Public API Keys

All calls to the DSS public API, either performed using The REST API or Python must be authenticated using API keys.

There are three kinds of API keys for the DSS REST API:

  • Project-level API keys

  • Global API keys

  • Personal API keys

Note

When using the API through the Python client from within DSS, you don’t need an API key. You can obtain a Python client with dataiku.api_client(). This client will automatically inherit all your personal access rights. In essence, it will behave as is you had used a personal API key, but without needing to actually create one.

Personal API keys

Personal API keys are created by each user independently in Profile & Settings > API keys. They can be listed and deleted by admin, but can only be created by the end user.

A personal API key gives exactly the same permissions as the user who created it. For all purposes, a personal API key impersonates the user, and calls made using this personal API key behave as if they had been performed by the user. In timelines, Git log and audit log, calls performed using a personal API key will appear as having been performed by the user.

Some features in DSS are based on group-level security, and can thus only be performed by a personal API key, or a globally admin key (see below). This includes:

  • Creating datasets on connections that have restrictive access

  • Performing SQL queries on connections that have restrictive access

Project-level keys

These keys give privileges on the content of the project only. They cannot give access to anything which is not in their project. Project-level keys are exported when you export a project.

Project-level keys are configured in the project settings (Project Home > Security > API Keys). When you create a new API Key, the permissions JSON objects are prefilled with sample data.

A project-level key actually provides two kinds of privileges:

  • Project-wide privileges

  • Per-dataset privileges

Project-wide permissions

The following project-wide permissions types can be set on a project-level key. Each of these permissions mirror the project-level permissions defined in Main project permissions. The relations between these permissions are also mirror of the project-level permissions (things like: Write conf implies Read conf).

  • READ_CONF: Read the whole configuration of the objects in the project (but NOT the project itself)

  • WRITE_CONF: Write the whole configuration of the objects in the project

  • EXPORT_DATASETS_DATA

  • SHARE_TO_WORKSPACE

  • READ_DASHBOARDS

  • WRITE_DASHBOARDS

  • MODERATE_DASHBOARDS

  • RUN_SCENARIOS

  • MANAGE_DASHBOARD_AUTHORIZATIONS

  • MANAGE_EXPOSED_ELEMENTS

  • ADMIN: manage the whole project (get/set permissions and project metadata)

Dataset-specific permissions

In addition, on a project-level key, you can define some permissions that only apply to a set of datasets. This allows you to create very limited API keys that can only be used to read a small number of “published” datasets.

Note

The Webapp builder in DSS and its Javascript API use project-level API keys with dataset-specific permissions

The following permissions can be granted on a set of datasets:

  • READ_DATA

  • WRITE_DATA

  • READ_METADATA

  • WRITE_METADATA

  • READ_SCHEMA

  • WRITE_SCHEMA

Associated user

Unlike personal API keys, project-level API keys are not equivalent to a DSS user. API keys have their own access rights, and calls performed by a project-level API key will appear as having been performed by this key.

For the sole purpose of User Isolation Framework, it is possible to define an “associated user for impersonation” in the configuration of the API key. The identity of this user will be used to compute the impersonation rules for access to HDFS datasets. However, the key still needs to have proper permissions for the action to be granted.

Global API keys

Global API keys are keys that can encompass several projects. Global API keys can only be created and modified by DSS administrators.

Global API keys are defined in Administration > Security > Global API keys

Global API keys are not bound to a project and are not exported.

Project-level permissions

A global API key can define project-level permissions on any project in DSS. This way, you can for example create a key that has READ_CONF permissions on one project and READ_CONF + WRITE_CONF on another project.

Global admin

This special permission gives global admin rights to this key. A global admin key has all permissions and all projects. It can also perform global DSS administration tasks:

  • Manage users

  • Manage log files

  • Manage global variables

Associated user

Unlike personal API keys, project-level API keys are not equivalent to a DSS user. API keys have their own access rights, and calls performed by a project-level API key will appear as having been performed by this key.

For the sole purpose of User Isolation Framework, it is possible to define an “associated user for impersonation” in the configuration of the API key. The identity of this user will be used to compute the impersonation rules for access to HDFS datasets. However, the key still needs to have proper permissions for the action to be granted.