Disable API Key Access for users, accounts and domains

api/src/main/java/com/cloud/event/EventTypes.java

@@ -292,6 +292,7 @@ public class EventTypes {
 
     //register for user API and secret keys
     public static final String EVENT_REGISTER_FOR_SECRET_API_KEY = "REGISTER.USER.KEY";
+    public static final String API_KEY_ACCESS_UPDATE = "API.KEY.ACCESS.UPDATE";
 
     // Template Events
     public static final String EVENT_TEMPLATE_CREATE = "TEMPLATE.CREATE";

api/src/main/java/com/cloud/user/Account.java

@@ -93,4 +93,8 @@ public static Type getFromValue(Integer type){
 
     boolean isDefault();
 
+    public void setApiKeyAccess(Boolean apiKeyAccess);
+
+    public Boolean getApiKeyAccess();
+
 }

api/src/main/java/com/cloud/user/AccountService.java

@@ -19,6 +19,7 @@
 import java.util.List;
 import java.util.Map;
 
+import com.cloud.utils.Pair;
 import org.apache.cloudstack.acl.ControlledEntity;
 import org.apache.cloudstack.acl.RoleType;
 import org.apache.cloudstack.acl.SecurityChecker.AccessType;
@@ -127,9 +128,9 @@ User createUser(String userName, String password, String firstName, String lastN
      */
     UserAccount getUserAccountById(Long userId);
 
-    public Map<String, String> getKeys(GetUserKeysCmd cmd);
+    public Pair<Boolean, Map<String, String>> getKeys(GetUserKeysCmd cmd);
 
-    public Map<String, String> getKeys(Long userId);
+    public Pair<Boolean, Map<String, String>> getKeys(Long userId);
 
     /**
      * Lists user two-factor authentication provider plugins

api/src/main/java/com/cloud/user/User.java

@@ -94,4 +94,9 @@ public enum Source {
     public boolean isUser2faEnabled();
 
     public String getKeyFor2fa();
+
+    public void setApiKeyAccess(Boolean apiKeyAccess);
+
+    public Boolean getApiKeyAccess();
+
 }

api/src/main/java/org/apache/cloudstack/api/ApiConstants.java

@@ -35,6 +35,7 @@
     public static final String ALLOW_USER_FORCE_STOP_VM = "allowuserforcestopvm";
     public static final String ANNOTATION = "annotation";
     public static final String API_KEY = "apikey";
+    public static final String API_KEY_ACCESS = "apikeyaccess";
     public static final String ARCHIVED = "archived";
     public static final String ARCH = "arch";
     public static final String AS_NUMBER = "asnumber";
@@ -1247,4 +1248,30 @@
     public enum DomainDetails {
         all, resource, min;
     }
+
+    public enum ApiKeyAccess {
+        DISABLED(false),
+        ENABLED(true),
+        INHERIT(null);
+
+        Boolean apiKeyAccess;
+
+        ApiKeyAccess(Boolean keyAccess) {
+            apiKeyAccess = keyAccess;
+        }
+
+        public Boolean toBoolean() {
+            return apiKeyAccess;
+        }
+
+        public static ApiKeyAccess fromBoolean(Boolean value) {
+            if (value == null) {
+                return INHERIT;
+            } else if (value) {
+                return ENABLED;
+            } else {
+                return DISABLED;
+            }
+        }
+    }
 }

api/src/main/java/org/apache/cloudstack/api/command/admin/account/UpdateAccountCmd.java

@@ -21,7 +21,9 @@
 
 import javax.inject.Inject;
 
+import org.apache.cloudstack.acl.RoleType;
 import org.apache.cloudstack.api.ApiCommandResourceType;
+import org.apache.cloudstack.api.command.user.UserCmd;
 import org.apache.cloudstack.api.response.RoleResponse;
 
 import org.apache.cloudstack.acl.SecurityChecker.AccessType;
@@ -40,8 +42,8 @@
 import com.cloud.user.Account;
 
 @APICommand(name = "updateAccount", description = "Updates account information for the authenticated user", responseObject = AccountResponse.class, entityType = {Account.class},
-        requestHasSensitiveInfo = false, responseHasSensitiveInfo = true)
-public class UpdateAccountCmd extends BaseCmd {
+        responseView = ResponseView.Restricted, requestHasSensitiveInfo = false, responseHasSensitiveInfo = true)
+public class UpdateAccountCmd extends BaseCmd implements UserCmd {
 
