Authentification with API Key

[tdugard]

Hello everyone,

I've recently begin to connect my studio tool to ftrack via the ftrack python API, but something is bothering me. I've generate an API key for the pipeline tool and i'm using it with a user account

Here is a part of my code

import ftrack_api
import os

os.environ['FTRACK_SERVER'] = 'https://myserver.ftrackapp.com'
# the generic API key
os.environ['FTRACK_API_KEY'] = 'my_api_key'

# the user name
session = ftrack_api.Session(api_user='the_user')


def get_project_id_by_name(project_name):
    project_id = session.query('select id from Project where name is "{0}"'.format(project_name)).first()
    return project_id


def get_shots_by_project(project_id=None):
    shots = session.query('Shot where project.id is "{0}" order by name asc'.format(project_id))
    return shots

project_id = get_project_id_by_name("project_name")
shots = get_shots_by_project(project_id)
for shot in shots:
    print(shot['name'])

The problem i'm facing is that everything returned by the querie is always the same for all users because of the API_key (all project, all task). Is there a way to restrict the result the the user scope (like the user can see in the we interface, only project he can see).

It may be because i'm not using user's API key, i really don't know how to manage to work with it. Because i haven't found a way to retreive this user's key with a user/pass function. If you have a clue ?

Do i really have to filter everything by the user (it will be my next step if i can't find another way) ? 

 

Thanks

[Lorenzo Angeli]

Hi @tdugard api are not supposed to return filtered results, unless these limits are bound to your user permissions level.
What you should do is to filter out the result for the user you are interested in during the query, something along these lines should work.

import ftrack_api
import os

project_name = 'myproject'

# login data is passed to the session through environments
session = ftrack_api.Session()
ftrack_user = session.query('User where username is {}'.format(session._api_user)).first()

tasks = session.query('Task where project.name is "{0}" and assignments.resource_id is "{1}" order by name asc'.format(project_name, ftrack_user['id']))

for task in tasks:
    print t

 

[tdugard]

Thanks for the quick reply, but the problem i see here is that a user with some coding skill can easily create a function using environment variables that can show the entire project list and can query everything ? Even if in webview he can't see all the projects..

The better solution is to use the user auth_key to connect to the session but i have no clue how to request it via user/password because actually i'm using a global API_key that i have created in Security > Api Keys

 

Like you said i need the result bounded to the user permissions. How can i acheive that ?

[Lorenzo Angeli]

Hi @tdugard, users query will respect the roles assigned, so they will have different result depending on what they have been set to, especially in regard of the private projects.
If you want to ensure these are maintained I'd suggest setting up different global API keys for different behaviours.

hope it helps.

L.

[tdugard]

That's the problem, i've tested my code with 2 differents users :

• me : I can see every project
• user2 : who can see only one project in his web browser 

And the result of the query 
 

Project where status is active

is the same for both user.

That's why i'm asking for help to know where is the problem.

Is it because i use the same global api_key i've created ?

Do i need to use user's api key ? if its the only way how can i get this key by code ?

[tdugard]

Hello, i've tried again but still stuck. If someone can help me with this problem My previous message explains everything. 

I can't find in the help file the way to use the user api key, so in the session creation i use a global one that I've created. But when i use it the queries aren't bounded to the user's permission

 

[Guest]

Hi Tony,

What's your use case exactly? As you've found, the global API keys are not limited by the role(s) assigned to the user's whose username you use to instantiate your session.

[tdugard]

I want the user to query the ftrack database using my python tool (listing projects, pick a shot, task, etc...) but i need this user to be bounded to his permissions.

The global API keys aren't limited to the user's role so i need to use the user's key but i don't know how to get it to set the environment variable. The best way in my opinion is to ask the user for his ftrack login/pass to request his API key. But maybe i'm wrong...

[Guest]

How's the user running this tool? Is there one persistent process running in a central location or is it more like a short-lived command invoked on the command line? Are you using ftrack Connect? Just the web UI? Depending on your use-case, either running your tool as a plugin in Connect, pulling the API key from the config file written by Connect, or using the method demonstrated by Connect to use an authenticated browser session to generate a new API key all sound like good options. If you're exposing this tool as a web page or widget itself, you could embed that in a dashboard and pull API credentials there too.

 

Also, and I don't necessarily suggest this, a global API key can have the permissions to manage User's API keys, so you could generate a new one for each of your users, store them, then create sessions as needed. Be careful not to revoke their existing keys as that will log them out of Connect.

[tdugard]

The user is just running the tool with a custom launcher written in python (so it's like running a command line) . I have a program called explorer which query ftrack to get all the projects/shot/task information for the user. Once he have choose a task the explorer launch the correct software with the correct context. I don't use ftrack connect. 

I have my own database for our projects, the goal is to work with the local DB and replicate the data in the ftrack one to use the Web UI to manage projects easily
 

[Guest]

Cool! Take a look at this if you don't want to hand out that highly-provisioned API key to everyone

https://bitbucket.org/ftrack/ftrack-connect/src/57ece813d21bff72621c1a6a58feb958cd0557cd/source/ftrack_connect/ui/login_tools.py?at=master#login_tools.py-12:13,75:76,84,87,92,95,100,103