Commit 2ed12e4

Disable API Key Access for users, accounts and domains (#446)
* Disabling Api Key Based authentication
* updated user edit screenshot after ui changes
1 parent 68efa6b commit 2ed12e4

3 files changed

+73
-0
lines changed


source/adminguide/accounts.rst

Lines changed: 73 additions & 0 deletions
@@ -884,3 +884,76 @@ password for a user:
884884

885885
.. figure:: /_static/images/reset-password.png
886886
:align: center
887+
888+
Using API Key and Secret Key based Authentication
889+
-------------------------------------------------
890+
Users can generate API key and Secret key to directly access CloudStack APIs.
891+
This authenctication method is used for programatically calling CloudStack APIs and thus helps in automation.
892+
The API key uniquely identifies the Account, while the Secret key is used to generate a secure singnature.
893+
When making an API call, the API key and signature are included along with the command and other parameters,
894+
and sent to the CloudStack API endpoint. For detailed information, refer to the CloudStack's Programmer Guide.
895+
896+
Disabling Api Key and Secret Key based Access
897+
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
898+
Root Administrators may choose to Disable Api key based access for certain Users, Accounts or Domains.
899+
Or the Administrator may choose to Disable Api Key based access globally and allow only for certain users.
900+
This could be particularly useful in cases where external authorization mechanisms like LDAP, SAML or OAuth2 are used,
901+
as then Api key based authorization is the only means for automation.
902+
This gives control to the Admin over who is allowed to run automation.
903+
904+
Api key based access is enabled by default but it can be disabled (or enabled) at different granularities:
905+
906+
1. Users
907+
908+
Setting for a User can be changed through the Api Key Access field in the Edit User form, visible only to the Root Administrator.
909+
Three values are possible: Disable, Enable and Inherit. Inherit means that the User will inherit whatever value is set for the Account.
910+
911+
.. figure:: /_static/images/edit-user-api-key-access.png
912+
:align: center
913+
914+
Admins can also search for Users having the required Api key access value using the User list view search filter.
915+
916+
.. figure:: /_static/images/filter-user-api-key-access.png
917+
:align: center
918+
919+
2. Accounts
920+
921+
Similar to Users, Api Key Access field is present in the Edit Account Form and the Account list view search filter, only for the Root Administrator.
922+
If the value is set to Inherit, it means that Account will inherit whatever value is set for the Domain.
923+
924+
3. Domains
925+
926+
Api Key Access at Domain level is controlled by the Domain level setting "api.key.access". If the Domain level
927+
configuration is not set, then similar to other configurations it will consult the global value.
928+
929+
4. Global
930+
931+
The global value of the configuration setting "api.key.access" is set to 'True' by default. So Api Key Access at
932+
all levels is enabled by default. If the global value is changed to 'False' without setting any of the lower levels,
933+
then Api Key Access will be disabled for all Users.
934+
935+
Order of Precedence
936+
^^^^^^^^^^^^^^^^^^^
937+
The local value always takes precedence over the global value. So if Api key access is disabled for a User but
938+
enabled for an Account, the User authorisation will still fail. Only if the User's Api key access is set to
939+
'Inherit', the Account's Api Key Access value is considered.
940+
Similarly if Account's Api Key Access is set to 'Inherit', only then the Domain level setting is considered,
941+
And only if the Domain level configuration is not set, the Global configuration is considered.
942+
943+
Examples
944+
^^^^^^^^
945+
946+
#. Disallow Api key access for all Accounts and Users in a Domain.
947+
948+
#. Leave all User and Account level Api Key Access values to the default 'Inherit'.
949+
#. Set the Domain level setting "api.key.access" to False only for the required domain.
950+
951+
#. Disallow Api key access for some Users, but allowed globally.
952+
953+
#. Set the User level permission to ‘Disabled’ only for the required Users.
954+
#. All upper level permissions should either be Inherit or Enabled.
955+
956+
#. Allow Api key access to some Users, but disallowed globally.
957+
958+
#. Set User level permission to ‘Enabled’ only for the required Users.
959+
#. All upper level permissions should either be Inherit or Disabled.
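Review bot: The allowed values for the per-User and per-Account setting are given two different spellings in this hunk: "Disable, Enable and Inherit" at line 909, but ‘Disabled’ / ‘Enabled’ (with curly quotes) in the Examples at lines 953, 954, 958 and 959. Pick the spelling the UI field actually shows and use it consistently, since admins will search the list view filter for that exact value. Same hunk, spelling: "authenctication" and "programatically" at line 891 and "singnature" at line 892 should be "authentication", "programmatically" and "signature"; "Api" should be "API" throughout to match the rest of the guide, and line 941 starts a clause with a capital "And" after a comma. Line 900-901 says LDAP, SAML and OAuth2 are "external authorization mechanisms" and then speaks of "Api key based authorization"; these are authentication mechanisms, and the point the paragraph is making is that when users log in through SAML or OAuth2 there is no password to script against, so the API key is the only credential usable for automation and this setting is what lets the admin decide who gets one. Rewording it that way would also make the precedence section easier to follow. In the Examples block (lines 946-959), if the sub-steps are meant to be nested under each numbered scenario, they need to be indented under their parent `#.` item; at the same indentation level RST renders one flat auto-numbered list of nine items. Finally, the Order of Precedence section says an API call "will still fail" when access is disabled; it would help operators to state whether previously generated keys remain stored (and can be re-enabled later) or are revoked, and what error the API returns, so that a failing automation job can be diagnosed as a policy decision rather than a bad signature.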
