+1

-----Original Message-----
From: Chiradeep Vittal [mailto:[email protected]]
Sent: Tuesday, December 18, 2012 1:06 AM
To: CloudStack DeveloperList
Subject: Re: [AWSAPI] user registration

You could imagine for instance the ability to expire keys, regenerate keys etc. This makes it onerous on the end-user to re-register their keys. API keys are fundamental enough that I feel comfortable allowing the aws api web app to access the cloudstack db.

On 12/17/12 5:28 AM, "Likitha Shetty" <[email protected]> wrote:

> Yes, doesn't sound like a good idea. But currently we do make calls to
> the CloudStack DB from AWSAPI. For e.g. to get the service-offering id
> of the specified service-offering name during VM we call the CloudStack DB.
> Also, if we put the keys in the cloud bridge DB when the CS API is
> called won't we be mixing the DBs anyway ?
>
> Thank you,
> Likitha
>
> -----Original Message-----
> From: Sebastien Goasguen [mailto:[email protected]]
> Sent: Monday, December 17, 2012 6:19 PM
> To: [email protected]
> Subject: Re: [AWSAPI] user registration
>
> On Dec 17, 2012, at 10:43 AM, Likitha Shetty <[email protected]> wrote:
>
>> In AWSAPI, while checking if the user keys exist and also while
>> retrieving the secret-key for signature generation, we could make a
>> change to directly check in the CloudStack DB instead of the
>> cloudbridge DB ? This way we won't require user-registration for Query API.
>>
>
> Maybe.
>
> Since awsapi is a separate app, maybe mixing db's is not a good idea.
> I'd rather see the keys being put in the cloud bridge db when they are
> generated (via gui or api call). We can check if cloud bridge is set up,
> if yes then store the keys.
>
> -Sebastien
>
>> Thank you,
>> Likitha
>>
>> -----Original Message-----
>> From: Sebastien Goasguen [mailto:[email protected]]
>> Sent: Monday, December 17, 2012 2:17 PM
>> To: [email protected]
>> Subject: Re: [AWSAPI] user registration
>>
>> On Dec 17, 2012, at 8:30 AM, Chiradeep Vittal <[email protected]> wrote:
>>
>>> Sebastien, how does this proposed patch work? With the query API,
>>> there should not be any need for the registration step since the
>>> query API does not need the certificate. When the admin / user
>>> generates the keys these should be made available to the aws api web
>>> app.
>>
>> Nothing fancy. From the thread with Likitha it seems we do still need
>> to register. In the case of the query API it's just a call to
>> SetUserKeys.
>> So I just put an if statement on there, that checks if a certificate
>> is present when you use the cloudstack-aws-api-register script. i.e is
>> the -c option used or not. If not then it only calls SetUserKeys and
>> not the SetCertificate afterwards.
>>
>> Of course, I do think that when keys are generated for the user they
>> could be automatically registered in the aws web app. But as far as I
>> know this is not the case yet. Could be a simple change to the UI
>> scripts. I have not looked into that.
>>
>> Does that make sense ?
>>
>>>
>>> On 12/15/12 8:45 AM, "Sebastien Goasguen" <[email protected]> wrote:
>>>
>>>>
>>>> On Dec 14, 2012, at 4:09 PM, Likitha Shetty <[email protected]> wrote:
>>>>
>>>>> You are right Sebastien, like we discussed in the previous thread
>>>>> we do need to perform user-registration before making both EC2 SOAP
>>>>> and EC2 Query API calls.
>>>>>
>>>>> The difference is the steps in the user-registration,
>>>>>
>>>>> 1. For SOAP, cloudstack-aws-api-register --apikey=<User's CloudPlatform API key> --secretkey=< User's CloudPlatform Secret key > --cert=<path/to/cert.pem> --url=http://<cloud-mgmt-server>:7080/awsapi.
>>>>>
>>>>> 2. For REST, http://<cloud-mgmt-server>:7080/awsapi?Action=SetUserKeys&accesskey=<User's CloudPlatform API key>&secretkey=< User's CloudPlatform Secret key >
>>>>>
>>>>> Additional info:
>>>>>
>>>>> cloudstack-aws-api-register script performs both the actions,
>>>>> SetUserKeys and SetCertificate.
>>>>>
>>>>> * SetUserKeys gives the user's API access and secret keys to
>>>>> AWSAPI so that AWSAPI can call the CloudStack API with these keys.
>>>>> This is required for both Query and SOAP.
>>>>>
>>>>> * SetCertificate registers the user's X.509 certificate with
>>>>> AWSAPI. EC2 requires the client to have a public/private key pair
>>>>> with the public key defined by a X.509 certificate. This is
>>>>> required only for SOAP access
>>>>> (http://docs.amazonwebservices.com/AWSEC2/latest/UserGuide/using-soap-api.html)
>>>>>
>>>>
>>>> Thanks for clarifying Likitha. I actually have a patch pending
>>>> submission to solve the issue of registering for query or soap.
>>>>
>>>> Could you check that one can call SetUserKeys several times with
>>>> the same keys ? I have read that it can be done, but last time I
>>>> checked, if keys were already registered you would get an error.
>>>>
>>>> thanks,
>>>>
>>>> -sebastien
>>>>
>>>>>
>>>>> Thank you,
>>>>>
>>>>> Likitha
>>>>>
>>>>> -----Original Message-----
>>>>> From: Rajesh Battala [mailto:[email protected]]
>>>>> Sent: Friday, December 14, 2012 7:47 PM
>>>>> To: [email protected]
>>>>> Subject: RE: [AWSAPI] user registration
>>>>>
>>>>> From Likitha I heard we don't need user registration for EC2
>>>>> Query API.
>>>>>
>>>>> @Likitha can you confirm it.?
>>>>>
>>>>> Thanks
>>>>>
>>>>> Rajesh Battala
>>>>>
>>>>> -----Original Message-----
>>>>> From: Sebastien Goasguen [mailto:[email protected]]
>>>>> Sent: Friday, December 14, 2012 7:42 PM
>>>>> To: [email protected]
>>>>> Subject: [AWSAPI] user registration
>>>>>
>>>>> Hi,
>>>>>
>>>>> There is a comment from Jessica in
>>>>> https://reviews.apache.org/r/8237/
>>>>> that says that user registration is not required for AWSAPI.
>>>>>
>>>>> Can one of the developers (Prachi, Likitha, Rajesh..) comment on
>>>>> this ?
>>>>>
>>>>> From a previous thread with Likitha, I thought that user
>>>>> registration was mandatory even for the EC2 Query API.
>>>>>
>>>>> Thanks,
>>>>>
>>>>> -Sebastien
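
The thread turns on where AWSAPI looks up the secret key when it checks a Query API signature. The sketch below is an added example, not part of the thread and not CloudStack code: it assumes an AWS Signature Version 2 style HMAC-SHA256 check, and the two key stores, the access key and the function names are constructed for illustration. It shows a request signed with a regenerated key verifying against the current key store and failing against a stale registered copy.

```python
import base64
import hashlib
import hmac
from urllib.parse import quote

def canonical_query(params):
    """Sort parameters by name and percent-encode them (RFC 3986), skipping Signature."""
    items = sorted((k, v) for k, v in params.items() if k != "Signature")
    return "&".join(f"{quote(k, safe='-_.~')}={quote(v, safe='-_.~')}" for k, v in items)

def sign(secret_key, method, host, path, params):
    """Base64 HMAC-SHA256 over the Signature Version 2 string-to-sign."""
    to_sign = "\n".join([method, host.lower(), path, canonical_query(params)])
    mac = hmac.new(secret_key.encode(), to_sign.encode(), hashlib.sha256)
    return base64.b64encode(mac.digest()).decode()

def verify(key_store, method, host, path, params):
    """key_store maps access key -> secret key; returns (ok, reason)."""
    secret = key_store.get(params.get("AWSAccessKeyId", ""))
    if secret is None:
        return False, "unknown access key"
    expected = sign(secret, method, host, path, params)
    supplied = params.get("Signature", "")
    # Constant-time comparison so the check does not leak how many bytes matched.
    if not hmac.compare_digest(expected.encode(), supplied.encode()):
        return False, "signature mismatch"
    return True, "ok"

# Constructed sample data: the user regenerated keys in CloudStack, but the
# copy registered earlier with the bridge still holds the old secret.
CLOUDSTACK_KEYS = {"AKEXAMPLE": "secret-after-regeneration"}
BRIDGE_KEYS = {"AKEXAMPLE": "secret-from-first-registration"}
HOST, PATH = "cloud-mgmt-server:7080", "/awsapi"

def demo():
    params = {"Action": "DescribeInstances", "AWSAccessKeyId": "AKEXAMPLE",
              "SignatureMethod": "HmacSHA256", "SignatureVersion": "2",
              "Timestamp": "2012-12-18T01:06:00Z"}
    params["Signature"] = sign(CLOUDSTACK_KEYS["AKEXAMPLE"], "GET", HOST, PATH, params)
    return (verify(CLOUDSTACK_KEYS, "GET", HOST, PATH, params),
            verify(BRIDGE_KEYS, "GET", HOST, PATH, params))

if __name__ == "__main__":
    print(demo())
```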
