cloudstack-dev mailing list archives

From Likitha Shetty <likitha.she...@citrix.com>
Subject RE: [AWSAPI] user registration
Date Tue, 18 Dec 2012 13:23:00 GMT
+1

-----Original Message-----
From: Chiradeep Vittal [mailto:Chiradeep.Vittal@citrix.com] 
Sent: Tuesday, December 18, 2012 1:06 AM
To: CloudStack DeveloperList
Subject: Re: [AWSAPI] user registration

You could imagine for instance the ability to expire keys, regenerate keys etc. This makes
it onerous on the end-user to re-register their keys.
API keys are fundamental enough that I feel comfortable allowing the aws api web app to access
the cloudstack db.

On 12/17/12 5:28 AM, "Likitha Shetty" <likitha.shetty@citrix.com> wrote:

>Yes, doesn't sound like a good idea. But currently we do make calls to 
>the CloudStack DB from AWSAPI. For e.g. to get the service-offering id 
>of the specified service-offering name during VM we call the CloudStack DB.
>Also, if we put the keys in the cloud bridge DB when the CS API is 
>called won't we be mixing the DBs anyway ?
>
>Thank you,
>Likitha
>
>-----Original Message-----
>From: Sebastien Goasguen [mailto:runseb@gmail.com]
>Sent: Monday, December 17, 2012 6:19 PM
>To: cloudstack-dev@incubator.apache.org
>Subject: Re: [AWSAPI] user registration
>
>
>On Dec 17, 2012, at 10:43 AM, Likitha Shetty 
><likitha.shetty@citrix.com>
>wrote:
>
>> In AWSAPI, while checking if the user keys exists and also while 
>>retrieving the secret-key for signature generation, we could make a 
>>change to directly check in the CloudStack DB instead of the 
>>cloudbridge DB ? This way we won't require user-registration for Query API.
>> 
>
>Maybe.
>
>Since awsapi is a separate app, maybe mixing db's is not a good idea. 
>I'd rather see the keys being put in the cloud bridge db when they are 
>generated (via gui or api call). We can check if cloud bridge is setup, 
>if yes then store the keys.
>
>-Sebastien
>
>
>> Thank you,
>> Likitha
>> 
>> -----Original Message-----
>> From: Sebastien Goasguen [mailto:runseb@gmail.com]
>> Sent: Monday, December 17, 2012 2:17 PM
>> To: cloudstack-dev@incubator.apache.org
>> Subject: Re: [AWSAPI] user registration
>> 
>> 
>> On Dec 17, 2012, at 8:30 AM, Chiradeep Vittal 
>><Chiradeep.Vittal@citrix.com> wrote:
>> 
>>> Sebastien, how does this proposed patch work? With the query API,  
>>>there should not be any need for the registration step since the  
>>>query API does not need the certificate. When the admin / user  
>>>generates the keys these should be made available to the aws api web 
>>>app.
>> 
>> Nothing fancy. From the thread with Likitha it seems we do still need 
>>to register. In the case of the query API it's just a call to 
>>SetUserKeys.
>> So I just put an if statement on there, that checks if a certificate 
>>is present when you use the cloudstack-aws-api-register script, i.e. is 
>>the -c option used or not. If not then it only calls SetUserKeys and 
>>not the SetCertificate afterwards.
>> 
>> Of course, I do think that when keys are generated for the user they 
>>could be automatically registered in the aws web app. But as far as I 
>>know this is not the case yet. Could be a simple change to the UI 
>>scripts. I have not looked into that.
>> 
>> Does that make sense ?
>> 
>> 
>>> 
>>> On 12/15/12 8:45 AM, "Sebastien Goasguen" <runseb@gmail.com> wrote:
>>> 
>>>> 
>>>> On Dec 14, 2012, at 4:09 PM, Likitha Shetty 
>>>> <likitha.shetty@citrix.com>
>>>> wrote:
>>>> 
>>>>> You are right Sebastien, like we discussed in the previous thread 
>>>>> we do need to perform user-registration before making both EC2 SOAP 
>>>>> and EC2 Query API calls.
>>>>> 
>>>>> 
>>>>> 
>>>>> The difference is the steps in the user-registration,
>>>>> 
>>>>> 1. For SOAP, cloudstack-aws-api-register --apikey=<User's CloudPlatform API key> --secretkey=<User's CloudPlatform Secret key> --cert=<path/to/cert.pem> --url=http://<cloud-mgmt-server>:7080/awsapi.
>>>>> 
>>>>> 2. For REST, http://<cloud-mgmt-server>:7080/awsapi?Action=SetUserKeys&accesskey=<User's CloudPlatform API key>&secretkey=<User's CloudPlatform Secret key>
>>>>> 
>>>>> 
>>>>> 
>>>>> Additional info:
>>>>> 
>>>>> cloudstack-aws-api-register script performs both the actions, 
>>>>> SetUserKeys and SetCertificate.
>>>>> 
>>>>> * SetUserKeys gives the user's API access and secret keys to
>>>>> AWSAPI so that AWSAPI can call the CloudStack API with these keys.
>>>>> This is required for both Query and SOAP.
>>>>> 
>>>>> * SetCertificate registers the user's X.509 certificate with
>>>>> AWSAPI. EC2 requires the client to have a public/private key pair 
>>>>> with the public key defined by an X.509 certificate. This is 
>>>>> required only for SOAP access 
>>>>> (http://docs.amazonwebservices.com/AWSEC2/latest/UserGuide/using-soap-api.html)
>>>>> 
>>>>> 
>>>> 
>>>> Thanks for clarifying Likitha. I actually have a patch pending 
>>>> submission to solve the issue of registering for query or soap.
>>>> 
>>>> Could you check that one can call SetUserKeys several times with 
>>>> the same keys ? I have read that it can be done, but last time I 
>>>> checked, if keys were already registered you would get an error.
>>>> 
>>>> thanks,
>>>> 
>>>> -sebastien
>>>> 
>>>> 
>>>>> 
>>>>> Thank you,
>>>>> 
>>>>> Likitha
>>>>> 
>>>>> 
>>>>> 
>>>>> -----Original Message-----
>>>>> From: Rajesh Battala [mailto:rajesh.battala@citrix.com]
>>>>> Sent: Friday, December 14, 2012 7:47 PM
>>>>> To: cloudstack-dev@incubator.apache.org
>>>>> Subject: RE: [AWSAPI] user registration
>>>>> 
>>>>> 
>>>>> 
>>>>> From Likitha I heard we don't need user registration for EC2  
>>>>>Query API.
>>>>> 
>>>>> @Likitha can you confirm it.?
>>>>> 
>>>>> 
>>>>> 
>>>>> Thanks
>>>>> 
>>>>> Rajesh Battala
>>>>> 
>>>>> 
>>>>> 
>>>>> 
>>>>> 
>>>>> -----Original Message-----
>>>>> From: Sebastien Goasguen [mailto:runseb@gmail.com]
>>>>> Sent: Friday, December 14, 2012 7:42 PM
>>>>> To: cloudstack-dev@incubator.apache.org
>>>>> Subject: [AWSAPI] user registration
>>>>> 
>>>>> 
>>>>> 
>>>>> Hi,
>>>>> 
>>>>> 
>>>>> 
>>>>> There is a comment from Jessica in 
>>>>> https://reviews.apache.org/r/8237/
>>>>> that says that user registration is not required for AWSAPI.
>>>>> 
>>>>> 
>>>>> 
>>>>> Can one of the developers (Prachi, Likitha, Rajesh..) comment on 
>>>>>this ?
>>>>> 
>>>>> 
>>>>> 
>>>>> From a previous thread with Likitha, I thought that user 
>>>>> registration was mandatory even for the EC2 Query API.
>>>>> 
>>>>> 
>>>>> 
>>>>> Thanks,
>>>>> 
>>>>> 
>>>>> 
>>>>> -Sebastien
>>>> 
>>> 
>> 
>
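
Added example, not part of the thread and not CloudStack or AWSAPI code: a minimal model of the Query API signature check under the two designs discussed above (keys copied into the cloud bridge DB at registration versus read from the CloudStack DB on each request), showing what each accepts after a key is regenerated. It assumes AWS Signature Version 2 with HmacSHA256; the dictionaries, access key, secrets and host name are constructed stand-ins.

```python
import base64, hashlib, hmac
from urllib.parse import quote

# Constructed sample values; dicts stand in for the two databases.
ACCESS_KEY, HOST, PATH = "AK_EXAMPLE", "mgmt.example:7080", "/awsapi"

def sign_v2(secret, method, host, path, params):
    """Signature Version 2: HMAC-SHA256 over verb, host, path, sorted query."""
    enc = lambda s: quote(s, safe="-_.~")          # RFC 3986 unreserved set
    canonical = "&".join(f"{enc(k)}={enc(v)}"
                         for k, v in sorted(params.items()) if k != "Signature")
    to_sign = "\n".join([method.upper(), host.lower(), path or "/", canonical])
    digest = hmac.new(secret.encode(), to_sign.encode(), hashlib.sha256).digest()
    return base64.b64encode(digest).decode()

def verify(lookup_secret, method, host, path, params):
    """Server side: look up the caller's secret, recompute, compare."""
    secret = lookup_secret(params.get("AWSAccessKeyId", ""))
    if secret is None or "Signature" not in params:
        return False
    expected = sign_v2(secret, method, host, path, params)
    return hmac.compare_digest(expected, params["Signature"])

def signed_request(secret):
    """Client side: build a signed DescribeInstances query (constructed)."""
    p = {"Action": "DescribeInstances", "AWSAccessKeyId": ACCESS_KEY,
         "SignatureMethod": "HmacSHA256", "SignatureVersion": "2",
         "Timestamp": "2012-12-18T13:23:00Z"}
    p["Signature"] = sign_v2(secret, "GET", HOST, PATH, p)
    return p

def demo():
    cloudstack_db = {ACCESS_KEY: "old-secret"}     # system of record
    bridge_db = dict(cloudstack_db)                # copy made at registration
    old_req = signed_request("old-secret")
    cloudstack_db[ACCESS_KEY] = "new-secret"       # key regenerated; copy is stale
    new_req = signed_request("new-secret")
    check = lambda db, req: verify(db.get, "GET", HOST, PATH, req)
    return {
        "bridge_accepts_old": check(bridge_db, old_req),
        "bridge_accepts_new": check(bridge_db, new_req),
        "cloudstack_accepts_old": check(cloudstack_db, old_req),
        "cloudstack_accepts_new": check(cloudstack_db, new_req),
    }

if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```

With a copied key store, the signature check keeps accepting the replaced secret and rejects the new one until the user registers again; a single source of truth does neither.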

