Disable API Key Access for users, accounts and domains

[abh1sar]

Description

This PR implements the feature which give Root Admin the ability to Disable Api-key/Secret-key access at different granularities (User/Account/Domain/Global)
Spec : https://cwiki.apache.org/confluence/pages/viewpage.action?pageId=323488155

Types of changes

• Breaking change (fix or feature that would cause existing functionality to change)
• New feature (non-breaking change which adds functionality)
• Bug fix (non-breaking change which fixes an issue)
• Enhancement (improves an existing feature and functionality)
• Cleanup (Code refactoring and cleanup, that may add test cases)
• build/CI
• test (unit or integration test code)

Feature/Enhancement Scale or Bug Severity

Feature/Enhancement Scale

• Major
• Minor

Bug Severity

• BLOCKER
• Critical
• Major
• Minor
• Trivial

Screenshots (if appropriate):

How Has This Been Tested?

1. Local value should always take precedence unless it is set to Inherit.
   Tested the following matrix. Result denotes if Api key access was allowed for the User or not.

User	Account	Domain	Global	Result
Inherit	Inherit	Inherit	Enabled	Enabled
Inherit	Inherit	Inherit	Disabled	Disabled
Inherit	Inherit	Enabled	Disabled	Enabled
Inherit	Disabled	Enabled	Enabled	Disabled
Disabled	Enabled	Enabled	Enabled	Disabled
Enabled	Inherit	Inherit	Disabled	Enabled

2. Tested that apikeyaccess parameter in updateUser, updateAccount, listUsers and listAccounts is not shown to anyone else apart from the Root Admin.

3. Tested that api.key.access configuration is not editable by the domain admin.

How did you try to break this feature and the system with this change?

[codecov]

Codecov Report

Attention: Patch coverage is 44.52555% with 76 lines in your changes missing coverage. Please review.

Project coverage is 15.82%. Comparing base (c159471) to head (113c700).
Report is 7 commits behind head on main.

Files with missing lines	Patch %	Lines
...c/main/java/com/cloud/user/dao/AccountDaoImpl.java	0.00%	14 Missing ⚠️
...n/java/org/apache/cloudstack/api/ApiConstants.java	47.05%	9 Missing ⚠️
...ain/java/com/cloud/api/query/QueryManagerImpl.java	60.86%	5 Missing and 4 partials ⚠️
...ne/schema/src/main/java/com/cloud/user/UserVO.java	0.00%	6 Missing ⚠️
...schema/src/main/java/com/cloud/user/AccountVO.java	16.66%	5 Missing ⚠️
server/src/main/java/com/cloud/api/ApiServer.java	76.19%	4 Missing and 1 partial ⚠️
...ck/api/command/admin/account/UpdateAccountCmd.java	0.00%	3 Missing ⚠️
...loudstack/api/command/admin/user/ListUsersCmd.java	0.00%	3 Missing ⚠️
...oudstack/api/command/admin/user/UpdateUserCmd.java	0.00%	3 Missing ⚠️
...tack/api/command/user/account/ListAccountsCmd.java	0.00%	3 Missing ⚠️
... and 7 more

Additional details and impacted files

@@             Coverage Diff              @@
##              main    #9741       +/-   ##
============================================
+ Coverage     4.03%   15.82%   +11.78%     
- Complexity       0    12572    +12572     
============================================
  Files          392     5626     +5234     
  Lines        32157   492174   +460017     
  Branches      5673    60349    +54676     
============================================
+ Hits          1299    77862    +76563     
- Misses       30710   405816   +375106     
- Partials       148     8496     +8348     

Flag	Coverage Δ
uitests	4.03% <ø> (-0.01%)	⬇️
unittests	16.64% <44.52%> (?)

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

[weizhouapache]

maybe define a constant "System" somewhere

[abh1sar]

Done.

[weizhouapache]

is it targetted 4.20.1 ?

[abh1sar]

Yes, is that ok?

[abh1sar]

@blueorangutan package

[blueorangutan]

@abh1sar a [SL] Jenkins job has been kicked to build packages. It will be bundled with KVM, XenServer and VMware SystemVM templates. I'll keep you posted as I make progress.

[blueorangutan]

Packaging result [SF]: ✔️ el8 ✔️ el9 ✔️ debian ✔️ suse15. SL-JID 11245

[abh1sar]

@blueorangutan test

[blueorangutan]

@abh1sar a [SL] Trillian-Jenkins test job (ol8 mgmt + kvm-ol8) has been kicked to run smoke tests

[sureshanaparti]

use IDEMPOTENT_ADD_COLUMN call to add columns

[abh1sar]

done

[sureshanaparti]

Suggested change

	"Determines whether API (api-key/secret-key) access is allowed or not. Editable only by Root Admin.",
	"Determines whether API (api-key/secret-key) access is allowed or not.",

[abh1sar]

This setting is visible to domain admin, but editable only by root admin.
When they try to edit it, the Domain admin gets a generic error : "There was an error saving this setting. Please try again later"
I thought it might get confusing to the domain admin, that's why I added the info about root admin only being able to edit it.
I can remove it if you still think it is not required.

[sureshanaparti]

Suggested change

	throw new CloudRuntimeException("Only Root Admin is allowed to edit this configuration.");
	throw new CloudRuntimeException("You are not allowed to update this configuration.");

better not to indicate in the msg about who has permissions

[abh1sar]

Same as above.

[sureshanaparti]

targeted for 4.20.1? add these changes in engine/schema/src/main/resources/META-INF/db/schema-42000to42010.sql

[abh1sar]

Will create the new schema file once 4.20.0 is cut. Keeping this PR in draft until then

[blueorangutan]

[SF] Trillian test result (tid-11585)
Environment: kvm-ol8 (x2), Advanced Networking with Mgmt server ol8
Total time taken: 49512 seconds
Marvin logs: https://github.com/blueorangutan/acs-prs/releases/download/trillian/pr9741-t11585-kvm-ol8.zip
Smoke tests completed. 141 look OK, 0 have errors, 0 did not run
Only failed and skipped tests results shown below:

Test	Result	Time (s)	Test File