Core: Ombi integration does not implement user name and password auth, always connects with unlimited rights

Created on 27 Oct 2019 · 5 Comments · Source: home-assistant/core

The new ombi integration only uses the API key method of authentication. This grants HASS full admin access to the ombi instance. Using the JWT Bearer authentication method allows the Ombi admin to limit access to the account connecting.

ombi

All 5 comments

Hey there @larssont, mind taking a look at this issue as it's been labeled with an integration (ombi) you are listed as a codeowner for? Thanks!

I decided to use the API key for authentication since most people that monitor an Ombi instance would probably also administer it. I'll start working on an update for the pyombi package that will use JWT Bearer authentication instead 👍

I wrote a plugin for flexget a while ago that set up both. The only issue might be that some of the advanced features you have implemented need to fail gracefully if they don't have permission, for example the request services. Might be worth testing with a user account with no permissions and checking that each fails nicely.

Another reason it is good to NOT give the automation account full access is the approval process on Ombi. When I was testing my integration, automation occasionally would request a boatload of incorrect stuff at once, so it is nice to have the extra approval step in place, which you do not get with the API key having full rights to everything.

FYI, given that you have implemented the services, I am now tempted to find a way to use voice dictation in my HA config to request things. This would be amazing!

Thanks for writing this plugin.

@bagobones I think everything should be fixed now, I'll do a pull request if everything seems fine later.

I decided to implement another config option for a password but still allow people to use the api_key option. If neither the api_key nor the password is supplied, the setup will obviously terminate. If both are supplied, the api_key will take precedence. If the user in question does not have the right permissions for requesting media, an error message will be shown (in a similar fashion to when a search returns nothing).

Do you think this solution would be sufficient? I'd be happy to modify it if you have any additional thoughts.
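The behaviour described in the two comments above (the earlier request to test with a no-permission account and fail gracefully, and the api_key/password precedence rules) as an added example. This is not pyombi's or Home Assistant's code. The Ombi endpoint and header names it uses (`ApiKey` header for key auth, `POST /api/v1/Token` returning `access_token`, `Authorization: Bearer`) and the `FakeOmbi` in-memory server are assumptions constructed so the example runs offline; the point is the client logic: an API key is all-or-nothing admin access, while a bearer token is scoped to whatever the Ombi admin granted that user, so a 403 on a request must become a message rather than a crash.

```python
"""Added example: Ombi client accepting either an API key or a username/password.
Not pyombi code. Endpoint/header names and the FakeOmbi server are assumptions."""

from dataclasses import dataclass, field


class OmbiError(Exception):
    """Configuration problem (no credentials, bad login) or an unexpected HTTP failure."""


@dataclass
class FakeOmbi:
    """Constructed stand-in for an Ombi server: API key = full rights, users have per-user rights."""
    api_key: str
    users: dict                                   # username -> {"password": str, "can_request": bool}
    issued_tokens: dict = field(default_factory=dict)  # bearer token -> username

    def handle(self, method, path, headers, body=None):
        """Act as the HTTP transport: return (status, json_body)."""
        if method == "POST" and path == "/api/v1/Token":
            user = self.users.get(body.get("username"))
            if user is None or user["password"] != body.get("password"):
                return 401, {"error": "bad credentials"}
            token = f"jwt-for-{body['username']}"   # constructed placeholder, not a real JWT
            self.issued_tokens[token] = body["username"]
            return 200, {"access_token": token}

        # Resolve the caller: the API key bypasses per-user permissions entirely.
        if headers.get("ApiKey") == self.api_key:
            can_request = True
        else:
            auth = headers.get("Authorization", "")
            token = auth[len("Bearer "):] if auth.startswith("Bearer ") else ""
            username = self.issued_tokens.get(token)
            if username is None:
                return 401, {"error": "not authenticated"}
            can_request = self.users[username]["can_request"]

        if method == "POST" and path == "/api/v1/Request/movie":
            if not can_request:
                return 403, {"error": "no request permission"}
            return 200, {"result": True, "message": "requested"}
        if method == "GET" and path.startswith("/api/v1/Search/movie/"):
            return 200, [{"title": "Test", "theMovieDbId": 1}]
        return 404, {"error": "unknown"}


class OmbiClient:
    def __init__(self, transport, username=None, api_key=None, password=None):
        """Precedence as described in the thread: api_key wins; neither -> refuse to set up."""
        if not api_key and not password:
            raise OmbiError("either api_key or password must be supplied")
        self._transport = transport
        self._headers = {}
        if api_key:
            self.mode = "api_key"
            self._headers["ApiKey"] = api_key
        else:
            # Exchange the credentials for a JWT once; every later call carries it as Bearer.
            self.mode = "bearer"
            status, data = transport("POST", "/api/v1/Token", {},
                                     {"username": username, "password": password})
            if status != 200:
                raise OmbiError("login failed")
            self._headers["Authorization"] = "Bearer " + data["access_token"]

    def search_movie(self, query):
        status, data = self._transport("GET", f"/api/v1/Search/movie/{query}", self._headers)
        if status != 200:
            raise OmbiError(f"search failed with HTTP {status}")
        return data

    def request_movie(self, tmdb_id):
        """Fail gracefully: a missing permission becomes a message, not an exception."""
        status, data = self._transport("POST", "/api/v1/Request/movie",
                                       self._headers, {"theMovieDbId": tmdb_id})
        if status == 403:
            return "This account is not allowed to request media"
        if status != 200:
            raise OmbiError(f"request failed with HTTP {status}")
        return data["message"]


def build_server():
    """Constructed sample instance: 'ha' is a limited user, 'admin' may request."""
    return FakeOmbi(api_key="secret-key",
                    users={"ha": {"password": "pw", "can_request": False},
                           "admin": {"password": "pw2", "can_request": True}})


if __name__ == "__main__":
    srv = build_server()
    limited = OmbiClient(srv.handle, username="ha", password="pw")
    print(limited.mode, limited.request_movie(1))    # bearer, permission message
    full = OmbiClient(srv.handle, username="ha", api_key="secret-key", password="pw")
    print(full.mode, full.request_movie(1))          # api_key, requested
```

Testing with the limited user as suggested above is what surfaces the difference: with the key, every call succeeds and bypasses Ombi's approval queue; with a bearer token for a user who lacks the request permission, the request endpoint returns 403 and the client reports it instead of raising.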

I think supporting both is the best idea. I personally don't like using the API key, but it is a valid option. In my setup I will probably limit the user slightly, but the nice thing is the HA user can have its own name and own approval settings etc. this way.