     /////////////////////////////////////////////////////
     //////////////// API parameters /////////////////////
@@ -70,6 +72,9 @@
     @Parameter(name = ApiConstants.ACCOUNT_DETAILS, type = CommandType.MAP, description = "Details for the account used to store specific parameters")
     private Map details;
 
+    @Parameter(name = ApiConstants.API_KEY_ACCESS, type = CommandType.STRING, description = "Determines if Api key access for this user is enabled, disabled or inherits the value from its parent, the domain level setting api.key.access", since = "4.20.1.0", authorized = {RoleType.Admin})
+    private String apiKeyAccess;
+
     @Inject
     RegionService _regionService;
 
@@ -109,6 +114,10 @@
         return params;
     }
 
+    public String getApiKeyAccess() {
+        return apiKeyAccess;
+    }
+
     /////////////////////////////////////////////////////
     /////////////// API Implementation///////////////////
     /////////////////////////////////////////////////////
@@ -131,7 +140,7 @@
     public void execute() {
         Account result = _regionService.updateAccount(this);
         if (result != null){
-            AccountResponse response = _responseGenerator.createAccountResponse(ResponseView.Full, result);
+            AccountResponse response = _responseGenerator.createAccountResponse(getResponseView(), result);
             response.setResponseName(getCommandName());
             setResponseObject(response);
         } else {

api/src/main/java/org/apache/cloudstack/api/command/admin/user/GetUserKeysCmd.java

@@ -20,6 +20,7 @@
 
 import com.cloud.user.Account;
 import com.cloud.user.User;
+import com.cloud.utils.Pair;
 import org.apache.cloudstack.acl.RoleType;
 import org.apache.cloudstack.api.APICommand;
 import org.apache.cloudstack.api.ApiConstants;
@@ -54,11 +55,13 @@
         else return Account.ACCOUNT_ID_SYSTEM;
     }
     public void execute(){
-        Map<String, String> keys = _accountService.getKeys(this);
+        Pair<Boolean, Map<String, String>> keys = _accountService.getKeys(this);
+
         RegisterResponse response = new RegisterResponse();
         if(keys != null){
-            response.setApiKey(keys.get("apikey"));
-            response.setSecretKey(keys.get("secretkey"));
+            response.setApiKeyAccess(keys.first());
+            response.setApiKey(keys.second().get("apikey"));
+            response.setSecretKey(keys.second().get("secretkey"));
         }
 
         response.setObjectName("userkeys");

api/src/main/java/org/apache/cloudstack/api/command/admin/user/ListUsersCmd.java

@@ -19,20 +19,23 @@
 import com.cloud.server.ResourceIcon;
 import com.cloud.server.ResourceTag;
 import com.cloud.user.Account;
+import org.apache.cloudstack.acl.RoleType;
+import org.apache.cloudstack.api.command.user.UserCmd;
 import org.apache.cloudstack.api.response.ResourceIconResponse;
 
 import org.apache.cloudstack.api.APICommand;
 import org.apache.cloudstack.api.ApiConstants;
 import org.apache.cloudstack.api.BaseListAccountResourcesCmd;
 import org.apache.cloudstack.api.Parameter;
+import org.apache.cloudstack.api.ResponseObject.ResponseView;
 import org.apache.cloudstack.api.response.ListResponse;
 import org.apache.cloudstack.api.response.UserResponse;
 
 import java.util.List;
 
 @APICommand(name = "listUsers", description = "Lists user accounts", responseObject = UserResponse.class,
-        requestHasSensitiveInfo = false, responseHasSensitiveInfo = true)
-public class ListUsersCmd extends BaseListAccountResourcesCmd {
+        responseView = ResponseView.Restricted, requestHasSensitiveInfo = false, responseHasSensitiveInfo = true)
+public class ListUsersCmd extends BaseListAccountResourcesCmd implements UserCmd {
 
 
     /////////////////////////////////////////////////////
@@ -53,6 +56,9 @@
     @Parameter(name = ApiConstants.USERNAME, type = CommandType.STRING, description = "List user by the username")
     private String username;
 
+    @Parameter(name = ApiConstants.API_KEY_ACCESS, type = CommandType.STRING, description = "List users by the Api key access value", since = "4.20.1.0", authorized = {RoleType.Admin})
+    private String apiKeyAccess;
+
     @Parameter(name = ApiConstants.SHOW_RESOURCE_ICON, type = CommandType.BOOLEAN,
             description = "flag to display the resource icon for users")
     private Boolean showIcon;
@@ -77,6 +83,10 @@
         return username;
     }
 
