Alright, thanks for clarifying.
It would have been nice to be able to disallow API access completely to
certain users, but this would also kill UI access for them. :/
On 2024-09-25 10:46, Rohit Yadav wrote:
Potential use-cases could be when there are organisations who want to
disable API-based access using external auth integrations like LDAP,
SAML or OAuth2. In such setups, sometimes when a user leaves the org -
admins would block the auth from the external system (LDAP/SAML etc.)
but they may continue to use API/secret-key based access. Granular
control would also allow admins to implement their org-specific control
and needs.
Regards.
________________________________
From: Abhisar Sinha <abhisar.si...@shapeblue.com>
Sent: Wednesday, September 25, 2024 14:17
To: us...@cloudstack.apache.org <us...@cloudstack.apache.org>;
dev@cloudstack.apache.org <dev@cloudstack.apache.org>
Subject: Re: [Proposal] Disable API (apikey/secret-key) for users,
accounts and domains
That's right.
This will be useful for cases where 3rd Party authentication mechanisms
are used instead of username-password based.
Thanks,
Abhisar
________________________________
From: Nux <n...@li.nux.ro>
Sent: Wednesday, September 25, 2024 5:02 AM
To: us...@cloudstack.apache.org <us...@cloudstack.apache.org>
Cc: dev@cloudstack.apache.org <dev@cloudstack.apache.org>
Subject: Re: [Proposal] Disable API (apikey/secret-key) for users,
accounts and domains
Hi,
Seems like a nice idea, but one can still access the API with the user
and password right? So what exactly are we achieving?
On 2024-09-24 09:03, Abhisar Sinha wrote:
Hi All,
I am working on this feature where Root Admin will get the option to
disable Api key/ Secret key based access for a User, Account, or a
Domain.
Api keys are primarily used for automation. It is the primary
authorization mechanism used by automation when password-based access
is not used.
This feature will be useful for Root Admins who may want to block
certain users/accounts from using them. Or the Admin may want to
disable Api key access for the whole domain and allow only for certain
users.
I've created a spec here :
https://cwiki.apache.org/confluence/pages/viewpage.action?pageId=323488155
Your comments and suggestions are greatly appreciated.
Thanks,
Abhisar