You could imagine, for instance, the ability to expire keys, regenerate keys, etc. This makes it onerous on the end-user to re-register their keys. API keys are fundamental enough that I feel comfortable allowing the aws api web app to access the cloudstack db.
On 12/17/12 5:28 AM, "Likitha Shetty" <likitha.she...@citrix.com> wrote:

>Yes, doesn't sound like a good idea. But currently we do make calls to
>the CloudStack DB from AWSAPI. For e.g. to get the service-offering id of
>the specified service-offering name during VM we call the CloudStack DB.
>Also, if we put the keys in the cloud bridge DB when the CS API is called
>won't we be mixing the DBs anyway ?
>
>Thank you,
>Likitha
>
>-----Original Message-----
>From: Sebastien Goasguen [mailto:run...@gmail.com]
>Sent: Monday, December 17, 2012 6:19 PM
>To: cloudstack-dev@incubator.apache.org
>Subject: Re: [AWSAPI] user registration
>
>On Dec 17, 2012, at 10:43 AM, Likitha Shetty <likitha.she...@citrix.com>
>wrote:
>
>> In AWSAPI, while checking if the user keys exist and also while
>> retrieving the secret-key for signature generation, we could make a
>> change to directly check in the CloudStack DB instead of the cloudbridge
>> DB ? This way we won't require user-registration for Query API.
>
>Maybe.
>
>Since awsapi is a separate app, maybe mixing db's is not a good idea. I'd
>rather see the keys being put in the cloud bridge db when they are
>generated (via gui or api call). We can check if cloud bridge is setup,
>if yes then store the keys.
>
>-Sebastien
>
>> Thank you,
>> Likitha
>>
>> -----Original Message-----
>> From: Sebastien Goasguen [mailto:run...@gmail.com]
>> Sent: Monday, December 17, 2012 2:17 PM
>> To: cloudstack-dev@incubator.apache.org
>> Subject: Re: [AWSAPI] user registration
>>
>> On Dec 17, 2012, at 8:30 AM, Chiradeep Vittal
>> <chiradeep.vit...@citrix.com> wrote:
>>
>>> Sebastien, how does this proposed patch work? With the query API,
>>> there should not be any need for the registration step since the
>>> query API does not need the certificate. When the admin / user
>>> generates the keys these should be made available to the aws api web
>>> app.
>>
>> Nothing fancy. From the thread with Likitha it seems we do still need
>> to register. In the case of the query API it's just a call to
>> SetUserKeys.
>> So I just put an if statement on there, that checks if a certificate is
>> present when you use the cloudstack-aws-api-register script, i.e. is the
>> -c option used or not. If not then it only calls SetUserKeys and not the
>> SetCertificate afterwards.
>>
>> Of course, I do think that when keys are generated for the user they
>> could be automatically registered in the aws web app. But as far as I
>> know this is not the case yet. Could be a simple change to the UI
>> scripts. I have not looked into that.
>>
>> Does that make sense ?
>>
>>> On 12/15/12 8:45 AM, "Sebastien Goasguen" <run...@gmail.com> wrote:
>>>
>>>> On Dec 14, 2012, at 4:09 PM, Likitha Shetty
>>>> <likitha.she...@citrix.com> wrote:
>>>>
>>>>> You are right Sebastien, like we discussed in the previous thread
>>>>> we do need to perform user-registration before making both EC2 SOAP
>>>>> and EC2 Query API calls.
>>>>>
>>>>> The difference is the steps in the user-registration,
>>>>>
>>>>> 1. For SOAP, cloudstack-aws-api-register --apikey=<User's CloudPlatform API key> --secretkey=< User's CloudPlatform Secret key > --cert=<path/to/cert.pem> --url=http://<cloud-mgmt-server>:7080/awsapi.
>>>>>
>>>>> 2. For REST, http://<cloud-mgmt-server>:7080/awsapi?Action=SetUserKeys&accesskey=<User's CloudPlatform API key>&secretkey=< User's CloudPlatform Secret key >
>>>>>
>>>>> Additional info:
>>>>>
>>>>> cloudstack-aws-api-register script performs both the actions,
>>>>> SetUserKeys and SetCertificate.
>>>>>
>>>>> * SetUserKeys gives the user's API access and secret keys to
>>>>> AWSAPI so that AWSAPI can call the CloudStack API with these keys.
>>>>> This is required for both Query and SOAP.
>>>>>
>>>>> * SetCertificate registers the user's X.509 certificate with
>>>>> AWSAPI. EC2 requires the client to have a public/private key pair
>>>>> with the public key defined by an X.509 certificate. This is
>>>>> required only for SOAP access
>>>>> (http://docs.amazonwebservices.com/AWSEC2/latest/UserGuide/using-soap-api.html)
>>>>
>>>> Thanks for clarifying Likitha. I actually have a patch pending
>>>> submission to solve the issue of registering for query or soap.
>>>>
>>>> Could you check that one can call SetUserKeys several times with the
>>>> same keys ? I have read that it can be done, but last time I
>>>> checked, if keys were already registered you would get an error.
>>>>
>>>> thanks,
>>>>
>>>> -sebastien
>>>>
>>>>> Thank you,
>>>>>
>>>>> Likitha
>>>>>
>>>>> -----Original Message-----
>>>>> From: Rajesh Battala [mailto:rajesh.batt...@citrix.com]
>>>>> Sent: Friday, December 14, 2012 7:47 PM
>>>>> To: cloudstack-dev@incubator.apache.org
>>>>> Subject: RE: [AWSAPI] user registration
>>>>>
>>>>> From Likitha I heard we don't need user registration for EC2 Query
>>>>> API.
>>>>>
>>>>> @Likitha can you confirm it.?
>>>>>
>>>>> Thanks
>>>>>
>>>>> Rajesh Battala
>>>>>
>>>>> -----Original Message-----
>>>>> From: Sebastien Goasguen [mailto:run...@gmail.com]
>>>>> Sent: Friday, December 14, 2012 7:42 PM
>>>>> To: cloudstack-dev@incubator.apache.org
>>>>> Subject: [AWSAPI] user registration
>>>>>
>>>>> Hi,
>>>>>
>>>>> There is a comment from Jessica in
>>>>> https://reviews.apache.org/r/8237/
>>>>> that says that user registration is not required for AWSAPI.
>>>>>
>>>>> Can one of the developers (Prachi, Likitha, Rajesh..) comment on
>>>>> this ?
>>>>>
>>>>> From a previous thread with Likitha, I thought that user
>>>>> registration was mandatory even for the EC2 Query API.
>>>>>
>>>>> Thanks,
>>>>>
>>>>> -Sebastien
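
The trade-off debated in this thread, as an added example that is not part of the original messages and not CloudStack or AWSAPI code: when the bridge verifies request signatures against a copy of the secret key made at registration, a regenerated key is rejected until the user re-registers, while the superseded key keeps verifying. The two dictionaries, the function names, the sample key name and the simplified string-to-sign are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

# Constructed stand-ins for the two databases discussed in the thread:
# the CloudStack DB is authoritative for user keys, the cloud bridge DB
# holds whatever copy was stored at registration time (SetUserKeys).
cloudstack_db = {}
cloudbridge_db = {}

def generate_keys(api_key):
    """Generate (or regenerate) the secret key in the authoritative store."""
    cloudstack_db[api_key] = secrets.token_hex(32)
    return cloudstack_db[api_key]

def set_user_keys(api_key, secret_key):
    """Registration step: copy the key pair into the bridge store."""
    cloudbridge_db[api_key] = secret_key

def sign(secret_key, string_to_sign):
    """Client side: HMAC-SHA256 over a simplified request string."""
    return hmac.new(secret_key.encode(), string_to_sign.encode(),
                    hashlib.sha256).hexdigest()

def verify(store, api_key, string_to_sign, signature):
    """Server side: recompute the signature with the key found in `store`."""
    secret_key = store.get(api_key)
    if secret_key is None:
        return False  # unregistered or unknown key: reject
    # Constant-time comparison of the expected and presented signatures.
    return hmac.compare_digest(sign(secret_key, string_to_sign), signature)

def demo():
    request = "Action=DescribeInstances&AWSAccessKeyId=user-api-key"  # constructed
    old = generate_keys("user-api-key")
    set_user_keys("user-api-key", old)
    registered_ok = verify(cloudbridge_db, "user-api-key", request, sign(old, request))
    # The user regenerates keys and nobody re-runs the registration step.
    new = generate_keys("user-api-key")
    new_sig = sign(new, request)
    bridge_accepts_new = verify(cloudbridge_db, "user-api-key", request, new_sig)
    direct_accepts_new = verify(cloudstack_db, "user-api-key", request, new_sig)
    bridge_accepts_old = verify(cloudbridge_db, "user-api-key", request, sign(old, request))
    return registered_ok, bridge_accepts_new, direct_accepts_new, bridge_accepts_old

if __name__ == "__main__":
    print(demo())
```

The last value returned by `demo()` is the one to watch when keys can be expired or regenerated: a copied key store must be invalidated on every key change, or the superseded key stays usable through the bridge.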