Title: API key pair restructure by KlausDornsbach · Pull Request #9504 · apache/cloudstack · GitHub
Open Graph Title: API key pair restructure by KlausDornsbach · Pull Request #9504 · apache/cloudstack
X Title: API key pair restructure by KlausDornsbach · Pull Request #9504 · apache/cloudstack
Description: Description API access keypairs are primarily used to support interactions between systems, without the need to create sessions (through user and password authentication). Currently, CloudStack's implementation of API keypairs does not allow you to specify permissions for each keypair, simply using the account's default permissions. Additionally, the number of keypairs is limited to one per user and they have no start and end dates. An extension of the API keypairs functionality was implemented, adding several new features that increase flexibility and security. It is now possible to specify a subset of permissions (from the base account) for each keypair, as well as create more than one key per user. It is also possible to define start and end dates for the validity of a keypair. A key created without an expiration date will always be valid up until it is deleted. It should be noted that creating API keypairs without specifying permissions just creates an API keypair with all account's base permissions. Also, API keypairs older than this patch will always be viewed as keypairs with full account permissions. The following endpoints were created: A new listUserKeys API was added. Through this API the user will be able to specify a single keypairid to fetch its specific properties, or apikeyfilter to return a specific keypair based on an apikey. The user can inform an userid to fetch an user's api keypair list. If no keypairid, apikeyfilter or userid is provided, the API defaults to fetching information on the calling user. The listall property allows for fetching all keypairs in the structure that are visible based on the calling user/keypair permissions, if not specified, it defaults to false, fetching only the apikeys on the level of the calling user/keypair. Also, it is possible to inform showpermissions to list all permissions associated with each returned apikey. Name Description Required Default userid id of the owner of the keypairs no none keypairid id of the keypair no none listall list all accessable keypairs no false apikeyfilter apikey of they keypair no none showpermissions lists all associated apikey permissions no false The API getUserKeys was modified preserving backwards compatibility. It now fetches the last keypair created for the informed user. The api registerUserKeys was modified so the new API keypair parameters could be specified on creation: Name Description Required Example Default id user id Yes b8914774-771e-11ee-8e59-5254003754dc none name name of the keypair No MyKey userId + " - API Keypair" startdate date when key becomes valid No 2024-04-09 none enddate date when key expires No 2024-04-09 never expires description keypair description No read only permissions none rules list of API access rules No rules[1].rule=list* rules[1].permission=allow all user API permissions based on Account Role A new keypair deletion API was added (deleteUserKeys). It will accept only one required argument, the keypair id. Name Description Required keypairid id of the keypair yes I also added a listUserKeyRules api, allowing the user to list the rules associated with an API keypair. Name Description Required keypairid id of the keypair yes Types of changes Breaking change (fix or feature that would cause existing functionality to change) New feature (non-breaking change which adds functionality) Bug fix (non-breaking change which fixes an issue) Enhancement (improves an existing feature and functionality) Cleanup (Code refactoring and cleanup, that may add test cases) build/CI test (unit or integration test code) Feature/Enhancement Scale or Bug Severity Feature/Enhancement Scale Major Minor Bug Severity BLOCKER Critical Major Minor Trivial How Has This Been Tested? API Key Creation and Basic Testing Single Key (via UI): I was able to create API keypairs through the UI through the button on the top right of the user view; Through Cloud Monkey, validated that the keypair had the same permissions as the base user by calling a series of APIs; Multiple Keys (via Cloud Monkey): Created multiple keys; Validated the operation was successful on the DB; Tested creating a key that was not valid and would become valid in the future, with success; Tested creating a key that was valid and would become invalid in the future, with success; Tested trying to create keys that were already invalid and got errors; All permissions of the API key pairs were consistent with each key pair tested. Permissions Validation Tested the permissions of keyrules listing, keypair listing, keypair deletion and keypair cretion with the following user/account/domain setup: domain /ROOT account root admin user root admin user user1 domain subdomain account domain admin user domain admin account userAccount user user2 user user3 The following table describes the results obtained when the user on the first column attempted to operate on the keypairs of users on the first row (V: operation was possible, F: operation was not possible). user rootAdm user1 domainAdm user2 user3 rootAdm V V V V V user1 V V V V V domainAdm F F V V V user2 F F F V F user3 F F F F V Migration to api_keypair Table A key was created for a read-only user The database was updated from version 4.19 to 4.20 The API key data was successfully migrated to the api_keypair table, with the corresponding columns in the user table deleted. Confirmed correct permission handling of the api key. General validations Could not create an API keypair with more permissions than the base keypair. Deleting system keys was not possible. After deleting a user or account, the API keypairs were invalidated.
