> Several questions regarding the "registerUserKeys" API:
>
> 1. Only the ROOT admin has access to it. In a public cloud, it does not
> make sense for the ROOT admin to create keys for every user in every
> domain. The responsibility should go to domain admins. Is there a plan to
> give domain admin access to the API?

I agree. Once an admin has created an account for a tenant he/she should be able to alter the keys for his/her account. These keys are necessarily resources belonging to a user and less to do with the admin of the cloud/domain-admin of the domain. Perhaps we should make the API user level.

> 2. The API simply takes user id as parameter. It does not take into account
> whether the user already has a key or not. User's key will be overwritten
> if he/she already has one. Should we change the API a little bit to take
> this into account?

Yes - again. I think we shouldn't disturb keys that already exist. Overwriting them without warning is going to break the integration the user has put into his client side code.

Also - it would be nicer to have the API accept the account name and the name of the user in that account.

registerUserKeys&account=<acct>&domainid=<dom>&user=<username>

> 3. You can actually generate key for the internal "system" user (with
> id=0). It might cause some issues if "system" is meant to be an internal
> user only. Is there a valid use case for system user to use its API key? If
> not, it should be blocked.
>

Can't think of a use case. But since the listUser API is admin only there's going to be no way for non-admin users to see those keys. If the above two enhancements do happen this should be blocked.

--
Prasanna.,
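
The three changes discussed in this thread (scoped access instead of ROOT-only, no silent overwrite of existing keys, no keys for the "system" user) are sketched below as an added example. It is not the project's code: the `User` type, the role names, the `key_store` dict and the `regenerate` flag are all hypothetical, and domain matching is simplified to an exact id comparison.

```python
import secrets
from dataclasses import dataclass

SYSTEM_USER_ID = 0  # the internal "system" user (id=0) mentioned in the thread


@dataclass(frozen=True)
class User:
    id: int
    domain_id: int
    role: str  # hypothetical role names: "root-admin", "domain-admin", "user"


class KeyPolicyError(Exception):
    """Raised when a key registration request violates the policy."""


def may_manage_keys(caller: User, target: User) -> bool:
    """Scope check: root anywhere, domain admin in own domain, user on self."""
    if caller.role == "root-admin":
        return True
    if caller.role == "domain-admin":
        # Assumption: exact domain match only; sub-domains are not modelled.
        return caller.domain_id == target.domain_id
    return caller.id == target.id


def register_user_keys(caller: User, target: User, key_store: dict,
                       regenerate: bool = False) -> tuple:
    """Issue (api_key, secret_key) for target, or raise KeyPolicyError."""
    if target.id == SYSTEM_USER_ID:
        raise KeyPolicyError("keys may not be issued for the system user")
    # Authorize before looking at the store, so an unauthorized caller
    # cannot learn from the error whether the target already has keys.
    if not may_manage_keys(caller, target):
        raise KeyPolicyError("caller may not manage this user's keys")
    if target.id in key_store and not regenerate:
        raise KeyPolicyError("keys exist; pass regenerate=True to replace")
    keys = (secrets.token_urlsafe(32), secrets.token_urlsafe(32))
    key_store[target.id] = keys
    return keys
```

Requiring an explicit `regenerate=True` turns an accidental overwrite into an error the caller sees, so existing client integrations keep working until the key owner chooses to rotate.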
