API key pair restructure

[KlausDornsbach]

Description

API access keypairs are primarily used to support interactions between systems, without the need to create sessions (through user and password authentication). Currently, CloudStack's implementation of API keypairs does not allow you to specify permissions for each keypair, simply using the account's default permissions. Additionally, the number of keypairs is limited to one per user and they have no start and end dates.

An extension of the API keypairs functionality was implemented, adding several new features that increase flexibility and security. It is now possible to specify a subset of permissions (from the base account) for each keypair, as well as create more than one key per user. It is also possible to define start and end dates for the validity of a keypair. A key created without an expiration date will always be valid up until it is deleted. It should be noted that creating API keypairs without specifying permissions just creates an API keypair with all account's base permissions. Also, API keypairs older than this patch will always be viewed as keypairs with full account permissions.

The following endpoints were created:

A new listUserKeys API was added. Through this API the user will be able to specify a single keypairid to fetch its specific properties, or apikeyfilter to return a specific keypair based on an apikey. The user can inform an userid to fetch an user's api keypair list. If no keypairid, apikeyfilter or userid is provided, the API defaults to fetching information on the calling user. The listall property allows for fetching all keypairs in the structure that are visible based on the calling user/keypair permissions, if not specified, it defaults to false, fetching only the apikeys on the level of the calling user/keypair. Also, it is possible to inform showpermissions to list all permissions associated with each returned apikey.

Name	Description	Required	Default
userid	id of the owner of the keypairs	no	none
keypairid	id of the keypair	no	none
listall	list all accessable keypairs	no	false
apikeyfilter	apikey of they keypair	no	none
showpermissions	lists all associated apikey permissions	no	false

The API getUserKeys was modified preserving backwards compatibility. It now fetches the last keypair created for the informed user.

The api registerUserKeys was modified so the new API keypair parameters could be specified on creation:

Name	Description	Required	Example	Default
id	user id	Yes	b8914774-771e-11ee-8e59-5254003754dc	none
name	name of the keypair	No	MyKey	userId + " - API Keypair"
startdate	date when key becomes valid	No	2024-04-09	none
enddate	date when key expires	No	2024-04-09	never expires
description	keypair description	No	read only permissions	none
rules	list of API access rules	No	rules[1].rule=list* rules[1].permission=allow	all user API permissions based on Account Role

A new keypair deletion API was added (deleteUserKeys). It will accept only one required argument, the keypair id.

Name	Description	Required
keypairid	id of the keypair	yes

I also added a listUserKeyRules api, allowing the user to list the rules associated with an API keypair.

Name	Description	Required
keypairid	id of the keypair	yes

Types of changes

• Breaking change (fix or feature that would cause existing functionality to change)
• New feature (non-breaking change which adds functionality)
• Bug fix (non-breaking change which fixes an issue)
• Enhancement (improves an existing feature and functionality)
• Cleanup (Code refactoring and cleanup, that may add test cases)
• build/CI
• test (unit or integration test code)

Feature/Enhancement Scale or Bug Severity

Feature/Enhancement Scale

• Major
• Minor

Bug Severity

• BLOCKER
• Critical
• Major
• Minor
• Trivial

How Has This Been Tested?

API Key Creation and Basic Testing

Single Key (via UI):

1. I was able to create API keypairs through the UI through the button on the top right of the user view;
2. Through Cloud Monkey, validated that the keypair had the same permissions as the base user by calling a series of APIs;

Multiple Keys (via Cloud Monkey):

1. Created multiple keys;
2. Validated the operation was successful on the DB;
3. Tested creating a key that was not valid and would become valid in the future, with success;
4. Tested creating a key that was valid and would become invalid in the future, with success;
5. Tested trying to create keys that were already invalid and got errors;
6. All permissions of the API key pairs were consistent with each key pair tested.