Open Graph Description: Description API access keypairs are primarily used to support interactions between systems, without the need to create sessions (through user and password authentication). Currently, CloudStack'...
X Description: Description API access keypairs are primarily used to support interactions between systems, without the need to create sessions (through user and password authentication). Currently, CloudStack&...
Opengraph URL: https://github.com/apache/cloudstack/pull/9504
X: @github
Domain: github.com
| route-pattern | /:user_id/:repository/pull/:id/files(.:format) |
| route-controller | pull_requests |
| route-action | files |
| fetch-nonce | v2:1065576a-0ed7-a867-ff57-2b49df3f58c7 |
| current-catalog-service-hash | ae870bc5e265a340912cde392f23dad3671a0a881730ffdadd82f2f57d81641b |
| request-id | 8796:E9E68:1272E3E:18E6874:6A4F15E1 |
| html-safe-nonce | 5cfb8180a2aa61a276107fafd4a7adf5010a06fd875285f738a1b7478da134b1 |
| visitor-payload | eyJyZWZlcnJlciI6IiIsInJlcXVlc3RfaWQiOiI4Nzk2OkU5RTY4OjEyNzJFM0U6MThFNjg3NDo2QTRGMTVFMSIsInZpc2l0b3JfaWQiOiIxNTQ1MjcyODIwNDg4OTM0ODgxIiwicmVnaW9uX2VkZ2UiOiJpYWQiLCJyZWdpb25fcmVuZGVyIjoiaWFkIn0= |
| visitor-hmac | 96c314a4bde807be47fee5b7248da22f957c21be09f8caaeb61a6b5539a0410f |
| hovercard-subject-tag | pull_request:2010762678 |
| github-keyboard-shortcuts | repository,pull-request-list,pull-request-conversation,pull-request-files-changed,copilot |
| google-site-verification | Apib7-x98H0j5cPqHWwSMm6dNU4GmODRoqxLiDzdx9I |
| octolytics-url | https://collector.github.com/github/collect |
| analytics-location | / |
| fb:app_id | 1401488693436528 |
| apple-itunes-app | app-id=1477376905, app-argument=https://github.com/apache/cloudstack/pull/9504/files |
| twitter:image | https://avatars.githubusercontent.com/u/55457416?s=400&v=4 |
| twitter:card | summary_large_image |
| og:image | https://avatars.githubusercontent.com/u/55457416?s=400&v=4 |
| og:image:alt | Description API access keypairs are primarily used to support interactions between systems, without the need to create sessions (through user and password authentication). Currently, CloudStack'... |
| og:site_name | GitHub |
| og:type | object |
| hostname | github.com |
| expected-hostname | github.com |
| None | b92d11c0aa4a77d54ef4af1078b6a15fb5a70a215b30c4ecf28889d5a8e656d9 |
| turbo-cache-control | no-preview |
| diff-view | unified |
| go-import | github.com/apache/cloudstack git https://github.com/apache/cloudstack.git |
| octolytics-dimension-user_id | 47359 |
| octolytics-dimension-user_login | apache |
| octolytics-dimension-repository_id | 9759448 |
| octolytics-dimension-repository_nwo | apache/cloudstack |
| octolytics-dimension-repository_public | true |
| octolytics-dimension-repository_is_fork | false |
| octolytics-dimension-repository_network_root_id | 9759448 |
| octolytics-dimension-repository_network_root_nwo | apache/cloudstack |
| turbo-body-classes | logged-out env-production page-responsive full-width |
| disable-turbo | true |
| browser-stats-url | https://api.github.com/_private/browser/stats |
| browser-errors-url | https://api.github.com/_private/browser/errors |
| release | 2b8f23afb982271f1b22258a94aede67a6b77760 |
| ui-target | full |
| theme-color | #1e2327 |
| color-scheme | light dark |
Links:
Viewport: width=device-width