Disable API Key Access for users, accounts and domains

[abh1sar]

Description

This PR implements the feature which give Root Admin the ability to Disable Api-key/Secret-key access at different granularities (User/Account/Domain/Global)
Spec : https://cwiki.apache.org/confluence/pages/viewpage.action?pageId=323488155
Doc PR : apache/cloudstack-documentation#446

Types of changes

• Breaking change (fix or feature that would cause existing functionality to change)
• New feature (non-breaking change which adds functionality)
• Bug fix (non-breaking change which fixes an issue)
• Enhancement (improves an existing feature and functionality)
• Cleanup (Code refactoring and cleanup, that may add test cases)
• build/CI
• test (unit or integration test code)

Feature/Enhancement Scale or Bug Severity

Feature/Enhancement Scale

• Major
• Minor

Bug Severity

• BLOCKER
• Critical
• Major
• Minor
• Trivial

Screenshots (if appropriate):

Edit form :

User view :

Event logging :

How Has This Been Tested?

1. Local value should always take precedence unless it is set to Inherit.
   Tested the following matrix. Result denotes if Api key access was allowed for the User or not.

User	Account	Domain	Global	Result
Inherit	Inherit	Inherit	Enabled	Enabled
Inherit	Inherit	Inherit	Disabled	Disabled
Inherit	Inherit	Enabled	Disabled	Enabled
Inherit	Disabled	Enabled	Enabled	Disabled
Disabled	Enabled	Enabled	Enabled	Disabled
Enabled	Inherit	Inherit	Disabled	Enabled

2. Tested that apikeyaccess parameter in updateUser, updateAccount, listUsers and listAccounts is not shown to anyone else apart from the Root Admin.

3. Tested that api.key.access configuration is not editable by the domain admin.

How did you try to break this feature and the system with this change?

[codecov]

Codecov Report

Attention: Patch coverage is 25.73840% with 176 lines in your changes missing coverage. Please review.

Project coverage is 15.82%. Comparing base (046870e) to head (a9805b5).
Report is 23 commits behind head on main.

Files with missing lines	Patch %	Lines
...com/cloud/network/vpn/Site2SiteVpnManagerImpl.java	0.00%	48 Missing ⚠️
server/src/main/java/com/cloud/api/ApiServer.java	22.72%	17 Missing ⚠️
...c/main/java/com/cloud/user/dao/AccountDaoImpl.java	0.00%	14 Missing ⚠️
.../cloud/configuration/ConfigurationManagerImpl.java	0.00%	13 Missing ⚠️
...ain/java/com/cloud/api/query/QueryManagerImpl.java	47.82%	7 Missing and 5 partials ⚠️
...c/main/java/com/cloud/user/AccountManagerImpl.java	75.00%	6 Missing and 4 partials ⚠️
...n/java/org/apache/cloudstack/api/ApiConstants.java	47.05%	9 Missing ⚠️
...ne/schema/src/main/java/com/cloud/user/UserVO.java	0.00%	6 Missing ⚠️
...ck/api/command/admin/account/UpdateAccountCmd.java	0.00%	5 Missing ⚠️
...loudstack/api/command/admin/user/ListUsersCmd.java	0.00%	5 Missing ⚠️
... and 12 more

Additional details and impacted files

@@             Coverage Diff              @@
##               main    #9741      +/-   ##
============================================
+ Coverage     15.78%   15.82%   +0.03%     
- Complexity    12552    12587      +35     
============================================
  Files          5625     5628       +3     
  Lines        491972   492483     +511     
  Branches      63764    60018    -3746     
============================================
+ Hits          77664    77912     +248     
- Misses       405849   406059     +210     
- Partials       8459     8512      +53     

Flag	Coverage Δ
uitests	4.03% <ø> (-0.01%)	⬇️
unittests	16.64% <25.73%> (+0.03%)	⬆️

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

[weizhouapache]

maybe define a constant "System" somewhere

[abh1sar]

Done.

[weizhouapache]

is it targetted 4.20.1 ?

[abh1sar]

Yes, is that ok?

[abh1sar]

@blueorangutan package

[blueorangutan]

@abh1sar a [SL] Jenkins job has been kicked to build packages. It will be bundled with KVM, XenServer and VMware SystemVM templates. I'll keep you posted as I make progress.