Permissions Validation

Tested the permissions of keyrules listing, keypair listing, keypair deletion and keypair cretion with the following user/account/domain setup:

• domain /ROOT

  • account root admin

    • user root admin
    • user user1

  • domain subdomain

    • account domain admin
      • user domain admin
    • account userAccount
      • user user2
      • user user3

The following table describes the results obtained when the user on the first column attempted to operate on the keypairs of users on the first row (V: operation was possible, F: operation was not possible).

user	rootAdm	user1	domainAdm	user2	user3
rootAdm	V	V	V	V	V
user1	V	V	V	V	V
domainAdm	F	F	V	V	V
user2	F	F	F	V	F
user3	F	F	F	F	V

Migration to api_keypair Table

1. A key was created for a read-only user
2. The database was updated from version 4.19 to 4.20
3. The API key data was successfully migrated to the api_keypair table, with the corresponding columns in the user table deleted.
4. Confirmed correct permission handling of the api key.

General validations

• Could not create an API keypair with more permissions than the base keypair.
• Deleting system keys was not possible.
• After deleting a user or account, the API keypairs were invalidated.

[codecov]

Codecov Report

❌ Patch coverage is 16.50738% with 961 lines in your changes missing coverage. Please review.
✅ Project coverage is 17.92%. Comparing base (7ad68aa) to head (b6b1b5f).
⚠️ Report is 2 commits behind head on main.

Files with missing lines	Patch %	Lines
...c/main/java/com/cloud/user/AccountManagerImpl.java	31.80%	182 Missing and 11 partials ⚠️
...he/cloudstack/api/response/ApiKeyPairResponse.java	0.00%	127 Missing ⚠️
...ck/api/command/admin/user/RegisterUserKeysCmd.java	0.00%	94 Missing ⚠️
...n/java/org/apache/cloudstack/acl/ApiKeyPairVO.java	25.60%	93 Missing ⚠️
...src/main/java/com/cloud/api/ApiResponseHelper.java	0.00%	61 Missing ⚠️
...g/apache/cloudstack/acl/dao/ApiKeyPairDaoImpl.java	0.00%	43 Missing ⚠️
...dstack/api/command/admin/user/ListUserKeysCmd.java	0.00%	35 Missing ⚠️
...g/apache/cloudstack/acl/ApiKeyPairManagerImpl.java	0.00%	33 Missing ⚠️
...tack/api/command/admin/user/DeleteUserKeysCmd.java	0.00%	30 Missing ⚠️
.../cloudstack/discovery/ApiDiscoveryServiceImpl.java	14.28%	28 Missing and 2 partials ⚠️
... and 31 more

Additional details and impacted files

@@            Coverage Diff             @@
##               main    #9504    +/-   ##
==========================================
  Coverage     17.92%   17.92%            
- Complexity    16156    16176    +20     
==========================================
  Files          5939     5949    +10     
  Lines        533192   534058   +866     
  Branches      65239    65301    +62     
==========================================
+ Hits          95591    95748   +157     
- Misses       426859   427553   +694     
- Partials      10742    10757    +15     

Flag	Coverage Δ
uitests	3.66% <ø> (ø)
unittests	19.03% <16.50%> (-0.01%)	⬇️

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

[DaanHoogland]

nice feature @KlausDornsbach , some suggestions,

1. would it make sense to be able to delete a kay based on name?
2. also is admin allowed to delete keys for other users? (would make sense from a maintainance point of view, would it?)

[KlausDornsbach]

Hey @DaanHoogland, thanks for taking a look!

It would make sense to be able to delete a keypair by name, we would just need to block users from creating multiple API keypairs with the same name.

At the moment an admin is allowed to delete keypairs from users it has access, for example, a root admin user could delete any keypair in the platform, domain admin users can delete any keypair in the domain, normal users can only delete their own keys. These permissions are also true for visualization and creation APIs.

[DaanHoogland]

It would make sense to be able to delete a keypair by name, we would just need to block users from creating multiple API keypairs with the same name.

Well, I think a unique constraint on UserId/KeyPairName makes sense also from a usability sense.

At the moment an admin is allowed to delete keypairs from users it has access, for example, a root admin user could delete any keypair in the platform, domain admin users can delete any keypair in the domain, normal users can only delete their own keys. These permissions are also true for visualization and creation APIs.

