UI for API Key Pair Management

[bernardodemarco]

Description

PR #9504 restructured and extended the implementation of API key pairs to improve flexibility and security. It is now possible to create multiple key pairs per user, define a specific permission scope for each key pair and specify a validation period during which they remain active.

This PR exposes these new features in the ACS graphical interface. Among the new functionalities, users can now list all key pairs associated with a user, view their details and permissions, and register new key pairs with validity periods and permission sets.

Additionally, some minor fixes and enhancements were introduced to the API key pair backend workflows, including:

• Default roles Domain Admin, Resource Admin and User were granted access to the listUserKeyRules API;
• The type of the description column of the cloud.api_keypair table was changed from VARCHAR(100) to VARCHAR(1024); and,
• The type of the description column of the cloud.api_keypair_permissions table is VARCHAR(255). However, the registerUserKeys API currently do not validate the size of the corresponding API parameter. This validation has been introduced.

Types of changes

• Breaking change (fix or feature that would cause existing functionality to change)
• New feature (non-breaking change which adds functionality)
• Bug fix (non-breaking change which fixes an issue)
• Enhancement (improves an existing feature and functionality)
• Cleanup (Code refactoring and cleanup, that may add test cases)
• Build/CI
• Test (unit or integration test code)

Feature/Enhancement Scale or Bug Severity

Feature/Enhancement Scale

• Major
• Minor

Screenshots (if appropriate):

2026-05-22.16-06-12.mp4

How Has This Been Tested?

The new UI sections were manually tested and their behavior was verified accordingly.

To test this patch, the backend must include PR #9504.

[codecov]

Codecov Report

❌ Patch coverage is 33.33333% with 2 lines in your changes missing coverage. Please review.
✅ Project coverage is 18.10%. Comparing base (68221cf) to head (90d7b7b).
⚠️ Report is 32 commits behind head on main.

Files with missing lines	Patch %	Lines
...ck/api/command/admin/user/RegisterUserKeysCmd.java	0.00%	2 Missing ⚠️

Additional details and impacted files

@@             Coverage Diff              @@
##               main   #13225      +/-   ##
============================================
+ Coverage     18.08%   18.10%   +0.01%     
- Complexity    16718    16753      +35     
============================================
  Files          6037     6041       +4     
  Lines        542609   542967     +358     
  Branches      66432    66479      +47     
============================================
+ Hits          98136    98298     +162     
- Misses       433446   433620     +174     
- Partials      11027    11049      +22     

Flag	Coverage Δ
uitests	3.50% <ø> (-0.02%)	⬇️
unittests	19.27% <33.33%> (+0.02%)	⬆️

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

[winterhazel]

@blueorangutan ui

[blueorangutan]

@winterhazel a Jenkins job has been kicked to build UI QA env. I'll keep you posted as I make progress.

[blueorangutan]

UI build: ✔️
Live QA URL: https://qa.cloudstack.cloud/simulator/pr/13225 (QA-JID-940)

[Copilot]

Pull request overview

This PR adds a CloudStack UI surface for the “multiple API key pairs per user” backend introduced in PR #9504, including listing key pairs, viewing key pair details/rules, and registering new key pairs with optional validity windows and rule-based permissions. It also includes a few backend/schema adjustments (description length increase, role permissions update, and parameter validation).

Changes:

• Added a new User tab and Keypair (API key pair) resource view to list and navigate API key pairs, including rule display.
• Added UI components to register API key pairs and to view/edit a key pair’s permission rules.
• Updated schema/entity/API command metadata related to API key pair descriptions and rule-description validation.

Reviewed changes

Copilot reviewed 15 out of 15 changed files in this pull request and generated 13 comments.

Show a summary per file

File	Description
ui/src/views/iam/GenerateApiKeyPair.vue	Modal/form to register an API key pair (name/description/dates/rules).
ui/src/views/iam/ApiKeyPairPermissionTable.vue	UI for building/viewing rule-permissions; supports drag ordering and read-only table view.
ui/src/views/AutogenView.vue	Adjusts param mapping for listUserKeys and resource selection behavior.
ui/src/config/section/user.js	Adds apikeypairs tab to the User view.
ui/src/config/section/keypair.js	Introduces a hidden “keypair” section for viewing API key pair details and rules.
ui/src/config/router.js	Registers the new keypair section routes.
ui/src/components/view/ListView.vue	Treats startdate/enddate as date fields for rendering.
ui/src/components/view/InfoCard.vue	Displays API/secret key fields for keypair resources; adjusts status/apikeyaccess display logic.
ui/src/components/view/DetailsTab.vue	Adds startdate/enddate date rendering and guards for empty values.
ui/src/components/view/ApiKeyPairsTab.vue	New User tab listing key pairs with bulk delete and link to keypair detail view.
ui/public/locales/pt_BR.json	Adds new UI strings (includes a typo).
ui/public/locales/en.json	Adds new UI strings for API key pair management.
engine/schema/src/main/resources/META-INF/db/schema-42210to42300.sql	Expands api_keypair.description size and grants role permissions for key APIs.
engine/schema/src/main/java/org/apache/cloudstack/acl/ApiKeyPairVO.java	Aligns entity field length with DB schema change.
api/src/main/java/org/apache/cloudstack/api/command/admin/user/RegisterUserKeysCmd.java	Adds parameter length metadata and introduces rule-description length validation (currently buggy).

