Re: [Proposal] Disable API (apikey/secret-key) for users, accounts and domains

Wed, 25 Sep 2024 04:29:28 -0700 

Alright, thanks for clarifying.
It would have been nice to be able to disallow API access completely to certain users, but this would also kill UI access for them. :/ 


On 2024-09-25 10:46, Rohit Yadav wrote:

Potential use-cases could be when there are organisations who want to 
disable API-based access using external auth integrations like LDAP, 
SAML or OAuth2. In such setups, sometimes when a user leaves the org - 
admins would block the auth from the external system (LDAP/SAML etc.) 
but they may continue to use API/secret-key based access. Granular 
control would also allow admins to implement their org-specific control 
and needs.



Regards.




________________________________
From: Abhisar Sinha <abhisar.si...@shapeblue.com>
Sent: Wednesday, September 25, 2024 14:17

To: us...@cloudstack.apache.org <us...@cloudstack.apache.org>; 
dev@cloudstack.apache.org <dev@cloudstack.apache.org>
Subject: Re: [Proposal] Disable API (apikey/secret-key) for users, 
accounts and domains


That's right.

This will be useful for cases where 3rd Party authentication mechanisms 
are used instead of username-password based.


Thanks,
Abhisar



________________________________
From: Nux <n...@li.nux.ro>
Sent: Wednesday, September 25, 2024 5:02 AM
To: us...@cloudstack.apache.org <us...@cloudstack.apache.org>
Cc: dev@cloudstack.apache.org <dev@cloudstack.apache.org>

Subject: Re: [Proposal] Disable API (apikey/secret-key) for users, 
accounts and domains


Hi,

Seems like a nice idea, but one can still access the API with the user
and password right? So what exactly are we achieving?

On 2024-09-24 09:03, Abhisar Sinha wrote:

Hi All,

I am working on this feature where Root Admin will get the option to
disable Api key/ Secret key based access for a User, Account, or a
Domain.
Api keys are primarily used for automation. It is the primary
authorization mechanism used by automation when password-based access
is not used.
This feature will be useful for Root Admins who may want to block
certain users/accounts from using them. Or the Admin may want to
disable Api key access for the whole domain and allow only for certain
users.

I've created a spec here :
https://cwiki.apache.org/confluence/pages/viewpage.action?pageId=323488155
Your comments and suggestions are greatly appreciated.

Thanks,
Abhisar






















					Reply via email to