👍

[rajujith]

@blueorangutan package

[ghost]

This pull request has merge conflicts. Dear author, please fix the conflicts and sync your branch with the base branch.

[DaanHoogland]

@blueorangutan package

[blueorangutan]

@DaanHoogland a [SL] Jenkins job has been kicked to build packages. It will be bundled with KVM, XenServer and VMware SystemVM templates. I'll keep you posted as I make progress.

[blueorangutan]

Packaging result [SF]: ✖️ el8 ✖️ el9 ✖️ debian ✖️ suse15. SL-JID 10714

[rajujith]

@blueorangutan package

[blueorangutan]

@rajujith a [SL] Jenkins job has been kicked to build packages. It will be bundled with KVM, XenServer and VMware SystemVM templates. I'll keep you posted as I make progress.

[blueorangutan]

Packaging result [SF]: ✖️ el8 ✖️ el9 ✖️ debian ✖️ suse15. SL-JID 10720

[rajujith]

@blueorangutan package

[blueorangutan]

@rajujith a [SL] Jenkins job has been kicked to build packages. It will be bundled with KVM, XenServer and VMware SystemVM templates. I'll keep you posted as I make progress.

[blueorangutan]

Packaging result [SF]: ✔️ el8 ✔️ el9 ✔️ debian ✔️ suse15. SL-JID 10736

[DaanHoogland]

@blueorangutan test

[blueorangutan]

@DaanHoogland a [SL] Trillian-Jenkins test job (ol8 mgmt + kvm-ol8) has been kicked to run smoke tests

[blueorangutan]

[SF] Trillian test result (tid-11141)
Environment: kvm-ol8 (x2), Advanced Networking with Mgmt server ol8
Total time taken: 1356 seconds
Marvin logs: https://github.com/blueorangutan/acs-prs/releases/download/trillian/pr9504-t11141-kvm-ol8.zip
Smoke tests completed. 0 look OK, 0 have errors, 139 did not run
Only failed and skipped tests results shown below:

Test	Result	Time (s)	Test File
all_test_2fa	Skipped	---	test_2fa.py
all_test_account_access	Skipped	---	test_account_access.py
all_test_accounts	Skipped	---	test_accounts.py
all_test_affinity_groups_projects	Skipped	---	test_affinity_groups_projects.py
all_test_affinity_groups	Skipped	---	test_affinity_groups.py
all_test_annotations	Skipped	---	test_annotations.py
all_test_async_job	Skipped	---	test_async_job.py
all_test_attach_multiple_volumes	Skipped	---	test_attach_multiple_volumes.py
all_test_backup_recovery_dummy	Skipped	---	test_backup_recovery_dummy.py
all_test_backup_recovery_veeam	Skipped	---	test_backup_recovery_veeam.py
all_test_bucket	Skipped	---	test_bucket.py
all_test_certauthority_root	Skipped	---	test_certauthority_root.py
all_test_cluster_drs	Skipped	---	test_cluster_drs.py
all_test_console_endpoint	Skipped	---	test_console_endpoint.py
all_test_create_list_domain_account_project	Skipped	---	test_create_list_domain_account_project.py
all_test_create_network	Skipped	---	test_create_network.py
all_test_deploy_vgpu_enabled_vm	Skipped	---	test_deploy_vgpu_enabled_vm.py
all_test_deploy_virtio_scsi_vm	Skipped	---	test_deploy_virtio_scsi_vm.py
all_test_deploy_vm_extra_config_data	Skipped	---	test_deploy_vm_extra_config_data.py
all_test_deploy_vm_iso	Skipped	---	test_deploy_vm_iso.py
all_test_deploy_vm_iso_uefi	Skipped	---	test_deploy_vm_iso_uefi.py
all_test_deploy_vm_root_resize	Skipped	---	test_deploy_vm_root_resize.py
all_test_deploy_vms_in_parallel	Skipped	---	test_deploy_vms_in_parallel.py
all_test_deploy_vms_with_varied_deploymentplanners	Skipped	---	test_deploy_vms_with_varied_deploymentplanners.py
all_test_deploy_vm_with_userdata	Skipped	---	test_deploy_vm_with_userdata.py
all_test_diagnostics	Skipped	---	test_diagnostics.py
all_test_direct_download	Skipped	---	test_direct_download.py
all_test_disk_offerings	Skipped	---	test_disk_offerings.py
all_test_disk_provisioning_types	Skipped	---	test_disk_provisioning_types.py
all_test_domain_disk_offerings	Skipped	---	test_domain_disk_offerings.py
all_test_domain_network_offerings	Skipped	---	test_domain_network_offerings.py
all_test_domain_service_offerings	Skipped	---	test_domain_service_offerings.py
all_test_domain_vpc_offerings	Skipped	---	test_domain_vpc_offerings.py
all_test_dynamicroles	Skipped	---	test_dynamicroles.py
all_test_enable_account_settings_for_domain	Skipped	---	test_enable_account_settings_for_domain.py
all_test_enable_role_based_users_in_projects	Skipped	---	test_enable_role_based_users_in_projects.py
all_test_events_resource	Skipped	---	test_events_resource.py
all_test_gateway_on_shared_networks	Skipped	---	test_gateway_on_shared_networks.py
all_test_global_acls	Skipped	---	test_global_acls.py
all_test_global_settings	Skipped	---	test_global_settings.py
all_test_guest_os	Skipped	---	test_guest_os.py
all_test_guest_vlan_range	Skipped	---	test_guest_vlan_range.py
all_test_host_control_state	Skipped	---	test_host_control_state.py
all_test_hostha_simulator	Skipped	---	test_hostha_simulator.py
all_test_host_ping	Skipped	---	test_host_ping.py
all_test_host_tags	Skipped	---	test_host_tags.py
all_test_human_readable_logs	Skipped	---	test_human_readable_logs.py
all_test_image_store_object_migration	Skipped	---	test_image_store_object_migration.py
all_test_import_unmanage_volumes	Skipped	---	test_import_unmanage_volumes.py
all_test_internal_lb	Skipped	---	test_internal_lb.py
all_test_ipv6_infra	Skipped	---	test_ipv6_infra.py
all_test_iso	Skipped	---	test_iso.py
all_test_kubernetes_clusters	Skipped	---	test_kubernetes_clusters.py
all_test_kubernetes_supported_versions	Skipped	---	test_kubernetes_supported_versions.py
all_test_list_accounts	Skipped	---	test_list_accounts.py
all_test_list_disk_offerings	Skipped	---	test_list_disk_offerings.py
all_test_list_domains	Skipped	---	test_list_domains.py
all_test_list_hosts	Skipped	---	test_list_hosts.py
all_test_list_ids_parameter	Skipped	---	test_list_ids_parameter.py
all_test_list_service_offerings	Skipped	---	test_list_service_offerings.py
all_test_list_storage_pools	Skipped	---	test_list_storage_pools.py
all_test_list_volumes	Skipped	---	test_list_volumes.py
all_test_loadbalance	Skipped	---	test_loadbalance.py
all_test_login	Skipped	---	test_login.py
all_test_metrics_api	Skipped	---	test_metrics_api.py
all_test_migration	Skipped	---	test_migration.py
all_test_multipleips_per_nic	Skipped	---	test_multipleips_per_nic.py
