Potential use-cases could be when there are organisations who want to disable 
API-based access using external auth integrations like LDAP, SAML or OAuth2. In 
such setups, sometimes when a user leaves the org - admins would block the auth 
from the external system (LDAP/SAML etc.) but they may continue to use 
API/secret-key based access. Granular control would also allow admins to 
implement their org-specific control and needs.


Regards.

 


________________________________
From: Abhisar Sinha <abhisar.si...@shapeblue.com>
Sent: Wednesday, September 25, 2024 14:17
To: us...@cloudstack.apache.org <us...@cloudstack.apache.org>; 
dev@cloudstack.apache.org <dev@cloudstack.apache.org>
Subject: Re: [Proposal] Disable API (apikey/secret-key) for users, accounts and 
domains

That's right.
This will be useful for cases where 3rd Party authentication mechanisms are 
used instead of username-password based.

Thanks,
Abhisar



________________________________
From: Nux <n...@li.nux.ro>
Sent: Wednesday, September 25, 2024 5:02 AM
To: us...@cloudstack.apache.org <us...@cloudstack.apache.org>
Cc: dev@cloudstack.apache.org <dev@cloudstack.apache.org>
Subject: Re: [Proposal] Disable API (apikey/secret-key) for users, accounts and 
domains

Hi,

Seems like a nice idea, but one can still access the API with the user
and password right? So what exactly are we achieving?

On 2024-09-24 09:03, Abhisar Sinha wrote:
> Hi All,
>
> I am working on this feature where Root Admin will get the option to
> disable Api key/ Secret key based access for a User, Account, or a
> Domain.
> Api keys are primarily used for automation. It is the primary
> authorization mechanism used by automation when password-based access
> is not used.
> This feature will be useful for Root Admins who may want to block
> certain users/accounts from using them. Or the Admin may want to
> disable Api key access for the whole domain and allow only for certain
> users.
>
> I've created a spec here :
> https://cwiki.apache.org/confluence/pages/viewpage.action?pageId=323488155
> Your comments and suggestions are greatly appreciated.
>
> Thanks,
> Abhisar

Reply via email to