Open jvanderhoof opened 4 years ago
@jvanderhoof thank you! A blessed change
Regarding the UX of this feature, I wanted to propose that this indication would be in an annotation, like any other authentication we support. Something that would look like this:
    - !host
      id: myhost
      annotations:
        authn/api-key: false
Overview
The proposed solution for this is to introduce a new policy attribute for roles (e.g. host, user) called api_key_enabled. This attribute will default to true if not explicitly provided, and will dictate whether Conjur:
- Generates an API key when the role is created by policy: This is relevant for newly created roles. If api_key_enabled: false, then this role will never receive a randomly generated API key.
- Allows an API key to be rotated for a role: This prevents an API key from being created after the initial role creation.
- Allows an API key to be validated for a role: This covers the case when an existing role (that has an API key) is updated to set api_key_enabled to false. In this case the API key already exists, but the Role model will always return false for api_key_valid?.
Scenarios
api_key_enabled: true
api_key_enabled: false
host/user) created
null.
authn
api_key_enabled: true
null, generate value and store it in database.
api_key_enabled: false
null
Prototype
Branches for prototype exploration for this proposal are available at:
Areas not covered in prototype
Rough Effort Estimate
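
Added example (not part of the issue and not Conjur's code): a minimal Ruby sketch of the three checks listed in the Overview, including the case where an existing role with a stored key is later set to api_key_enabled: false. The class SketchRole, the helper scenario_results, the key format and the error type are assumptions made for illustration.

```ruby
require 'securerandom'
require 'digest'

# Hypothetical stand-in for a role record; this is not Conjur's Role model.
class SketchRole
  attr_reader :id, :api_key
  attr_accessor :api_key_enabled

  # api_key_enabled defaults to true when not provided, as the proposal states.
  def initialize(id, api_key_enabled: true)
    @id = id
    @api_key_enabled = api_key_enabled
    # 1. Generation: a disabled role never receives a random key.
    @api_key = api_key_enabled ? SecureRandom.hex(32) : nil
  end

  # 2. Rotation: refused while disabled, so no key can appear after creation.
  def rotate_api_key
    raise ArgumentError, "API key disabled for #{id}" unless api_key_enabled
    @api_key = SecureRandom.hex(32)
  end

  # 3. Validation: always false while disabled, even if a key is still stored.
  def api_key_valid?(candidate)
    return false unless api_key_enabled
    return false if api_key.nil? || candidate.nil?
    a, b = Digest::SHA256.digest(candidate), Digest::SHA256.digest(api_key)
    # Compare fixed-length digests without an early exit on mismatch.
    a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end
end

# Constructed scenario: a host created with a key is later updated to false.
def scenario_results
  legacy = SketchRole.new('host/legacy')
  old_key = legacy.api_key
  before = legacy.api_key_valid?(old_key)
  legacy.api_key_enabled = false # simulated policy update
  after = legacy.api_key_valid?(old_key)
  rotate_refused = begin
    legacy.rotate_api_key
    false
  rescue ArgumentError
    true
  end
  fresh = SketchRole.new('host/myhost', api_key_enabled: false)
  { before: before, after: after, rotate_refused: rotate_refused,
    stored_key_kept: legacy.api_key == old_key, fresh_key: fresh.api_key }
end
```

In this sketch the old key stays in storage after the update; only the validation and rotation paths change, which is the behaviour the third bullet describes.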