all_test_nested_virtualization	Skipped	---	test_nested_virtualization.py
all_test_network_acl	Skipped	---	test_network_acl.py
all_test_network_ipv6	Skipped	---	test_network_ipv6.py
all_test_network_permissions	Skipped	---	test_network_permissions.py
all_test_network	Skipped	---	test_network.py
all_test_nic_adapter_type	Skipped	---	test_nic_adapter_type.py
all_test_nic	Skipped	---	test_nic.py
all_test_non_contigiousvlan	Skipped	---	test_non_contigiousvlan.py
all_test_nonstrict_affinity_group	Skipped	---	test_nonstrict_affinity_group.py
all_test_object_stores	Skipped	---	test_object_stores.py
all_test_outofbandmanagement_nestedplugin	Skipped	---	test_outofbandmanagement_nestedplugin.py
all_test_outofbandmanagement	Skipped	---	test_outofbandmanagement.py
all_test_over_provisioning	Skipped	---	test_over_provisioning.py
all_test_password_server	Skipped	---	test_password_server.py
all_test_persistent_network	Skipped	---	test_persistent_network.py
all_test_portable_publicip	Skipped	---	test_portable_publicip.py
all_test_portforwardingrules	Skipped	---	test_portforwardingrules.py
all_test_primary_storage	Skipped	---	test_primary_storage.py
all_test_primary_storage_scope	Skipped	---	test_primary_storage_scope.py
all_test_privategw_acl_ovs_gre	Skipped	---	test_privategw_acl_ovs_gre.py
all_test_privategw_acl	Skipped	---	test_privategw_acl.py
all_test_private_roles	Skipped	---	test_private_roles.py
all_test_projects	Skipped	---	test_projects.py
all_test_public_ip_range	Skipped	---	test_public_ip_range.py
all_test_purge_expunged_vms	Skipped	---	test_purge_expunged_vms.py
all_test_pvlan	Skipped	---	test_pvlan.py
all_test_quarantined_ips	Skipped	---	test_quarantined_ips.py
all_test_regions	Skipped	---	test_regions.py
all_test_register_userdata	Skipped	---	test_register_userdata.py
all_test_reset_configuration_settings	Skipped	---	test_reset_configuration_settings.py
all_test_reset_vm_on_reboot	Skipped	---	test_reset_vm_on_reboot.py
all_test_resource_accounting	Skipped	---	test_resource_accounting.py
all_test_resource_detail	Skipped	---	test_resource_detail.py
all_test_resource_names	Skipped	---	test_resource_names.py
all_test_restore_vm	Skipped	---	test_restore_vm.py
all_test_router_dhcphosts	Skipped	---	test_router_dhcphosts.py
all_test_router_dns	Skipped	---	test_router_dns.py
all_test_router_dnsservice	Skipped	---	test_router_dnsservice.py
all_test_routers_iptables_default_policy	Skipped	---	test_routers_iptables_default_policy.py
all_test_routers_network_ops	Skipped	---	test_routers_network_ops.py
all_test_routers	Skipped	---	test_routers.py
all_test_safe_shutdown	Skipped	---	test_safe_shutdown.py
all_test_scale_vm	Skipped	---	test_scale_vm.py
all_test_secondary_storage	Skipped	---	test_secondary_storage.py
all_test_service_offerings	Skipped	---	test_service_offerings.py
all_test_set_sourcenat	Skipped	---	test_set_sourcenat.py
all_test_snapshots	Skipped	---	test_snapshots.py
all_test_ssvm	Skipped	---	test_ssvm.py
all_test_staticroles	Skipped	---	test_staticroles.py
all_test_storage_policy	Skipped	---	test_storage_policy.py
all_test_templates	Skipped	---	test_templates.py
all_test_update_security_group	Skipped	---	test_update_security_group.py
all_test_usage_events	Skipped	---	test_usage_events.py
all_test_usage	Skipped	---	test_usage.py
all_test_vm_autoscaling	Skipped	---	test_vm_autoscaling.py
all_test_vm_deployment_planner	Skipped	---	test_vm_deployment_planner.py
all_test_vm_life_cycle	Skipped	---	test_vm_life_cycle.py
all_test_vm_lifecycle_unmanage_import	Skipped	---	test_vm_lifecycle_unmanage_import.py
all_test_vm_schedule	Skipped	---	test_vm_schedule.py
all_test_vm_snapshot_kvm	Skipped	---	test_vm_snapshot_kvm.py
all_test_vm_snapshots	Skipped	---	test_vm_snapshots.py
all_test_vm_strict_host_tags	Skipped	---	test_vm_strict_host_tags.py
all_test_vnf_templates	Skipped	---	test_vnf_templates.py
all_test_volumes	Skipped	---	test_volumes.py
all_test_vpc_ipv6	Skipped	---	test_vpc_ipv6.py
all_test_vpc_redundant	Skipped	---	test_vpc_redundant.py
all_test_vpc_router_nics	Skipped	---	test_vpc_router_nics.py
all_test_vpc_vpn	Skipped	---	test_vpc_vpn.py
all_test_webhook_delivery	Skipped	---	test_webhook_delivery.py
all_test_webhook_lifecycle	Skipped	---	test_webhook_lifecycle.py
all_test_host_maintenance	Skipped	---	test_host_maintenance.py
all_test_hostha_kvm	Skipped	---	test_hostha_kvm.py

