[6/x] API Keys

README.md

@@ -119,7 +119,7 @@ Each API user can have `READ`, `CREATE`, `UPDATE`, `DELETE` permission to Ceph r
 
 API authenticaiton usage can be found in [test/auth_test.go](./test/auth_test.go). But in general, client authentication can be handled by any client http/gRPC library supporting OAuth2.0.
 
-There is alternative auth API under `/api/auth` path (see [open api](./api/openapi/ceph-api.swagger.json)). This API is **not** implementing OAuth spec and exists for backwards compatibility with old Ceph API. This old api also does not have refresh token feature.
+There is alternative auth API under `/api/v1/auth/login`, `/api/v1/auth/logout`, and `/api/v1/auth/check` (see [open api](./api/openapi/ceph-api.swagger.json)). This API is **not** implementing OAuth spec and exists for backwards compatibility with old Ceph API. This old api also does not have refresh token feature.
 
 ## Clients
 
@@ -182,6 +182,53 @@ curl -X POST -u "ceph-api:yoursecretpass" \
 http://localhost:9969/api/oauth/token
 ```
 
+## API keys
+
+### Create a scoped API key
+
+using the built in CLI, you will need the API Access token from previous step
+```
+ceph-api auth api-key create \
+  --endpoint http://localhost:9969 \
+  --token "$CEPH_API_TOKEN" \
+  --name github-actions-config \
+  --description "CI key for GitOps config management" \
+  --scope config-opt:read \
+  --scope config-opt:create \
+  --scope config-opt:update \
+  --scope config-opt:delete
+```
+
+will return
+```
+capi_v1_ak_....<secret>
+```
+
+Via HTTP
+
+```
+curl -X POST http://localhost:9969/api/v1/auth/api-keys \
+  -H "Authorization: Bearer $CEPH_API_TOKEN" \
+  -H "Content-Type: application/json" \
+  -d '{
+    "name": "github-actions-config",
+    "description": "CI key for GitOps config management",
+    "scopes": [
+      "config-opt:read",
+      "config-opt:create",
+      "config-opt:update",
+      "config-opt:delete"
+    ]
+  }'
+```
+
+### Use the API Key
+
+```
+curl http://localhost:9969/api/v1/auth/whoami \
+  -H "Authorization: Bearer $CEPH_API_KEY"
+```
+
 ## Test
 
 Along with unit test project contains e2e test to run against real Ceph cluster.

api/auth.proto

@@ -14,6 +14,10 @@ service Auth {
     rpc Logout(google.protobuf.Empty) returns(google.protobuf.Empty);
     rpc Check(TokenCheckReq)returns(TokenCheckResp);
     rpc Whoami(google.protobuf.Empty) returns(WhoamiResp);
+    rpc CreateAPIKey(CreateAPIKeyReq) returns(CreateAPIKeyResp);
+    rpc ListAPIKeys(google.protobuf.Empty) returns(ListAPIKeysResp);
+    rpc GetAPIKey(GetAPIKeyReq) returns(APIKeyResp);
+    rpc RevokeAPIKey(RevokeAPIKeyReq) returns(google.protobuf.Empty);
 }
 
 message LoginReq{
@@ -50,6 +54,44 @@ message WhoamiResp{
     map<string,google.protobuf.ListValue> permissions=5 ;
 }
 
+message CreateAPIKeyReq{
+    string name =1;
+    string description =2;
+    optional google.protobuf.Timestamp expires_at =3;
+    repeated string scopes =4;
+}
+
+message CreateAPIKeyResp{
+    APIKeyResp key =1;
+    string token =2;
+}
+
+message ListAPIKeysResp{
+    repeated APIKeyResp keys =1;
+}
+
+message GetAPIKeyReq{
+    string key_id =1;
+}
+
+message RevokeAPIKeyReq{
+    string key_id =1;
+}
+
+message APIKeyResp{
+    string id =1;
+    string name =2;
+    string description =3;
+    string cluster_id =4;
+    bool enabled =5;
+    optional google.protobuf.Timestamp revoked_at =6;
+    optional google.protobuf.Timestamp created_at =7;
+    string created_by =8;
+    optional google.protobuf.Timestamp expires_at =9;
+    optional google.protobuf.Timestamp last_used_at =10;
+    repeated string scopes =11;
+}
+
 option (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_swagger) = {
     info: {
       title: "Ceph management API";