Re: [Proposal] Disable API (apikey/secret-key) for users, accounts and domains

2024-09-25 Thread Abhisar Sinha
Hi Klaus,
I am aware of the apikey improvements you are working on which are good to see 
and look very useful to me.
But I don't think our PRs will conflict in functionality or implementation.

Individual Api key pairs for a user can be managed by the functionality you are
adding, but this feature is extending the use case in some ways:
* Api keypair access can be disabled at a higher granularity (account/domain).
* One can also Disable Api keypair access globally and only allow it for 
certain users and accounts.
* Disabling users/accounts/domains does something similar but it will revoke 
all access which we don't want in this case.
* Admins can invalidate Api keypair for a user, but a user with UI access can 
recreate it themselves (Please correct me if I am wrong here)

Thanks,
Abhisar
 



From: Klaus de Freitas Dornsbach 
Sent: Thursday, September 26, 2024 12:56 AM
To: dev@cloudstack.apache.org 
Subject: RE: [Proposal] Disable API (apikey/secret-key) for users, accounts and 
domains

Hi folks, Just pointing out that we are also working on a PR aiming to
extend the API Key pair functionality
(https://github.com/apache/cloudstack/pull/9504), including API Key
deletion. It addresses the user leaving an org problem by invalidating
the key altogether, which may be a little safer than letting it be able
to be restored. It could still be interesting to have this system for
enabling and disabling API keys non-destructively, although similar
things can be achieved by disabling users/accounts/domains. Although I don't
believe there will be many conflicts between the implementations, it
could be interesting to take a look at the mentioned PR.

On 2024/09/24 08:03:00 Abhisar Sinha wrote:
> Hi All,
>
> I am working on this feature where Root Admin will get the option to
> disable Api key/ Secret key based access for a User, Account, or a Domain.
> Api keys are primarily used for automation. It is the primary
> authorization mechanism used by automation when password-based access is
> not used.
> This feature will be useful for Root Admins who may want to block
> certain users/accounts from using them. Or the Admin may want to disable
> Api key access for the whole domain and allow only for certain users.
>
> I've created a spec here :
> https://cwiki.apache.org/confluence/pages/viewpage.action?pageId=323488155
> Your comments and suggestions are greatly appreciated.
>
> Thanks,
> Abhisar


Re: [Proposal] Disable API (apikey/secret-key) for users, accounts and domains

2024-09-25 Thread Abhisar Sinha
That's right.
This will be useful for cases where 3rd Party authentication mechanisms are 
used instead of username-password based.

Thanks,
Abhisar
 



From: Nux 
Sent: Wednesday, September 25, 2024 5:02 AM
To: us...@cloudstack.apache.org 
Cc: dev@cloudstack.apache.org 
Subject: Re: [Proposal] Disable API (apikey/secret-key) for users, accounts and 
domains

Hi,

Seems like a nice idea, but one can still access the API with the user
and password right? So what exactly are we achieving?

On 2024-09-24 09:03, Abhisar Sinha wrote:
> Hi All,
>
> I am working on this feature where Root Admin will get the option to
> disable Api key/ Secret key based access for a User, Account, or a
> Domain.
> Api keys are primarily used for automation. It is the primary
> authorization mechanism used by automation when password-based access
> is not used.
> This feature will be useful for Root Admins who may want to block
> certain users/accounts from using them. Or the Admin may want to
> disable Api key access for the whole domain and allow only for certain
> users.
>
> I've created a spec here :
> https://cwiki.apache.org/confluence/pages/viewpage.action?pageId=323488155
> Your comments and suggestions are greatly appreciated.
>
> Thanks,
> Abhisar


Re: [Proposal] Disable API (apikey/secret-key) for users, accounts and domains

2024-09-25 Thread Rohit Yadav
Potential use-cases could be when there are organisations who want to disable 
API-based access using external auth integrations like LDAP, SAML or OAuth2. In 
such setups, sometimes when a user leaves the org - admins would block the auth 
from the external system (LDAP/SAML etc.) but they may continue to use 
API/secret-key based access. Granular control would also allow admins to 
implement their org-specific control and needs.


Regards.

 



From: Abhisar Sinha 
Sent: Wednesday, September 25, 2024 14:17
To: us...@cloudstack.apache.org ; 
dev@cloudstack.apache.org 
Subject: Re: [Proposal] Disable API (apikey/secret-key) for users, accounts and 
domains

That's right.
This will be useful for cases where 3rd Party authentication mechanisms are 
used instead of username-password based.