[GutoVeronezi]

good functionality and looks good so far, however, this should go into a non-LTS first and only after extensive testing. it is a cross cutting concern and hence brings risks adherent to such code

I totally agree with you; LTS are supposed to be as stable as possible. We should also apply the same criteria to every other PR with extensive or critical changes as well 😃

[DaanHoogland]

good functionality and looks good so far, however, this should go into a non-LTS first and only after extensive testing. it is a cross cutting concern and hence brings risks adherent to such code

I totally agree with you; LTS are supposed to be as stable as possible. We should also apply the same criteria to every other PR with extensive or critical changes as well 😃

I was kind of inviting this to 23, but yes, if it is a cross-cutting concern it should go in the non-LTS release first. Extensive or critical are gliding scales (and maybe cross-cutting as well, but certainly less so)

[GutoVeronezi]

I was kind of inviting this to 23, but yes, if it is a cross-cutting concern it should go in the non-LTS release first. Extensive or critical are gliding scales (and maybe cross-cutting as well, but certainly less so)

I was under impression that 4.23 would be a regular release (the wiki states so);

Thus, it would make sense to address this PR on release 4.23. 5 months seems enough time to review, test, and mature the PR. I also plan to test it in a few weeks.

[DaanHoogland]

As our ex-colleague always says @GutoVeronezi , “we are in violent agreement”!

[ghost]

This pull request has merge conflicts. Dear author, please fix the conflicts and sync your branch with the base branch.

[bernardodemarco]

@blueorangutan package

[blueorangutan]

@bernardodemarco a [SL] Jenkins job has been kicked to build packages. It will be bundled with no SystemVM templates. I'll keep you posted as I make progress.

[blueorangutan]

Packaging result [SF]: ✔️ el8 ✔️ el9 ✔️ el10 ✔️ debian ✔️ suse15. SL-JID 16988

[sureshanaparti]

@blueorangutan package

[blueorangutan]

@sureshanaparti a [SL] Jenkins job has been kicked to build packages. It will be bundled with no SystemVM templates. I'll keep you posted as I make progress.

[ghost]

This pull request has merge conflicts. Dear author, please fix the conflicts and sync your branch with the base branch.

[blueorangutan]

Packaging result [SF]: ✔️ el8 ✔️ el9 ✔️ el10 ✔️ debian ✔️ suse15. SL-JID 17001

[bernardodemarco]

@blueorangutan package

[blueorangutan]

@bernardodemarco a [SL] Jenkins job has been kicked to build packages. It will be bundled with no SystemVM templates. I'll keep you posted as I make progress.

[blueorangutan]

Packaging result [SF]: ✔️ el8 ✔️ el9 ✔️ el10 ✔️ debian ✔️ suse15. SL-JID 17004

[bernardodemarco]

@blueorangutan package

[blueorangutan]

@bernardodemarco a [SL] Jenkins job has been kicked to build packages. It will be bundled with no SystemVM templates. I'll keep you posted as I make progress.

