want smartlogin to support administrator role

[arekinath]

It'd be great to have full RBAC support in smartlogin, but in the interim, just having support for the "administrator" role to grant smartlogin access would be great.

[arekinath]

The loadKeys() function in the CAPI shim of UFDS is what smartlogin eventually calls. It also backs the /customer/:uuid/keys endpoint on the shim, but that shound't be used by anything else today anyway.

[arekinath]

Testing done so far (sdc-ufds):

• Hot-patched into ufds zone
• Verified that both sub-users in the administrator role and other accounts in it have their keys added to the /customers/:uuid/keys endpoint using curl
• Tested smartlogin by SSH'ing to a base64 zone

For the cloudapi CR

• Hot-patched into a cloudapi zone
• Verified that now a group account with no keys of its own (but other accounts in the administrator role) can now provision
• Verified that a newly provisioned zone in the group account now gets the keys in root_authorized_keys from all the administrators of the group

[arekinath]

Issue in ps#2 on both:

• Using 'sub' as the search scope for keys will include keys on sub-users for account members of the role (which we don't want)

Testing done on ps#3:

• Re-did testing from earlier
• Also tested with an account member which has a sub-user, verified that its keys now don't make it into the list and aren't accepted by smartlogin

[bahamat]

https://cr.joyent.us/#/c/6944/3

[arekinath]

https://cr.joyent.us/#/c/6945/