There is a new comment on the issue related to this patch [1] which suggests a deployment time parameter for enabling the feature that restricts whisk API keys being available to all actions. I looked at the PR and think it can be done with some changes in the controller and the tests. We already have many deployment parameters and a pattern to replicate.
It is worth adding this configuration parameter? I'd expect we'd remove it at some point since the more-secure-by-default makes more sense longer term. -r [1] https://github.com/apache/incubator-openwhisk/issues/4226#issuecomment-470112596