[bernardodemarco]

@shwstppr @sureshanaparti @DaanHoogland @weizhouapache @GutoVeronezi @winterhazel @JoaoJandre @hsato03 @erikbocks, guys, this one is finally ready for review and testing. Below are the test descriptions that I have performed:

N°	Test	Description	Expected result?
1	Key pair without explicit rules	Verified that when creating a key pair without explicit rules, all the account's role permissions are inferred as the permissions of the key pair.	Yes
2	Key pair with explicit rules	Verified that when creating a key pair with explicit rules, it is only granted access to the key pair's rules.	Yes
3	Change account's role rules after API keys have been created.	Verified that the key pair never has access to more APIs that its role has.	Yes
4	Key pairs creation with more permissions that the caller's role	Verified that it is not possible to create key pairs with more permission than the caller's set of permissions.	Yes
5	Key pair with start and end dates.	Verified that the startdate and enddate attributes of the key pair are correctly respected.	Yes
6	Key pairs creation from the UI.	Accessed the details page of an user and successfully generated an API key pair for it.	Yes
7	Invalidation of API key pairs after user/account deletion	Verified that after deleting accounts and users, their API key pairs are correctly deleted.	Yes
8	Invalidation of API key pairs when they are disabled	Verified that it is not possible to use the API key pairs when they are disabled for their accounts and users.	Yes
9	High-level workflows of the APIs getUserKeys, registerUserKeys, deleteUserKeys, listUserKeyRules, listUserKeys	Verified the execution of such APIs, including access validation checks.	Yes
10	Deletion of system keys	Tried to delete the keys of the baremetal-system-account account and verified that an error message was returned. Verified the possibility of removing the key pair when the baremetal.provision.done.notification is disabled.	Yes
11	Migration to the new DB's schema	Verified that the migration of active API key pairs from the cloud.user table to the cloud.api_keypair one was performed successfully.	Yes

[bernardodemarco]

@shwstppr @sureshanaparti @DaanHoogland @weizhouapache can we run the integration tests for the PR, please?

btw, the simulator tests are failing across multiple PRs (see #12683 and #12680, for instance). Thus, they do not seem to be related with the current PR.

[blueorangutan]

Packaging result [SF]: ✔️ el8 ✔️ el9 ✔️ el10 ✔️ debian ✔️ suse15. SL-JID 17010

[DaanHoogland]

@blueorangutan package

[blueorangutan]

@DaanHoogland a [SL] Jenkins job has been kicked to build packages. It will be bundled with no SystemVM templates. I'll keep you posted as I make progress.

[blueorangutan]

Packaging result [SF]: ✔️ el8 ✔️ el9 ✔️ el10 ✔️ debian ✔️ suse15. SL-JID 17014

[DaanHoogland]

@blueorangutan test

[blueorangutan]

@DaanHoogland a [SL] Trillian-Jenkins test job (ol8 mgmt + kvm-ol8) has been kicked to run smoke tests

[blueorangutan]

[SF] Trillian test result (tid-15573)
Environment: kvm-ol8 (x2), zone: Advanced Networking with Mgmt server ol8
Total time taken: 53151 seconds
Marvin logs: https://github.com/blueorangutan/acs-prs/releases/download/trillian/pr9504-t15573-kvm-ol8.zip
Smoke tests completed. 145 look OK, 5 have errors, 0 did not run
Only failed and skipped tests results shown below:

Test	Result	Time (s)	Test File
test_03_ping_in_ssvm_success	Failure	14.66	test_diagnostics.py
test_04_extract_Iso	Failure	1.10	test_iso.py
ContextSuite context=TestListIdsParams>:teardown	Error	1.17	test_list_ids_parameter.py
test_01_snapshot_root_disk	Error	5.16	test_snapshots.py
test_02_list_snapshots_with_removed_data_store	Error	47.14	test_snapshots.py
test_02_list_snapshots_with_removed_data_store	Error	47.15	test_snapshots.py
ContextSuite context=TestSnapshotStandaloneBackup>:teardown	Error	32.48	test_snapshots.py
test_01_snapshot_usage	Error	22.94	test_usage.py
test_01_vpn_usage	Error	1.12	test_usage.py