Hi Klaus,
I am aware of the apikey improvements you are working on, which are good to see and look very useful to me.
But I don't think our PRs will conflict in functionality or implementation.

Individual Api key pairs for a user can be managed by the functionality you are adding,
but this feature is extending the use case in some ways:
* Api keypair access can be disabled at a higher granularity (account/domain).
* One can also disable Api keypair access globally and only allow it for certain users and accounts.
* Disabling users/accounts/domains does something similar, but it will revoke all access, which we don't want in this case.
* Admins can invalidate an Api keypair for a user, but a user with UI access can recreate it themselves (please correct me if I am wrong here).

Thanks,
Abhisar
________________________________
From: Klaus de Freitas Dornsbach <klausdornsb...@gmail.com>
Sent: Thursday, September 26, 2024 12:56 AM
To: dev@cloudstack.apache.org <dev@cloudstack.apache.org>
Subject: RE: [Proposal] Disable API (apikey/secret-key) for users, accounts and domains

Hi folks, just pointing out that we are also working on a PR aiming to extend the API Key pair functionality (https://github.com/apache/cloudstack/pull/9504), including API Key deletion. It addresses the user-leaving-an-org problem by invalidating the key altogether, which may be a little safer than letting it be able to be restored. It could still be interesting to have this system for enabling and disabling API keys non-destructively, although similar things can be achieved by disabling users/accounts/domains. Although I don't believe there will be many conflicts between the implementations, it could be interesting to take a look at the mentioned PR.

On 2024/09/24 08:03:00 Abhisar Sinha wrote:
> Hi All,
>
> I am working on this feature where Root Admin will get the option to disable Api key/Secret key based access for a User, Account, or a Domain.
> Api keys are primarily used for automation. It is the primary authorization mechanism used by automation when password-based access is not used.
> This feature will be useful for Root Admins who may want to block certain users/accounts from using them. Or the Admin may want to disable Api key access for the whole domain and allow only for certain users.
>
> I've created a spec here: https://cwiki.apache.org/confluence/pages/viewpage.action?pageId=323488155
> Your comments and suggestions are greatly appreciated.
>
> Thanks,
> Abhisar