GOCDB / gocdb

Grid Operations Configuration Management Database. A Repository, Portal and REST style API for managing Grid and Cloud topology objects including: projects, administrative domains, sites, services, service-endpoints, service-groups, downtimes, users, roles and business rules.
Apache License 2.0

[GT-184] Extend API Credential Management to handle periodic renewal #438

Open gregcorbett opened 1 year ago

gregcorbett commented 1 year ago

As a follow on from #437, we should extend the management of API Credentials to deal with the periodic renewal of credentials.

I.e., the case where somebody has set up a useless periodic API operation, and subsequently stopped needing it, but the access continues indefinitely.

We would want a suitable user of GOCDB to have to say the access is still needed every X months.

I imagine this could be done by renaming the existing ManageAPICredentialsActions functionality warnUsers() to warnUsersOfInactivity() and adding a warnUsersOfRenewal() method. deleteCreds would also have to be similarly reworked.

gregcorbett commented 1 year ago

Alternatively, we could rename the existing scripts to ManageUnusedAPICredentials... and add new scripts that share code along the lines of ManageUnrenewedAPICredentials....

That may be better than having one giant script that does everything.

gregcorbett commented 1 year ago

Alternatively, we could rename the existing scripts to ManageUnusedAPICredentials... and add new scripts that share code along the lines of ManageUnrenewedAPICredentials....

That may be better than having one giant script that does everything.

Looking at the exact implementation of this in #447, a hypothetical ManageUnneededAPICredentials.php script would be very similar to the ManageUnusedAPICredentials.php script - except for using lastRenewTime instead of lastUseTime.

We could have separate scripts for unneeded and unused credentials, so long as most of the code is suitably shared. Another option would be to have a single script (i.e. undo the renaming) and add an option to determine if we are managing unneeded or unused credentials. Something to think about and discuss.

gregcorbett commented 1 year ago

a hypothetical ManageUnneededAPICredentials.php script would be very similar to the ManageUnusedAPICredentials.php script - except for using lastRenewTime instead of lastUseTime.

This isn't exactly true. The email message would be different as well - maybe that additional difference warrants two thin wrapper scripts over some shared functionality.

gregcorbett commented 1 year ago

This and #453 may best be tackled at a similar time.
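
The "two thin wrappers over shared functionality" option discussed in this thread, sketched as an added example that is not GOCDB code and not from any participant. Only the field names lastUseTime and lastRenewTime come from the thread; the function names, the array shape, the 6 and 12 month thresholds and the message texts are assumptions.

```php
<?php
// Added illustration, not GOCDB code. Only lastUseTime and lastRenewTime come
// from the thread; all other names, thresholds and messages are assumptions.

/** Shared logic: pick credentials to warn about or delete, judged on $timeField. */
function planCredentialActions(array $creds, string $timeField,
    DateTimeImmutable $now, int $warnMonths, int $deleteMonths): array
{
    $warnBefore   = $now->modify("-{$warnMonths} months");
    $deleteBefore = $now->modify("-{$deleteMonths} months");
    $plan = ['warn' => [], 'delete' => []];
    foreach ($creds as $cred) {
        $stamp = $cred[$timeField] ?? null;
        if (!$stamp instanceof DateTimeImmutable) {
            $plan['warn'][] = $cred['id'];   // no timestamp: ask a human, never auto-delete
        } elseif ($stamp < $deleteBefore) {
            $plan['delete'][] = $cred['id'];
        } elseif ($stamp < $warnBefore) {
            $plan['warn'][] = $cred['id'];
        }
    }
    return $plan;
}

/** Thin wrapper: credentials nobody has used. */
function planUnusedCredentials(array $creds, DateTimeImmutable $now): array
{
    return ['message' => 'This API credential has not been used recently.']
        + planCredentialActions($creds, 'lastUseTime', $now, 6, 12);
}

/** Thin wrapper: credentials nobody has confirmed are still needed. */
function planUnrenewedCredentials(array $creds, DateTimeImmutable $now): array
{
    return ['message' => 'Please confirm this API credential is still needed.']
        + planCredentialActions($creds, 'lastRenewTime', $now, 6, 12);
}

// Constructed sample data.
$now = new DateTimeImmutable('2024-06-01T00:00:00Z');
$day = fn(string $d) => new DateTimeImmutable($d . 'T00:00:00Z');
$creds = [
    ['id' => 1, 'lastUseTime' => $day('2024-05-20'), 'lastRenewTime' => $day('2023-01-10')],
    ['id' => 2, 'lastUseTime' => $day('2023-10-01'), 'lastRenewTime' => $day('2024-04-01')],
];
print_r(planUnusedCredentials($creds, $now));
print_r(planUnrenewedCredentials($creds, $now));
```

In the sample data, credential 1 is still in regular use, so the unused check never touches it, and only the renewal check catches it.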