+    public String getApiKeyAccess() {
+        return apiKeyAccess;
+    }
+
     public Boolean getShowIcon() {
         return showIcon != null ? showIcon : false;
     }
@@ -87,7 +97,7 @@
 
     @Override
     public void execute() {
-        ListResponse<UserResponse> response = _queryService.searchForUsers(this);
+        ListResponse<UserResponse> response = _queryService.searchForUsers(getResponseView(), this);
         response.setResponseName(getCommandName());
         this.setResponseObject(response);
         if (response != null && response.getCount() > 0 && getShowIcon()) {

api/src/main/java/org/apache/cloudstack/api/command/admin/user/UpdateUserCmd.java

@@ -18,6 +18,7 @@
 
 import javax.inject.Inject;
 
+import org.apache.cloudstack.acl.RoleType;
 import org.apache.cloudstack.api.APICommand;
 import org.apache.cloudstack.api.ApiCommandResourceType;
 import org.apache.cloudstack.api.ApiConstants;
@@ -69,6 +70,9 @@
     @Parameter(name = ApiConstants.USER_SECRET_KEY, type = CommandType.STRING, description = "The secret key for the user. Must be specified with userApiKey")
     private String secretKey;
 
+    @Parameter(name = ApiConstants.API_KEY_ACCESS, type = CommandType.STRING, description = "Determines if Api key access for this user is enabled, disabled or inherits the value from its parent, the owning account", since = "4.20.1.0", authorized = {RoleType.Admin})
+    private String apiKeyAccess;
+
     @Parameter(name = ApiConstants.TIMEZONE,
             type = CommandType.STRING,
             description = "Specifies a timezone for this command. For more information on the timezone parameter, see Time Zone Format.")
@@ -120,6 +124,10 @@
         return secretKey;
     }
 
+    public String getApiKeyAccess() {
+        return apiKeyAccess;
+    }
+
     public String getTimezone() {
         return timezone;
     }

api/src/main/java/org/apache/cloudstack/api/command/user/account/ListAccountsCmd.java

@@ -20,6 +20,7 @@
 import java.util.EnumSet;
 import java.util.List;
 
+import org.apache.cloudstack.acl.RoleType;
 import org.apache.cloudstack.api.APICommand;
 import org.apache.cloudstack.api.ApiCommandResourceType;
 import org.apache.cloudstack.api.ApiConstants;
@@ -70,6 +71,9 @@
                description = "comma separated list of account details requested, value can be a list of [ all, resource, min]")
     private List<String> viewDetails;
 
+    @Parameter(name = ApiConstants.API_KEY_ACCESS, type = CommandType.STRING, description = "List accounts by the Api key access value", since = "4.20.1.0", authorized = {RoleType.Admin})
+    private String apiKeyAccess;
+
     @Parameter(name = ApiConstants.SHOW_RESOURCE_ICON, type = CommandType.BOOLEAN,
             description = "flag to display the resource icon for accounts")
     private Boolean showIcon;
@@ -120,6 +124,10 @@
         return dv;
     }
 
+    public String getApiKeyAccess() {
+        return apiKeyAccess;
+    }
+
     public boolean getShowIcon() {
         return showIcon != null ? showIcon : false;
     }

api/src/main/java/org/apache/cloudstack/api/response/AccountResponse.java

@@ -271,6 +271,10 @@
     @Param(description = "The tagged resource limit and count for the account", since = "4.20.0")
     List<TaggedResourceLimitAndCountResponse> taggedResources;
 
+    @SerializedName(ApiConstants.API_KEY_ACCESS)
+    @Param(description = "whether api key access is Enabled, Disabled or set to Inherit (it inherits the value from the parent)", since = "4.20.1.0")
+    ApiConstants.ApiKeyAccess apiKeyAccess;
+
     @Override
     public String getObjectId() {
         return id;
@@ -554,4 +558,8 @@
     public void setTaggedResourceLimitsAndCounts(List<TaggedResourceLimitAndCountResponse> taggedResourceLimitsAndCounts) {
         this.taggedResources = taggedResourceLimitsAndCounts;
     }
+
+    public void setApiKeyAccess(Boolean apiKeyAccess) {
+        this.apiKeyAccess = ApiConstants.ApiKeyAccess.fromBoolean(apiKeyAccess);
+    }
 }

api/src/main/java/org/apache/cloudstack/api/response/RegisterResponse.java

@@ -18,19 +18,24 @@
 
 import com.google.gson.annotations.SerializedName;
 
