From 55a0aab5488da779ee238f34bd4fb6a557592f7a Mon Sep 17 00:00:00 2001
From: Jarrod Johnson
Date: Mon, 12 Aug 2019 15:28:00 -0400
Subject: [PATCH] Add node api key and arming This is the groundwork for having node authentication. The intent is for calling code to modify api.armed if the administrator wants to opt into a one-time set of credential. This design as is currently does not fit a stateless deploy model. That may suggest an additional manual step for a fully stateless model. Alternatively adding support for credential persistence through sealing to a node's TPM, which would allow more freely retrievable node credentials.
---
 confluent_server/confluent/config/attributes.py | 9 +++++++++
 1 file changed, 9 insertions(+)
diff --git a/confluent_server/confluent/config/attributes.py b/confluent_server/confluent/config/attributes.py
index a1d23b6c..73e37e31 100644
--- a/confluent_server/confluent/config/attributes.py
+++ b/confluent_server/confluent/config/attributes.py
@@ -97,6 +97,15 @@ node = {
 'description': ('Classification of node as server or switch'),
 'validvalues': ('switch', 'server'),
 },
+ 'api.key': {
+ 'description': ('Crypt of api key for self api requests by node'),
+ },
+ 'api.armed': {
+ 'description': ('Indicates whether an insecure api key request is allowed. '
+ 'The format is an expiration time in ISO8601 format. When '
+ 'the indicated time passes or the first time a node claims '
+ 'the key, key grants will not be allowed.'),
+ }
 #'id': {
 # 'description': ('Numeric identifier for node')
 #},
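Review bot: The `api.armed` description does not say which time zone the ISO8601 expiration is read in, and nothing in the entry constrains the format, so a timestamp without an offset could leave the insecure key-request window open longer than the administrator intended. I would state it in the text, e.g. `'The format is an expiration time in ISO8601 format with an explicit UTC offset. When '`, and have the code that consumes this attribute (not part of this patch) treat an unparseable or offset-less value as not armed. For `api.key`, the description could name the crypt scheme and say whether the stored hash is returned on ordinary attribute reads, since nothing visible here marks it as sensitive. The closing `}` of `api.armed` also lacks the trailing comma the neighbouring entries use. The `node` dict starts and ends outside the hunk.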