cloudstack-users mailing list archives

From Prasanna Santhanam <>
Subject Re: registerUserKeys API
Date Wed, 06 Jun 2012 08:28:38 GMT

> Several questions regarding the "registerUserKeys" API:
> 1. Only the ROOT admin has access to it. In a public cloud, it does not
> make sense for the ROOT admin to create keys for every user in every
> domain. The responsibility should go to domain admins. Is there a plan to
> give domain admin access to the API?

I agree. Once an admin has created an account for a tenant he/she
should be able to alter the keys for his/her account. These keys are
necessarily resources belonging to a user and less to do with the
admin of the cloud/domain-admin of the domain. Perhaps we should make
the API user level.

> 2. The API simply takes user id as parameter. It does not take into account
> whether the user already has a key or not. User's key will be overwritten
> if he/she already has one. Should we change the API a little bit to take
> this into account?

Yes - again. I think we shouldn't disturb keys that already exist.
Overwriting them without warning is going to break the integration the
user has put in to his client side code.

Also - it would be nicer to have the API accept the account name and
the name of the user in that account. 


> 3. You can actually generate a key for the internal "system" user (with
> id=0). It might cause some issues if "system" is meant to be an internal
> user only. Is there a valid use case for system user to use its API key? If
> not, it should be blocked.

Can't think of a use case. But since the listUser API is admin only
there's going to be no way for non-admin users to see those keys. If
the above two enhancements do happen this should be blocked.
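
The three changes discussed in this thread, sketched as one authorization check. This is an added example, not part of the original message and not CloudStack code: the `User` model, the role labels, the domain-path strings, the `regenerate` opt-in and the sample users are all assumptions made for illustration.

```python
import secrets
from dataclasses import dataclass
from typing import Optional

SYSTEM_USER_ID = 0  # the internal "system" user from point 3 of the thread

class KeyPolicyError(PermissionError): pass

@dataclass
class User:
    id: int
    name: str
    account: str
    domain: str   # hypothetical path form, e.g. "/ROOT/acme"
    role: str     # hypothetical labels: "root-admin", "domain-admin", "user"
    api_key: Optional[str] = None
    secret_key: Optional[str] = None

# Constructed sample users (not taken from the thread).
USERS = [
    User(0, "system", "system", "/ROOT", "user"),
    User(2, "admin", "admin", "/ROOT", "root-admin"),
    User(10, "dadmin", "acme", "/ROOT/acme", "domain-admin"),
    User(11, "alice", "acme", "/ROOT/acme", "user"),
    User(12, "bob", "other", "/ROOT/other", "user"),
]

def find_user(account, name, users=USERS):
    # Address the target by account name + user name rather than a raw id.
    matches = [u for u in users if u.account == account and u.name == name]
    if len(matches) != 1:
        raise KeyPolicyError("no unique user for that account/name")
    return matches[0]

def may_manage_keys(caller, target):
    if caller.role == "root-admin" or caller.id == target.id:
        return True  # point 1: users manage their own keys
    # Domain admins: target must be in their domain or a sub-domain.
    return (caller.role == "domain-admin"
            and (target.domain + "/").startswith(caller.domain + "/"))

def register_user_keys(caller, target, regenerate=False):
    if target.id == SYSTEM_USER_ID:
        raise KeyPolicyError("system user cannot hold API keys")  # point 3
    if not may_manage_keys(caller, target):
        raise KeyPolicyError("caller may not manage keys for this user")
    if target.api_key is not None and not regenerate:  # point 2: no silent overwrite
        raise KeyPolicyError("keys exist; pass regenerate=True to replace them")
    target.api_key = secrets.token_urlsafe(64)
    target.secret_key = secrets.token_urlsafe(64)
    return target.api_key, target.secret_key
```

The system-user check runs before the role check, so even the root admin is refused for id 0.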