Thanks,
Abhisar




From: Nux 
Sent: Wednesday, September 25, 2024 5:02 AM
To: us...@cloudstack.apache.org 
Cc: dev@cloudstack.apache.org 
Subject: Re: [Proposal] Disable API (apikey/secret-key) for users, accounts and 
domains

Hi,

Seems like a nice idea, but one can still access the API with the user
and password right? So what exactly are we achieving?

On 2024-09-24 09:03, Abhisar Sinha wrote:
> Hi All,
>
> I am working on this feature where Root Admin will get the option to
> disable Api key/ Secret key based access for a User, Account, or a
> Domain.
> Api keys are primarily used for automation. It is the primary
> authorization mechanism used by automation when password-based access
> is not used.
> This feature will be useful for Root Admins who may want to block
> certain users/accounts from using them. Or the Admin may want to
> disable Api key access for the whole domain and allow only for certain
> users.
>
> I've created a spec here :
> https://cwiki.apache.org/confluence/pages/viewpage.action?pageId=323488155
> Your comments and suggestions are greatly appreciated.
>
> Thanks,
> Abhisar


Re: [Proposal] Disable API (apikey/secret-key) for users, accounts and domains

2024-09-25 Thread Nux

Alright, thanks for clarifying.
It would have been nice to be able to disallow API access completely to 
certain users, but this would also kill UI access for them. :/



On 2024-09-25 10:46, Rohit Yadav wrote:
> Potential use-cases could be when there are organisations who want to
> disable API-based access using external auth integrations like LDAP,
> SAML or OAuth2. In such setups, sometimes when a user leaves the org -
> admins would block the auth from the external system (LDAP/SAML etc.)
> but they may continue to use API/secret-key based access. Granular
> control would also allow admins to implement their org-specific control
> and needs.
>
> Regards.
>
> From: Abhisar Sinha
> Sent: Wednesday, September 25, 2024 14:17
> To: us...@cloudstack.apache.org ;
> dev@cloudstack.apache.org
> Subject: Re: [Proposal] Disable API (apikey/secret-key) for users,
> accounts and domains
>
> That's right.
> This will be useful for cases where 3rd Party authentication mechanisms
> are used instead of username-password based.
>
> Thanks,
> Abhisar
>
> From: Nux
> Sent: Wednesday, September 25, 2024 5:02 AM
> To: us...@cloudstack.apache.org
> Cc: dev@cloudstack.apache.org
> Subject: Re: [Proposal] Disable API (apikey/secret-key) for users,
> accounts and domains
>
> Hi,
>
> Seems like a nice idea, but one can still access the API with the user
> and password right? So what exactly are we achieving?
>
> On 2024-09-24 09:03, Abhisar Sinha wrote:
> > Hi All,
> >
> > I am working on this feature where Root Admin will get the option to
> > disable Api key/ Secret key based access for a User, Account, or a
> > Domain.
> > Api keys are primarily used for automation. It is the primary
> > authorization mechanism used by automation when password-based access
> > is not used.
> > This feature will be useful for Root Admins who may want to block
> > certain users/accounts from using them. Or the Admin may want to
> > disable Api key access for the whole domain and allow only for certain
> > users.
> >
> > I've created a spec here :
> > https://cwiki.apache.org/confluence/pages/viewpage.action?pageId=323488155
> > Your comments and suggestions are greatly appreciated.
> >
> > Thanks,
> > Abhisar


RE: [Proposal] Disable API (apikey/secret-key) for users, accounts and domains

2024-09-25 Thread Klaus de Freitas Dornsbach
Hi folks, Just pointing out that we are also working on a PR aiming to
extend the API Key pair functionality
(https://github.com/apache/cloudstack/pull/9504), including API Key
deletion. It addresses the user leaving an org problem by invalidating
the key altogether, which may be a little safer than letting it be able
to be restored. It could still be interesting to have this system for
enabling and disabling API keys non-destructively, although similar
things can be achieved by disabling users/accounts/domains. Although I don't
believe there will be many conflicts between the implementations, it
could be interesting to take a look at the mentioned PR.


On 2024/09/24 08:03:00 Abhisar Sinha wrote:
> Hi All,
>
> I am working on this feature where Root Admin will get the option to
> disable Api key/ Secret key based access for a User, Account, or a Domain.
> Api keys are primarily used for automation. It is the primary
> authorization mechanism used by automation when password-based access is
> not used.
> This feature will be useful for Root Admins who may want to block
> certain users/accounts from using them. Or the Admin may want to disable
> Api key access for the whole domain and allow only for certain users.
>
> I've created a spec here :
> https://cwiki.apache.org/confluence/pages/viewpage.action?pageId=323488155
> Your comments and suggestions are greatly appreciated.
>
> Thanks,
> Abhisar