-
Notifications
You must be signed in to change notification settings - Fork 1.1k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Disable API Key Access for users, accounts and domains #9741
base: main
Are you sure you want to change the base?
Conversation
Codecov ReportAttention: Patch coverage is
Additional details and impacted files@@ Coverage Diff @@
## main #9741 +/- ##
============================================
+ Coverage 4.03% 15.82% +11.78%
- Complexity 0 12572 +12572
============================================
Files 392 5626 +5234
Lines 32157 492174 +460017
Branches 5673 60349 +54676
============================================
+ Hits 1299 77862 +76563
- Misses 30710 405816 +375106
- Partials 148 8496 +8348
Flags with carried forward coverage won't be shown. Click here to find out more. ☔ View full report in Codecov by Sentry. |
@@ -955,6 +955,11 @@ public Configuration updateConfiguration(final UpdateCfgCmd cmd) throws InvalidP | |||
category = config.getCategory(); | |||
} | |||
|
|||
if ("System".equals(category) && !_accountMgr.isRootAdmin(caller.getId())) { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
maybe define a constant "System" somewhere
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Done.
@@ -70,6 +71,9 @@ public class UpdateAccountCmd extends BaseCmd { | |||
@Parameter(name = ApiConstants.ACCOUNT_DETAILS, type = CommandType.MAP, description = "Details for the account used to store specific parameters") | |||
private Map details; | |||
|
|||
@Parameter(name = ApiConstants.API_KEY_ACCESS, type = CommandType.STRING, description = "Determines if Api key access for this user is enabled, disabled or inherits the value from its parent, the domain level setting \"api.key.access\"", since = "4.20.1.0", authorized = {RoleType.Admin}) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
is it targetted 4.20.1 ?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Yes, is that ok?
@blueorangutan package |
@abh1sar a [SL] Jenkins job has been kicked to build packages. It will be bundled with KVM, XenServer and VMware SystemVM templates. I'll keep you posted as I make progress. |
Packaging result [SF]: ✔️ el8 ✔️ el9 ✔️ debian ✔️ suse15. SL-JID 11245 |
@blueorangutan test |
@abh1sar a [SL] Trillian-Jenkins test job (ol8 mgmt + kvm-ol8) has been kicked to run smoke tests |
ADD COLUMN `api_key_access` boolean; | ||
|
||
ALTER TABLE `cloud`.`account` | ||
ADD COLUMN `api_key_access` boolean; |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
use IDEMPOTENT_ADD_COLUMN call to add columns
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
done
public static final ConfigKey<Boolean> apiKeyAccess = new ConfigKey<>(ConfigKey.CATEGORY_SYSTEM, Boolean.class, | ||
"api.key.access", | ||
"true", | ||
"Determines whether API (api-key/secret-key) access is allowed or not. Editable only by Root Admin.", |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
"Determines whether API (api-key/secret-key) access is allowed or not. Editable only by Root Admin.", | |
"Determines whether API (api-key/secret-key) access is allowed or not.", |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This setting is visible to domain admin, but editable only by root admin.
When they try to edit it, the Domain admin gets a generic error : "There was an error saving this setting. Please try again later"
I thought it might get confusing to the domain admin, that's why I added the info about root admin only being able to edit it.
I can remove it if you still think it is not required.
@@ -955,6 +956,11 @@ public Configuration updateConfiguration(final UpdateCfgCmd cmd) throws InvalidP | |||
category = config.getCategory(); | |||
} | |||
|
|||
if (CATEGORY_SYSTEM.equals(category) && !_accountMgr.isRootAdmin(caller.getId())) { | |||
logger.warn("Only Root Admin is allowed to edit the configuration " + name); | |||
throw new CloudRuntimeException("Only Root Admin is allowed to edit this configuration."); |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
throw new CloudRuntimeException("Only Root Admin is allowed to edit this configuration."); | |
throw new CloudRuntimeException("You are not allowed to update this configuration."); |
better not to indicate in the msg about who has permissions
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Same as above.
@@ -425,3 +425,9 @@ INSERT IGNORE INTO `cloud`.`guest_os_hypervisor` (uuid, hypervisor_type, hypervi | |||
|
|||
CALL `cloud`.`IDEMPOTENT_ADD_COLUMN`('cloud.vm_instance', 'delete_protection', 'boolean DEFAULT FALSE COMMENT "delete protection for vm" '); | |||
CALL `cloud`.`IDEMPOTENT_ADD_COLUMN`('cloud.volumes', 'delete_protection', 'boolean DEFAULT FALSE COMMENT "delete protection for volumes" '); | |||
|
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
targeted for 4.20.1? add these changes in engine/schema/src/main/resources/META-INF/db/schema-42000to42010.sql
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Will create the new schema file once 4.20.0 is cut. Keeping this PR in draft until then
[SF] Trillian test result (tid-11585)
|
Description
This PR implements the feature which give Root Admin the ability to Disable Api-key/Secret-key access at different granularities (User/Account/Domain/Global)
Spec : https://cwiki.apache.org/confluence/pages/viewpage.action?pageId=323488155
Types of changes
Feature/Enhancement Scale or Bug Severity
Feature/Enhancement Scale
Bug Severity
Screenshots (if appropriate):
How Has This Been Tested?
Tested the following matrix. Result denotes if Api key access was allowed for the User or not.
Tested that apikeyaccess parameter in updateUser, updateAccount, listUsers and listAccounts is not shown to anyone else apart from the Root Admin.
Tested that api.key.access configuration is not editable by the domain admin.
How did you try to break this feature and the system with this change?