From: Likitha Shetty
To: "cloudstack-dev@incubator.apache.org"
Date: Tue, 18 Dec 2012 18:53:00 +0530
Subject: RE: [AWSAPI] user registration

+1

-----Original Message-----
From: Chiradeep Vittal [mailto:Chiradeep.Vittal@citrix.com]
Sent: Tuesday, December 18, 2012 1:06 AM
To: CloudStack DeveloperList
Subject: Re: [AWSAPI] user registration

You could imagine for instance the ability to expire keys, regenerate keys etc. This makes it onerous on the end-user to re-register their keys.
API keys are fundamental enough that I feel comfortable allowing the aws api web app access the cloudstack db.

On 12/17/12 5:28 AM, "Likitha Shetty" wrote:

>Yes, doesn't sound like a good idea. But currently we do make calls to
>the CloudStack DB from AWSAPI. For e.g. to get the service-offering id
>of the specified service-offering name during VM we call the CloudStack DB.
>Also, if we put the keys in the cloud bridge DB when the CS API is
>called won't we be mixing the DBs anyway ?
>
>Thank you,
>Likitha
>
>-----Original Message-----
>From: Sebastien Goasguen [mailto:runseb@gmail.com]
>Sent: Monday, December 17, 2012 6:19 PM
>To: cloudstack-dev@incubator.apache.org
>Subject: Re: [AWSAPI] user registration
>
>
>On Dec 17, 2012, at 10:43 AM, Likitha Shetty
>wrote:
>
>> In AWSAPI, while checking if the user keys exist and also while
>>retrieving the secret-key for signature generation, we could make a
>>change to directly check in the CloudStack DB instead of the
>>cloudbridge DB ? This way we won't require user-registration for Query API.
>>
>
>Maybe.
>
>Since awsapi is a separate app, maybe mixing db's is not a good idea.
>I'd rather see the keys being put in the cloud bridge db when they are
>generated (via gui or api call). We can check if cloud bridge is set up,
>if yes then store the keys.
>
>-Sebastien
>
>
>> Thank you,
>> Likitha
>>
>> -----Original Message-----
>> From: Sebastien Goasguen [mailto:runseb@gmail.com]
>> Sent: Monday, December 17, 2012 2:17 PM
>> To: cloudstack-dev@incubator.apache.org
>> Subject: Re: [AWSAPI] user registration
>>
>>
>> On Dec 17, 2012, at 8:30 AM, Chiradeep Vittal
>> wrote:
>>
>>> Sebastien, how does this proposed patch work? With the query API,
>>>there should not be any need for the registration step since the
>>>query API does not need the certificate. When the admin / user
>>>generates the keys these should be made available to the aws api web
>>>app.
>>
>> Nothing fancy. From the thread with Likitha it seems we do still need
>>to register. In the case of the query API it's just a call to
>>SetUserKeys.
>> So I just put an if statement on there, that checks if a certificate
>>is present when you use the cloudstack-aws-api-register script. i.e. is
>>the -c option used or not. If not then it only calls SetUserKeys and
>>not the SetCertificate afterwards.
>>
>> Of course, I do think that when keys are generated for the user they
>>could be automatically registered in the aws web app. But as far as I
>>know this is not the case yet. Could be a simple change to the UI
>>scripts. I have not looked into that.
>>
>> Does that make sense ?
>>
>>
>>>
>>> On 12/15/12 8:45 AM, "Sebastien Goasguen" wrote:
>>>
>>>>
>>>> On Dec 14, 2012, at 4:09 PM, Likitha Shetty
>>>> wrote:
>>>>
>>>>> You are right Sebastien, like we discussed in the previous thread
>>>>> we do need to perform user-registration before making both EC2 SOAP
>>>>> and EC2 Query API calls.
>>>>>
>>>>> The difference is the steps in the user-registration,
>>>>>
>>>>> 1. For SOAP, cloudstack-aws-api-register --apikey=<User's
>>>>> CloudPlatform API key> --secretkey=< User's CloudPlatform Secret
>>>>> key > --cert=
>>>>> --url=http://:7080/awsapi.
>>>>>
>>>>> 2. For REST, http://
>>>>> :7080/awsapi?Action=SetUserKeys&accesskey=<User's
>>>>> CloudPlatform API key>&secretkey=< User's CloudPlatform Secret
>>>>> key >
>>>>>
>>>>> Additional info:
>>>>>
>>>>> cloudstack-aws-api-register script performs both the actions,
>>>>> SetUserKeys and SetCertificate.
>>>>>
>>>>> * SetUserKeys gives the user's API access and secret keys to
>>>>> AWSAPI so that AWSAPI can call the CloudStack API with these keys.
>>>>> This is required for both Query and SOAP.
>>>>>
>>>>> * SetCertificate registers the user's X.509 certificate with
>>>>> AWSAPI. EC2 requires the client to have a public/private key pair
>>>>> with the public key defined by an X.509 certificate. This is
>>>>> required only for SOAP access
>>>>> (http://docs.amazonwebservices.com/AWSEC2/latest/UserGuide/using-soap-api.html)
>>>>>
>>>>
>>>> Thanks for clarifying Likitha. I actually have a patch pending
>>>> submission to solve the issue of registering for query or soap.
>>>>
>>>> Could you check that one can call SetUserKeys several times with
>>>> the same keys ? I have read that it can be done, but last time I
>>>> checked, if keys were already registered you would get an error.
>>>>
>>>> thanks,
>>>>
>>>> -sebastien
>>>>
>>>>>
>>>>> Thank you,
>>>>>
>>>>> Likitha
>>>>>
>>>>> -----Original Message-----
>>>>> From: Rajesh Battala [mailto:rajesh.battala@citrix.com]
>>>>> Sent: Friday, December 14, 2012 7:47 PM
>>>>> To: cloudstack-dev@incubator.apache.org
>>>>> Subject: RE: [AWSAPI] user registration
>>>>>
>>>>> From Likitha I heard we don't need user registration for EC2
>>>>> Query API.
>>>>>
>>>>> @Likitha can you confirm it?
>>>>>
>>>>> Thanks
>>>>>
>>>>> Rajesh Battala
>>>>>
>>>>> -----Original Message-----
>>>>> From: Sebastien Goasguen [mailto:runseb@gmail.com]
>>>>> Sent: Friday, December 14, 2012 7:42 PM
>>>>> To: cloudstack-dev@incubator.apache.org
>>>>> Subject: [AWSAPI] user registration
>>>>>
>>>>> Hi,
>>>>>
>>>>> There is a comment from Jessica in
>>>>> https://reviews.apache.org/r/8237/
>>>>> that says that user registration is not required for AWSAPI.
>>>>>
>>>>> Can one of the developers (Prachi, Likitha, Rajesh..) comment on
>>>>> this ?
>>>>>
>>>>> From a previous thread with Likitha, I thought that user
>>>>> registration was mandatory even for the EC2 Query API.
>>>>>
>>>>> Thanks,
>>>>>
>>>>> -Sebastien
>>>>
>>>
>>
>
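The thread's point that AWSAPI must be able to look up a caller's secret key before it can check a Query API signature, as an added example (not code from the thread or from CloudStack). It assumes AWS Signature Version 2 with HMAC-SHA256; the key store, host name and key values are constructed placeholders.

```python
import base64
import hashlib
import hmac
from urllib.parse import quote

# Constructed stand-in for the keys AWSAPI holds after SetUserKeys
# (hypothetical values, not real credentials).
REGISTERED_KEYS = {"EXAMPLE-ACCESS-KEY": "example-secret-key"}


def string_to_sign(method, host, path, params):
    """Canonical string under the assumed Signature Version 2 rules."""
    pairs = sorted((k, v) for k, v in params.items() if k != "Signature")
    query = "&".join(
        quote(k, safe="-_.~") + "=" + quote(v, safe="-_.~") for k, v in pairs
    )
    return "\n".join([method.upper(), host.lower(), path, query])


def sign(secret_key, method, host, path, params):
    """Base64 HMAC-SHA256 of the canonical string, keyed with the secret key."""
    message = string_to_sign(method, host, path, params).encode()
    digest = hmac.new(secret_key.encode(), message, hashlib.sha256).digest()
    return base64.b64encode(digest).decode()


def verify_request(method, host, path, params, key_store=REGISTERED_KEYS):
    """Server-side check: look up the caller's secret key, recompute, compare."""
    secret = key_store.get(params.get("AWSAccessKeyId", ""))
    if secret is None:
        # Keys never registered: the signature cannot be checked at all.
        return "unknown-access-key"
    expected = sign(secret, method, host, path, params)
    supplied = params.get("Signature", "")
    # Constant-time comparison avoids leaking how many characters matched.
    if not hmac.compare_digest(expected.encode(), supplied.encode()):
        return "bad-signature"
    return "ok"


if __name__ == "__main__":
    host, path = "cs-host.example:7080", "/awsapi"  # constructed endpoint
    req = {"Action": "DescribeInstances", "AWSAccessKeyId": "EXAMPLE-ACCESS-KEY",
           "SignatureMethod": "HmacSHA256", "SignatureVersion": "2"}
    req["Signature"] = sign("example-secret-key", "GET", host, path, req)
    print(verify_request("GET", host, path, req))
```

Whichever database ends up holding the keys, the lookup in `verify_request` is the step that fails for a user whose keys were never made available to the AWS API web app.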