[blueorangutan]

Packaging result [SF]: ✔️ el8 ✔️ el9 ✔️ debian ✔️ suse15. SL-JID 11245

[abh1sar]

@blueorangutan test

[blueorangutan]

@abh1sar a [SL] Trillian-Jenkins test job (ol8 mgmt + kvm-ol8) has been kicked to run smoke tests

[sureshanaparti]

use IDEMPOTENT_ADD_COLUMN call to add columns

[abh1sar]

done

[sureshanaparti]

Suggested change

	"Determines whether API (api-key/secret-key) access is allowed or not. Editable only by Root Admin.",
	"Determines whether API (api-key/secret-key) access is allowed or not.",

[abh1sar]

This setting is visible to domain admin, but editable only by root admin.
When they try to edit it, the Domain admin gets a generic error : "There was an error saving this setting. Please try again later"
I thought it might get confusing to the domain admin, that's why I added the info about root admin only being able to edit it.
I can remove it if you still think it is not required.

[sureshanaparti]

Suggested change

	throw new CloudRuntimeException("Only Root Admin is allowed to edit this configuration.");
	throw new CloudRuntimeException("You are not allowed to update this configuration.");

better not to indicate in the msg about who has permissions

[abh1sar]

Same as above.

[abh1sar]

@blueorangutan package

[blueorangutan]

@abh1sar a [SL] Jenkins job has been kicked to build packages. It will be bundled with KVM, XenServer and VMware SystemVM templates. I'll keep you posted as I make progress.

[blueorangutan]

Packaging result [SF]: ✖️ el8 ✖️ el9 ✖️ debian ✖️ suse15. SL-JID 11361

[harikrishna-patnala]

new event changes LGTM

[abh1sar]

@blueorangutan package

[blueorangutan]

@abh1sar a [SL] Jenkins job has been kicked to build packages. It will be bundled with KVM, XenServer and VMware SystemVM templates. I'll keep you posted as I make progress.

[blueorangutan]

Packaging result [SF]: ✔️ el8 ✔️ el9 ✔️ debian ✔️ suse15. SL-JID 11363

[blueorangutan]

@abh1sar a [SL] Jenkins job has been kicked to build packages. It will be bundled with KVM, XenServer and VMware SystemVM templates. I'll keep you posted as I make progress.

[blueorangutan]

Packaging result [SF]: ✖️ el8 ✖️ el9 ✖️ debian ✖️ suse15. SL-JID 11370

[abh1sar]

@blueorangutan package

[blueorangutan]

@abh1sar a [SL] Jenkins job has been kicked to build packages. It will be bundled with KVM, XenServer and VMware SystemVM templates. I'll keep you posted as I make progress.

[blueorangutan]

Packaging result [SF]: ✔️ el8 ✔️ el9 ✔️ debian ✔️ suse15. SL-JID 11372

[abh1sar]

@blueorangutan test matrix

[blueorangutan]

@abh1sar a [SL] Trillian-Jenkins matrix job (EL8 mgmt + EL8 KVM, Ubuntu22 mgmt + Ubuntu22 KVM, EL8 mgmt + VMware 7.0u3, EL9 mgmt + XCP-ng 8.2 ) has been kicked to run smoke tests

[abh1sar]

@blueorangutan package

[blueorangutan]

@abh1sar a [SL] Jenkins job has been kicked to build packages. It will be bundled with KVM, XenServer and VMware SystemVM templates. I'll keep you posted as I make progress.

[blueorangutan]

Packaging result [SF]: ✔️ el8 ✔️ el9 ✔️ debian ✔️ suse15. SL-JID 11377

[blueorangutan]

[SF] Trillian test result (tid-11678)
Environment: kvm-ubuntu22 (x2), Advanced Networking with Mgmt server u22
Total time taken: 53707 seconds
Marvin logs: https://github.com/blueorangutan/acs-prs/releases/download/trillian/pr9741-t11678-kvm-ubuntu22.zip
Smoke tests completed. 141 look OK, 0 have errors, 0 did not run
Only failed and skipped tests results shown below:

Test	Result	Time (s)	Test File

[blueorangutan]

[SF] Trillian test result (tid-11677)
Environment: kvm-ol8 (x2), Advanced Networking with Mgmt server ol8
Total time taken: 53373 seconds
Marvin logs: https://github.com/blueorangutan/acs-prs/releases/download/trillian/pr9741-t11677-kvm-ol8.zip
Smoke tests completed. 140 look OK, 1 have errors, 0 did not run
Only failed and skipped tests results shown below:

Test	Result	Time (s)	Test File
test_03_secured_to_nonsecured_vm_migration	Error	372.43	test_vm_life_cycle.py