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[DaanHoogland]

@blueorangutan package

[blueorangutan]

@DaanHoogland a [SL] Jenkins job has been kicked to build packages. It will be bundled with no SystemVM templates. I'll keep you posted as I make progress.

[Copilot]

Copilot encountered an error and was unable to review this pull request. You can try again by re-requesting a review.

[blueorangutan]

Packaging result [SF]: ✔️ el8 ✔️ el9 ✔️ el10 ✔️ debian ✔️ suse15. SL-JID 18045

[daviftorres]

Dear @bernardodemarco , this is excellent!

I saw in the recording that keys can be added and removed, and that the allow/deny rules are set when the key is created.

Is it possible to later add, remove, or modify the rules for an existing key, or do you need to create a new key each time you want to change the rules?

Regards,

[Copilot]

Pull request overview

Copilot reviewed 15 out of 15 changed files in this pull request and generated 8 comments.

[DaanHoogland]

@blueorangutan test

[blueorangutan]

@DaanHoogland a [SL] Trillian-Jenkins test job (ol8 mgmt + kvm-ol8) has been kicked to run smoke tests

[blueorangutan]

[SF] Trillian test result (tid-16203)
Environment: kvm-ol8 (x2), zone: Advanced Networking with Mgmt server ol8
Total time taken: 40171 seconds
Marvin logs: https://github.com/blueorangutan/acs-prs/releases/download/trillian/pr13225-t16203-kvm-ol8.zip
Smoke tests completed. 137 look OK, 3 have errors, 11 did not run
Only failed and skipped tests results shown below:

Test	Result	Time (s)	Test File
ContextSuite context=TestClusterDRS>:setup	Error	0.00	test_cluster_drs.py
test_list_system_vms_metrics_history	Failure	0.62	test_metrics_api.py
test_2_userdata_on_cpvm	Error	3.31	test_systemvm_userdata.py
all_test_vnf_templates	Skipped	---	test_vnf_templates.py
all_test_volumes	Skipped	---	test_volumes.py
all_test_vpc_conserve_mode	Skipped	---	test_vpc_conserve_mode.py
all_test_vpc_ipv6	Skipped	---	test_vpc_ipv6.py
all_test_vpc_redundant	Skipped	---	test_vpc_redundant.py
all_test_vpc_router_nics	Skipped	---	test_vpc_router_nics.py
all_test_vpc_vpn	Skipped	---	test_vpc_vpn.py
all_test_webhook_delivery	Skipped	---	test_webhook_delivery.py
all_test_webhook_lifecycle	Skipped	---	test_webhook_lifecycle.py
all_test_host_maintenance	Skipped	---	test_host_maintenance.py
all_test_hostha_kvm	Skipped	---	test_hostha_kvm.py

[bernardodemarco]

Dear @bernardodemarco , this is excellent!

Hello, @daviftorres

Thanks!!!

I saw in the recording that keys can be added and removed, and that the allow/deny rules are set when the key is created.

Yes, exactly. Now it is possible for a user to have multiple API key pairs, each one of them with a specific permission scope and an optional validation period during which they remain active.

During the creation of key pairs, it is optional to define their corresponding set of rule permissions. If a rule set is defined, the API key pair will only have access to APIs for which access has been explicitly granted (i.e., APIs whose corresponding rules are marked as allowed). On the other hand, if no rule set is specified, the API key pair permissions will follow and adapt to the permission set of the user's account role.

Is it possible to later add, remove, or modify the rules for an existing key, or do you need to create a new key each time you want to change the rules?

No, it is currently not possible to update the rules of a specific key pair. The only edge-case for this is when the API key pair rule set is implicitly inferred from the user's account role (i.e., when no rules are explicitly defined for the API key pair). In these scenarios, if the user's account role permission set is changed, the corresponding key pair permissions will be adapted accordingly.