Authentication keys for Collection Zone API clients
A Collection Zone API client is any customized application or integration that uses the Collection Zone API to update a Collection Zone. Users with the Key Creator role or a more privileged role create authentication keys for Collection Zone API clients. (Zenoss Cloud collectors use a different authentication system.)
Users create keys on their Account Settings page.
When an individual creates keys for Collection Zone API clients, the user and key metadata are also displayed on the ADMIN > API Clients page.
Once created, keys cannot be retrieved. If a key is lost, the only recourse is to delete it and generate a new one.
Keys for Collection Zone API clients grant only the permissions of the creating user's Collection Zone roles. For example, if a user has the ZenOperator role, Zenoss Cloud enforces ZenOperator permissions on all clients that present the user's key.
If a user's roles change, the permissions associated with the key change as well, after a delay.
The name of the user who created a key is included in audit logs when Collection Zone API clients update a Collection Zone.
Keys are not revoked when the Key Creator role is withdrawn. Keys must be revoked (deleted) manually. That is, if a user has the Key Creator role and creates keys, and then the role is taken away, the keys remain valid.
Users can always delete the keys they create.
- Users delete the keys they create from their Account Settings page.
- Users with the Key Administrator role or the Manager role can delete any key on the ADMIN > API Clients page.
- When a key is deleted, clients using the key are denied access within 60 seconds.
When a user account is removed, application clients using keys created by the user are denied access.
- If the user account is managed by the native identity management feature, access is denied within 60 seconds.
- If the user account is managed by an external identity manager such as LDAP, access is denied within 10 hours.
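The revocation rules above can be turned into a periodic audit: the following added example (not Zenoss code) flags keys that stay valid after their creator lost the Key Creator role and computes how long a client may still be accepted after a key deletion or account removal. The record fields, the sample data, and the set of roles treated as "Key Creator or more privileged" are assumptions; the inventory would be transcribed from the ADMIN > API Clients page.

```python
from datetime import datetime, timedelta, timezone

# Revocation delays as stated on this page.
KEY_DELETED = timedelta(seconds=60)
USER_REMOVED = {"native": timedelta(seconds=60),  # native identity management
                "external": timedelta(hours=10)}  # external manager such as LDAP
# Assumption: these roles count as "Key Creator or a more privileged role".
KEY_ROLES = {"Key Creator", "Key Administrator", "Manager"}


def access_cutoff(event, when, identity="native"):
    """Latest time a client presenting the key may still be accepted."""
    if event == "key_deleted":
        return when + KEY_DELETED
    if event == "user_removed":
        return when + USER_REMOVED[identity]
    raise ValueError(f"unknown revocation event: {event!r}")


def orphaned_keys(keys, users):
    """Keys that remain valid although their creator can no longer create keys."""
    findings = []
    for key in keys:
        user = users.get(key["creator"])
        if user is None:
            continue  # account removed: access is denied without manual action
        if not set(user["roles"]) & KEY_ROLES:
            findings.append(key["id"])  # must be deleted manually
    return findings


# Constructed sample inventory (hypothetical field names, not an export format).
USERS = {
    "alice": {"roles": ["Key Creator", "ZenOperator"], "identity": "native"},
    "bob": {"roles": ["ZenOperator"], "identity": "external"},  # role withdrawn
}
KEYS = [
    {"id": "key-1", "creator": "alice", "description": "ticketing integration"},
    {"id": "key-2", "creator": "bob", "description": "legacy importer"},
]

if __name__ == "__main__":
    for key_id in orphaned_keys(KEYS, USERS):
        print(f"{key_id}: creator lacks a key-creating role; delete manually")
    removed = datetime(2024, 1, 1, 9, 0, tzinfo=timezone.utc)  # constructed time
    print("review logs until", access_cutoff("user_removed", removed, "external"))
```

When reviewing audit logs after a revocation, extend the review window to the cutoff returned by `access_cutoff`, because updates made with the key can still succeed until then.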
Use this procedure to create Zenoss Cloud authentication keys for Collection Zone API clients. To perform it, your account must have the Key Creator role or a more privileged role.
- In Zenoss Cloud, click on your user name, in the upper-right corner of the screen.
- Click Account Settings, and then click Collection Zone API Keys.
- Click ADD KEY.
- (Optional) Provide a description for the key.
- Click GENERATE KEY.
  Zenoss Cloud prompts you to confirm your credentials, and then generates a key.
- When the key appears, copy it, and then save the key in a secure storage location or service.
API keys cannot be retrieved. If a key is lost, the only recourse is to delete the key and generate a new one.
For more information about using Collection Zone clients, see Collection Zone APIs.
The list of keys on the Account Settings > Collection Zone API Keys page is updated with the new key.
Use this procedure to delete your own Zenoss Cloud authentication keys for Collection Zone API clients. For information about deleting keys created by other users, see the Zenoss API key deletion procedure.
- In Zenoss Cloud, click on your user name, in the upper-right corner of the screen.
- Click Account Settings, and then click Collection Zone API Keys.
- In the list of keys, place your pointer over the key to delete.
  If your account does not include the Key Creator role or a more privileged role, the ADD KEY button is grey.
- Click the trash can icon.
- In the Delete key dialog box, click DELETE.