Disable API Key Access for users, accounts and domains #9741
Conversation
Codecov ReportAttention: Patch coverage is
Additional details and impacted files@@ Coverage Diff @@
## 4.20 #9741 +/- ##
============================================
+ Coverage 15.98% 16.01% +0.03%
- Complexity 12753 12776 +23
============================================
Files 5631 5633 +2
Lines 492702 492958 +256
Branches 59737 59769 +32
============================================
+ Hits 78755 78962 +207
- Misses 405219 405230 +11
- Partials 8728 8766 +38
Flags with carried forward coverage won't be shown. Click here to find out more. ☔ View full report in Codecov by Sentry. |
| @@ -955,6 +955,11 @@ public Configuration updateConfiguration(final UpdateCfgCmd cmd) throws InvalidP | |||
| category = config.getCategory(); | |||
| } | |||
|
|
|||
| if ("System".equals(category) && !_accountMgr.isRootAdmin(caller.getId())) { | |||
There was a problem hiding this comment.
maybe define a constant "System" somewhere
| @@ -70,6 +71,9 @@ public class UpdateAccountCmd extends BaseCmd { | |||
| @Parameter(name = ApiConstants.ACCOUNT_DETAILS, type = CommandType.MAP, description = "Details for the account used to store specific parameters") | |||
| private Map details; | |||
|
|
|||
| @Parameter(name = ApiConstants.API_KEY_ACCESS, type = CommandType.STRING, description = "Determines if Api key access for this user is enabled, disabled or inherits the value from its parent, the domain level setting \"api.key.access\"", since = "4.20.1.0", authorized = {RoleType.Admin}) | |||
|
@blueorangutan package |
|
@abh1sar a [SL] Jenkins job has been kicked to build packages. It will be bundled with KVM, XenServer and VMware SystemVM templates. I'll keep you posted as I make progress. |
|
Packaging result [SF]: ✔️ el8 ✔️ el9 ✔️ debian ✔️ suse15. SL-JID 11245 |
|
@blueorangutan test |
|
@abh1sar a [SL] Trillian-Jenkins test job (ol8 mgmt + kvm-ol8) has been kicked to run smoke tests |
| ADD COLUMN `api_key_access` boolean; | ||
|
|
||
| ALTER TABLE `cloud`.`account` | ||
| ADD COLUMN `api_key_access` boolean; |
There was a problem hiding this comment.
use IDEMPOTENT_ADD_COLUMN call to add columns
server/src/main/java/com/cloud/configuration/ConfigurationManagerImpl.java
Show resolved
Hide resolved
| @@ -425,3 +425,9 @@ INSERT IGNORE INTO `cloud`.`guest_os_hypervisor` (uuid, hypervisor_type, hypervi | |||
|
|
|||
| CALL `cloud`.`IDEMPOTENT_ADD_COLUMN`('cloud.vm_instance', 'delete_protection', 'boolean DEFAULT FALSE COMMENT "delete protection for vm" '); | |||
| CALL `cloud`.`IDEMPOTENT_ADD_COLUMN`('cloud.volumes', 'delete_protection', 'boolean DEFAULT FALSE COMMENT "delete protection for volumes" '); | |||
|
|
|||
There was a problem hiding this comment.
targeted for 4.20.1? add these changes in engine/schema/src/main/resources/META-INF/db/schema-42000to42010.sql
There was a problem hiding this comment.
Will create the new schema file once 4.20.0 is cut. Keeping this PR in draft until then
|
@blueorangutan package |
|
@abh1sar a [SL] Jenkins job has been kicked to build packages. It will be bundled with KVM, XenServer and VMware SystemVM templates. I'll keep you posted as I make progress. |
|
Packaging result [SF]: ✔️ el8 ✔️ el9 ✔️ debian ✔️ suse15. SL-JID 11671 |
|
@blueorangutan test matrix |
|
@abh1sar a [SL] Trillian-Jenkins matrix job (EL8 mgmt + EL8 KVM, Ubuntu22 mgmt + Ubuntu22 KVM, EL8 mgmt + VMware 7.0u3, EL9 mgmt + XCP-ng 8.2 ) has been kicked to run smoke tests |
|
This pull request has merge conflicts. Dear author, please fix the conflicts and sync your branch with the base branch. |
|
Added Database upgrade path for 42000to42010. |
|
[SF] Trillian test result (tid-11828)
|
|
[SF] Trillian test result (tid-11827)
|
* cli changes to update user/account, list by apikeyaccess, domain level setting * UI changes for updating user/account and searchfilter in listview * make the api parameters and setting accessible only to root admin * revert changes to ui/package-lock.json * minor changes to description strings * UT for ApiServer and AccountManagerImpl classes * fix pre-commit failure * Added a constant for the string System * UT for searchForUsers and searchForAccounts * Fix marvin test error * Update schema to use idempotent add column * Fix `updateTemplatePermission` when the UI is set to a language other than English (apache#9766) * Fix updateTemplatePermission UI in non-english language * Improve fix --------- Co-authored-by: Lucas Martins <lucas.martins@scclouds.com.br> * Added user name uuid to logging * Add events when api key access is changed via api or config setting * fix the userid for api key access update event * Fix ut failure after event logging * Convert drop down to radio-button in edit user and account * Add ApiKeyAccess status in User InfoCard for Users if Api key is generated * Return apiKeyAccess in user and account response only for Root Admin * fixed noredist build failure * Show apikeyaccess on the left panel in the user view for root admins as well * don't show divider if apiKeyAccess is not shown to user * Fix events generated to set Username, Account and Domain of the caller correctly * cli changes to update user/account, list by apikeyaccess, domain level setting * UI changes for updating user/account and searchfilter in listview * make the api parameters and setting accessible only to root admin * revert changes to ui/package-lock.json * minor changes to description strings * UT for ApiServer and AccountManagerImpl classes * fix pre-commit failure * Added a constant for the string System * UT for searchForUsers and searchForAccounts * Fix marvin test error * Update schema to use idempotent add column * Added user name uuid to logging * Add events when api key access is changed via api or config setting * fix the userid for api key access update event * Fix ut failure after event logging * Convert drop down to radio-button in edit user and account * Add ApiKeyAccess status in User InfoCard for Users if Api key is generated * Return apiKeyAccess in user and account response only for Root Admin * fixed noredist build failure * Show apikeyaccess on the left panel in the user view for root admins as well * don't show divider if apiKeyAccess is not shown to user * Fix events generated to set Username, Account and Domain of the caller correctly * Added DB upgrade path from 42000 to 42010 --------- Co-authored-by: Daan Hoogland <daan@onecht.net> Co-authored-by: Lucas Martins <56271185+lucas-a-martins@users.noreply.github.com> Co-authored-by: Lucas Martins <lucas.martins@scclouds.com.br>
Description
This PR implements the feature which give Root Admin the ability to Disable Api-key/Secret-key access at different granularities (User/Account/Domain/Global)
Spec : https://cwiki.apache.org/confluence/pages/viewpage.action?pageId=323488155
Doc PR : apache/cloudstack-documentation#446
Types of changes
Feature/Enhancement Scale or Bug Severity
Feature/Enhancement Scale
Bug Severity
Screenshots (if appropriate):
Edit form :
User view :
Event logging :
How Has This Been Tested?
Tested the following matrix. Result denotes if Api key access was allowed for the User or not.
Tested that apikeyaccess parameter in updateUser, updateAccount, listUsers and listAccounts is not shown to anyone else apart from the Root Admin.
Tested that api.key.access configuration is not editable by the domain admin.
How did you try to break this feature and the system with this change?