+import org.apache.cloudstack.api.ApiConstants;
 import org.apache.cloudstack.api.BaseResponse;
 
 import com.cloud.serializer.Param;
 
 public class RegisterResponse extends BaseResponse {
-    @SerializedName("apikey")
+    @SerializedName(ApiConstants.API_KEY)
     @Param(description = "the api key of the registered user", isSensitive = true)
     private String apiKey;
 
-    @SerializedName("secretkey")
+    @SerializedName(ApiConstants.SECRET_KEY)
     @Param(description = "the secret key of the registered user", isSensitive = true)
     private String secretKey;
 
+    @SerializedName(ApiConstants.API_KEY_ACCESS)
+    @Param(description = "whether api key access is allowed or not", isSensitive = true)
+    private Boolean apiKeyAccess;
+
     public String getApiKey() {
         return apiKey;
     }
@@ -46,4 +51,8 @@
     public void setSecretKey(String secretKey) {
         this.secretKey = secretKey;
     }
+
+    public void setApiKeyAccess(Boolean apiKeyAccess) {
+        this.apiKeyAccess = apiKeyAccess;
+    }
 }

api/src/main/java/org/apache/cloudstack/api/response/UserResponse.java

@@ -128,6 +128,10 @@
     @Param(description = "true if user has two factor authentication is mandated", since = "4.18.0.0")
     private Boolean is2FAmandated;
 
+    @SerializedName(ApiConstants.API_KEY_ACCESS)
+    @Param(description = "whether api key access is Enabled, Disabled or set to Inherit (it inherits the value from the parent)", since = "4.20.1.0")
+    ApiConstants.ApiKeyAccess apiKeyAccess;
+
     @Override
     public String getObjectId() {
         return this.getId();
@@ -309,4 +313,8 @@
     public void set2FAmandated(Boolean is2FAmandated) {
         this.is2FAmandated = is2FAmandated;
     }
+
+    public void setApiKeyAccess(Boolean apiKeyAccess) {
+        this.apiKeyAccess = ApiConstants.ApiKeyAccess.fromBoolean(apiKeyAccess);
+    }
 }

api/src/main/java/org/apache/cloudstack/query/QueryService.java

@@ -19,6 +19,7 @@
 import java.util.List;
 
 import org.apache.cloudstack.affinity.AffinityGroupResponse;
+import org.apache.cloudstack.api.ResponseObject;
 import org.apache.cloudstack.api.command.admin.domain.ListDomainsCmd;
 import org.apache.cloudstack.api.command.admin.host.ListHostTagsCmd;
 import org.apache.cloudstack.api.command.admin.host.ListHostsCmd;
@@ -130,7 +131,7 @@ public interface QueryService {
     ConfigKey<Boolean> ReturnVmStatsOnVmList = new ConfigKey<>("Advanced", Boolean.class, "list.vm.default.details.stats", "true",
             "Determines whether VM stats should be returned when details are not explicitly specified in listVirtualMachines API request. When false, details default to [group, nics, secgrp, tmpl, servoff, diskoff, backoff, iso, volume, min, affgrp]. When true, all details are returned including 'stats'.", true, ConfigKey.Scope.Global);
 
-    ListResponse<UserResponse> searchForUsers(ListUsersCmd cmd) throws PermissionDeniedException;
+    ListResponse<UserResponse> searchForUsers(ResponseObject.ResponseView responseView, ListUsersCmd cmd) throws PermissionDeniedException;
 
     ListResponse<UserResponse> searchForUsers(Long domainId, boolean recursive) throws PermissionDeniedException;
 

engine/schema/src/main/java/com/cloud/upgrade/DatabaseUpgradeChecker.java

@@ -88,6 +88,7 @@
 import com.cloud.upgrade.dao.Upgrade41810to41900;
 import com.cloud.upgrade.dao.Upgrade41900to41910;
 import com.cloud.upgrade.dao.Upgrade41910to42000;
+import com.cloud.upgrade.dao.Upgrade42000to42010;
 import com.cloud.upgrade.dao.Upgrade420to421;
 import com.cloud.upgrade.dao.Upgrade421to430;
 import com.cloud.upgrade.dao.Upgrade430to440;
@@ -230,6 +231,7 @@ public DatabaseUpgradeChecker() {
                 .next("4.18.1.0", new Upgrade41810to41900())
                 .next("4.19.0.0", new Upgrade41900to41910())
                 .next("4.19.1.0", new Upgrade41910to42000())
+                .next("4.20.0.0", new Upgrade42000to42010())
                 .build();
     }