Reduce Toil and Maintain Security With Zenoss Cloud APIs

Managing the infrastructure monitoring system in a large-scale IT environment can be incredibly tedious. I’d be willing to bet that you’ve run into at least one of these issues or something similar.

  • The networking team changed a subnet, and the IP address for a few dozen devices needs to change for data collection to continue.
  • You suddenly have to bulk update all the ServiceNow notifications to use a new proxy URL.
  • You need to change all the device titles from the old naming standard to the new naming standard.
  • A provisioning workflow needs to be extended so that newly added devices are automatically monitored and newly removed devices aren’t throwing “device down!” errors.

APIs exist because user interfaces can’t do everything, and we’re all very happy that they do!

Zenoss Cloud supports two APIs: a JSON API for bulk administration and a streaming data ingest API to allow a wide variety of devices to publish data directly.

The JSON API is designed to eliminate toil. Using our API can be as simple as calling it from curl. For example, here’s the call to add a new device.

curl -H “z-api-key: <your_api_key>”  -X POST -H “Content-Type: application/json” -d “[{\”action\”: \”DeviceRouter\”, \”method\”: \”addDevice\”, \”data\”: {\”deviceName\”: \”example.zenoss.com\”, \”deviceClass\”: \”/Server/Linux\”}, \”tid\”: 1}]” https://example.zenoss.io/cz0/zport/dmd/device_router

You can learn more about the API in the online help and join our community to explore it with other customers. 

Announcing New API Administration Functions

We’ve now made controlling and using the APIs much simpler with new API key administration functions. 

Two new Zenoss Cloud roles combined with supporting user interfaces give you secure control over who uses the APIs. The new roles are key administrator and key creator, and they can be assigned to groups or individual users. Groups are generally preferred as a target. In my experience, it’s easier to eliminate privilege accretion with group memberships.

Here’s how this works with the JSON API.

The Zenoss Cloud manager considers who can be trusted to write and run bulk administration scripts against the production system. Those people are given the key creator role. The API keys have exactly the same read/write/view limitations as the person they’ve been given to. If Bob can only see network devices but not acknowledge events, that’s all his API scripts can do, too.

Someone with the key creator role uses their new profile screen (sample screen below) to create a key. When a key is created, it is displayed on the screen where it can be copied to the clipboard and then embedded in a script. Zenoss Cloud doesn’t store the keys, so if a key creator forgets the key, another one can be created. Of course, keys can be deleted when they are no longer needed.

The manager can also give people the right to control API keys that other people have created or to control and create streaming data ingest keys. People with the key administrator role see a new API clients screen in the admin tab.  

If a key creator changes roles within the company, a key administrator can delete their keys. However, they can’t create a key for a JSON API user as that would be equivalent to setting a user’s password for them, a basic security no-no.

Secure, Flexible API Key Management

With the new key administration function, we’ve enabled Zenoss Cloud users to easily and securely manage API permissions. 

If you’d like to learn how Zenoss Cloud can help you eliminate administrative toil, get a demo today.

We’ll have another blog article soon to talk in depth about streaming data support. Probably more than one — it’s a big topic!