Project Introduction

Provide Root Admins with the ability to disable Api key/Secret key based access for a User, Account or Domain, and globally.

Benefits

Api keys are primarily used for automation. They are the primary authorisation mechanism used by automation when password based access is not used.
An Admin may want to block certain users/accounts from using them, or may want to disable Api key access for a whole domain and allow it only for certain users.

Functional Specifications

All Api Parameters and Settings are exposed only to Root Admins.

Enums

ApiKeyAccess: Enabled, Disabled, Inherit

Api Changes

  1. New parameter in the updateUser and updateAccount Apis: apiKeyAccess
    Root Admin can pass this parameter to disable or enable Api key access, or to set apiKeyAccess to inherit.

  2. New parameter in the listUsers and listAccounts Apis: apiKeyAccess
    Root Admin can list the users/accounts by giving the new parameter as a filter.

DB Changes

New Boolean column api_key_access in cloud.user and cloud.account.
true = enabled
false = disabled
null = inherit

Configuration Settings

New Domain level setting api.key.access.
true = enabled
false = disabled

Workflow

As with other CloudStack configuration settings, the local value will take precedence over the global value. For example, if Api key access is disabled for a user but enabled for that user's account, Api key access will not be allowed for the user.

For Domain level permissions, a new domain level setting will be added “api.key.access”.

For storing Account and User level permissions we need a new column in each of the cloud.account and cloud.user tables.

By default the Domain level configuration won’t be set, so any check will be redirected to the global setting.

Similarly, Account level and User level permissions will default to Inherit.

If the User level permission is Inherit, then the Account level permission will be checked. If the Account level permission is also Inherit, then the Domain level permission will be checked. And if the Domain level configuration setting is also not set, then the global value will be used to decide whether to allow Api keypair access or not.

Examples

  1. Disallow Api key access for all accounts and users in a domain, but allow it for other domains.
    - Leave the User level and Account level permissions for all Users and Accounts at the default value ‘Inherit’.
    - All upper level permissions should either be Inherit or Enabled.

  2. Disallow Api key access for some users, but allow it globally.
    - Set the User level permission to ‘Disabled’ only for the required Users.
    - All upper level permissions should either be Inherit or Enabled.

  3. Allow Api key access for some users, but disallow it globally.
    - Set the User level permission to ‘Enabled’ only for the required Users.
    - All upper level permissions should either be Inherit or Disabled.
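
The lookup order from the Workflow section, run against the three examples above, as an added Python example (not CloudStack code). The function name resolve_api_key_access, its tuple return value and the scenario table are assumptions made for illustration; it models a single domain, does not walk parent domains, and assumes the domain in example 1 has api.key.access set to false.

```python
from enum import Enum
from typing import Optional


class ApiKeyAccess(Enum):
    ENABLED = "Enabled"
    DISABLED = "Disabled"
    INHERIT = "Inherit"

    @classmethod
    def from_db(cls, value: Optional[bool]) -> "ApiKeyAccess":
        # api_key_access column: true = enabled, false = disabled, null = inherit
        if value is None:
            return cls.INHERIT
        return cls.ENABLED if value else cls.DISABLED


def resolve_api_key_access(user, account, domain_setting, global_setting):
    """Return (allowed, deciding_level); hypothetical helper, not a CloudStack API.

    user, account: Optional[bool] as stored in api_key_access.
    domain_setting: Optional[bool], None when api.key.access is not set on
    the domain. global_setting: bool, the global api.key.access value.
    """
    for level, raw in (("user", user), ("account", account)):
        access = ApiKeyAccess.from_db(raw)
        if access is not ApiKeyAccess.INHERIT:
            return access is ApiKeyAccess.ENABLED, level
    if domain_setting is not None:
        return bool(domain_setting), "domain"
    if global_setting is None:
        # Nothing left to inherit from: refuse to guess rather than allow.
        raise ValueError("global api.key.access must be true or false")
    return bool(global_setting), "global"


# Constructed scenarios: (user, account, domain, global) -> expected result.
SCENARIOS = {
    "ex1: domain set to false (assumed)": ((None, None, False, True), (False, "domain")),
    "ex1: other domain, no override": ((None, None, None, True), (True, "global")),
    "ex2: user disabled, global enabled": ((False, None, None, True), (False, "user")),
    "ex3: user enabled, global disabled": ((True, None, None, False), (True, "user")),
    "user disabled, account enabled": ((False, True, True, True), (False, "user")),
}

if __name__ == "__main__":
    for name, (args, expected) in SCENARIOS.items():
        allowed, level = resolve_api_key_access(*args)
        print(f"{name}: allowed={allowed} decided_by={level}")
        assert (allowed, level) == expected
```

Returning the deciding level alongside the result lets an audit log record which setting allowed or blocked a key-based request.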

