Hi Klaus,

I am aware of the apikey improvements you are working on, which are good to see and look very useful to me. But I don't think our PRs will conflict in functionality or implementation.
Individual Api key pairs for a user can be managed by the functionality you are adding, but this feature is extending the use case in some ways:

* Api keypair access can be disabled at a higher granularity (account/domain).
* One can also disable Api keypair access globally and only allow it for certain users and accounts.
* Disabling users/accounts/domains does something similar, but it will revoke all access, which we don't want in this case.
* Admins can invalidate the Api keypair for a user, but a user with UI access can recreate it themselves (Please correct me if I am wrong here)

Thanks,
Abhisar

________________________________
From: Klaus de Freitas Dornsbach <klausdornsb...@gmail.com>
Sent: Thursday, September 26, 2024 12:56 AM
To: dev@cloudstack.apache.org <dev@cloudstack.apache.org>
Subject: RE: [Proposal] Disable API (apikey/secret-key) for users, accounts and domains

Hi folks,

Just pointing out that we are also working on a PR aiming to extend the API Key pair functionality (https://github.com/apache/cloudstack/pull/9504), including API Key deletion. It addresses the user leaving an org problem by invalidating the key altogether, which may be a little safer than letting it be able to be restored.

It could still be interesting to have this system for enabling and disabling API keys non-destructively, although similar things can be achieved by disabling users/accounts/domains. Although I don't believe there will be many conflicts between the implementations, it could be interesting to take a look at the mentioned PR.

On 2024/09/24 08:03:00 Abhisar Sinha wrote:
> Hi All,
>
> I am working on this feature where Root Admin will get the option to disable Api key/Secret key based access for a User, Account, or a Domain.
> Api keys are primarily used for automation. It is the primary authorization mechanism used by automation when password-based access is not used.
> This feature will be useful for Root Admins who may want to block certain users/accounts from using them. Or the Admin may want to disable Api key access for the whole domain and allow only for certain users.
>
> I've created a spec here: https://cwiki.apache.org/confluence/pages/viewpage.action?pageId=323488155
> Your comments and suggestions are greatly appreciated.
>
> Thanks,
> Abhisar