you very much for your reply.

@chrismuellner chrismuellner changed the title Missing functionality added in the past Unable to opt-out of DataExport token scope Aug 26, 2024
@ernstvonoelsen
Contributor

Hi @chrismuellner

I'd like to return to this topic, since I think I figured out a feasible path to a least-privilege approach:

we currently have to provide an apiToken to all of our users with the following permissions:

  • PaaS - Installer (Installer download)
  • Access problem and event feed, metrics, and topology (API v1 - DataExport)
  • Read settings (API v2 - settings.read)
  • Write settings (API v2 - settings.write)
  • Read entities (API v2 - entities.read)

Lacking the officially required Create ActiveGate token (API v2 - activeGateTokenManagement.create) permission is actually not an issue as long as no activeGate section is provided in the dynakube.yaml file.

Checking from the source code which endpoints are predefined, I find the following inside pkg/clients/dynatrace/endpoints.go:

  • /v1/deployment
  • /v1/events
  • /v1/entity/infrastructure/hosts

Apart from /v1/deployment, all of those endpoints are marked as deprecated, and all of them have a replacement on the /api/v2/ side; the replacements furthermore support the usage of Personal Access Tokens.

This yields the idea to implement the following changes:
Replace all /v1/ endpoint calls (except for /v1/deployment/) with their /v2/ counterparts (including the processing of the response, of course).
Those changes in place, we would be able to provide our users with a paasToken only, and the apiToken can be provided by them using a PAT.

This approach automatically limits the entities.read, settings.read and settings.write operations to the personal scope of the PAT owner.

In case that this approach looks promising to you, I would be more than happy to provide a feature PR.

@chrismuellner
Collaborator

We've deprecated the "Mark for termination" event with v1.4.0 (release notes) and will remove it in a future release of the Operator. Since OneAgent 301 the shutdown information is sent directly by the host agent (release notes).

When the Operator no longer sends this event the following token scopes and endpoints will no longer be used:

  • Access problem and event feed, metrics, and topology (API v1 - DataExport)
    • /v1/events
    • /v1/entity/infrastructure/hosts
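The two comments above describe a conditional scope requirement: DataExport is needed only while the Operator still sends the host events, and activeGateTokenManagement.create only when an activeGate section is configured. The following Go program is an added example, not code from the dynatrace-operator project, that models that least-privilege check and reproduces the "missing the following scopes" message quoted at the top of the issue. The DynaKubeFeatures struct is a hypothetical, reduced stand-in for dynakube.yaml, the feature-to-scope mapping is this example's own simplification of the thread, and the scope string "InstallerDownload" for the PaaS installer scope is assumed; the other scope strings are the ones named in the thread.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// Token scope identifiers discussed in the thread. "InstallerDownload" is an
// assumed identifier for the "PaaS - Installer" scope; the rest are quoted there.
const (
	ScopeInstallerDownload = "InstallerDownload"
	ScopeDataExport        = "DataExport"
	ScopeSettingsRead      = "settings.read"
	ScopeSettingsWrite     = "settings.write"
	ScopeEntitiesRead      = "entities.read"
	ScopeActiveGateToken   = "activeGateTokenManagement.create"
)

// DynaKubeFeatures is a hypothetical, reduced view of a dynakube.yaml:
// only the two knobs the thread ties to optional scopes.
type DynaKubeFeatures struct {
	ActiveGateConfigured bool // an activeGate section is present
	SendHostEvents       bool // the Operator still sends /v1/events (mark-for-termination)
}

// RequiredScopes derives the minimal scope set for a feature selection
// (simplified mapping for illustration, not the Operator's own rules).
func RequiredScopes(f DynaKubeFeatures) []string {
	required := []string{ScopeInstallerDownload, ScopeSettingsRead, ScopeSettingsWrite, ScopeEntitiesRead}
	if f.SendHostEvents {
		required = append(required, ScopeDataExport)
	}
	if f.ActiveGateConfigured {
		required = append(required, ScopeActiveGateToken)
	}
	sort.Strings(required)
	return required
}

// MissingScopes returns the required scopes the token does not carry,
// preserving the (sorted) order of the required list.
func MissingScopes(required, granted []string) []string {
	have := make(map[string]bool, len(granted))
	for _, s := range granted {
		have[s] = true
	}
	var missing []string
	for _, s := range required {
		if !have[s] {
			missing = append(missing, s)
		}
	}
	return missing
}

// FormatMissing renders the Operator-style message quoted in the issue;
// an empty string means the token is sufficient for the selected features.
func FormatMissing(tokenName string, missing []string) string {
	if len(missing) == 0 {
		return ""
	}
	return fmt.Sprintf("token '%s' is missing the following scopes: [ %s ]",
		tokenName, strings.Join(missing, ", "))
}

func main() {
	// Constructed sample: a provider-issued apiToken without DataExport.
	granted := []string{ScopeInstallerDownload, ScopeSettingsRead, ScopeSettingsWrite, ScopeEntitiesRead}
	for _, f := range []DynaKubeFeatures{
		{SendHostEvents: true},  // current behaviour: host events still sent
		{SendHostEvents: false}, // after the mark-for-termination event is removed
	} {
		msg := FormatMissing("apiToken", MissingScopes(RequiredScopes(f), granted))
		if msg == "" {
			msg = "token is sufficient"
		}
		fmt.Printf("%+v -> %s\n", f, msg)
	}
}
```

With SendHostEvents set, the sample token yields exactly the message the customers reported; with it cleared, the same token passes, which is the state the thread anticipates once the event is removed.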

@ernstvonoelsen
Contributor

Thank you for this update @chrismuellner .

@wb-ts

wb-ts commented Jan 27, 2025

I have the same issue and would like to get it solved correctly.


4 participants