Based on the below discussion, I have submitted a patch for review to remove 
the user registration step for EC2 Query API calls (Review Request #8742).
The approach followed is that AWSAPI web app retrieves the keys from CloudStack 
DB and uses the same for signature generation. 

Do review the patch and bring up any concerns you may have with the approach.

Thank you,
Likitha 

-----Original Message-----
From: Likitha Shetty [mailto:[email protected]] 
Sent: Tuesday, December 18, 2012 6:53 PM
To: [email protected]
Subject: RE: [AWSAPI] user registration

+1

-----Original Message-----
From: Chiradeep Vittal [mailto:[email protected]]
Sent: Tuesday, December 18, 2012 1:06 AM
To: CloudStack DeveloperList
Subject: Re: [AWSAPI] user registration

You could imagine for instance the ability to expire keys, regenerate keys etc. 
This makes it onerous on the end-user to re-register their keys.
API keys are fundamental enough that I feel comfortable allowing the aws api 
web app to access the cloudstack db.

On 12/17/12 5:28 AM, "Likitha Shetty" <[email protected]> wrote:

>Yes, doesn't sound like a good idea. But currently we do make calls to 
>the CloudStack DB from AWSAPI. For e.g. to get the service-offering id 
>of the specified service-offering name during VM we call the CloudStack DB.
>Also, if we put the keys in the cloud bridge DB when the CS API is 
>called won't we be mixing the DBs anyway ?
>
>Thank you,
>Likitha
>
>-----Original Message-----
>From: Sebastien Goasguen [mailto:[email protected]]
>Sent: Monday, December 17, 2012 6:19 PM
>To: [email protected]
>Subject: Re: [AWSAPI] user registration
>
>
>On Dec 17, 2012, at 10:43 AM, Likitha Shetty 
><[email protected]>
>wrote:
>
>> In AWSAPI, while checking if the user keys exist and also while 
>>retrieving the secret-key for signature generation, we could make a 
>>change to directly check in the CloudStack DB instead of the 
>>cloudbridge DB ? This way we won't require user-registration for Query API.
>> 
>
>Maybe.
>
>Since awsapi is a separate app, maybe mixing db's is not a good idea. 
>I'd rather see the keys being put in the cloud bridge db when they are 
>generated (via gui or api call). We can check if cloud bridge is setup, 
>if yes then store the keys.
>
>-Sebastien
>
>
>> Thank you,
>> Likitha
>> 
>> -----Original Message-----
>> From: Sebastien Goasguen [mailto:[email protected]]
>> Sent: Monday, December 17, 2012 2:17 PM
>> To: [email protected]
>> Subject: Re: [AWSAPI] user registration
>> 
>> 
>> On Dec 17, 2012, at 8:30 AM, Chiradeep Vittal 
>><[email protected]> wrote:
>> 
>>> Sebastien, how does this proposed patch work? With the query API, 
>>>there should not be any need for the registration step since the 
>>>query API does not need the certificate. When the admin / user 
>>>generates the keys these should be made available to the aws api web 
>>>app.
>> 
>> Nothing fancy. From the thread with Likitha it seems we do still need 
>>to register. In the case of the query API it's just a call to 
>>SetUserKeys.
>> So I just put an if statement on there, that checks if a certificate 
>>is present when you use the cloudstack-aws-api-register script, i.e. is 
>>the -c option used or not. If not then it only calls SetUserKeys and 
>>not the SetCertificate afterwards.
>> 
>> Of course, I do think that when keys are generated for the user they 
>>could be automatically registered in the aws web app. But as far as I 
>>know this is not the case yet. Could be a simple change to the UI 
>>scripts. I have not looked into that.
>> 
>> Does that make sense ?
>> 
>> 
>>> 
>>> On 12/15/12 8:45 AM, "Sebastien Goasguen" <[email protected]> wrote:
>>> 
>>>> 
>>>> On Dec 14, 2012, at 4:09 PM, Likitha Shetty 
>>>> <[email protected]>
>>>> wrote:
>>>> 
>>>>> You are right Sebastien, like we discussed in the previous thread 
>>>>> we do need to perform user-registration before making both EC2 SOAP 
>>>>> and EC2 Query API calls.
>>>>> 
>>>>> 
>>>>> 
>>>>> The difference is the steps in the user-registration,
>>>>> 
>>>>> 1. For SOAP, cloudstack-aws-api-register --apikey=<User's CloudPlatform API key> --secretkey=<User's CloudPlatform Secret key> --cert=<path/to/cert.pem> --url=http://<cloud-mgmt-server>:7080/awsapi.
>>>>> 
>>>>> 2. For REST, http://<cloud-mgmt-server>:7080/awsapi?Action=SetUserKeys&accesskey=<User's CloudPlatform API key>&secretkey=<User's CloudPlatform Secret key>
>>>>> 
>>>>> 
>>>>> 
>>>>> Additional info:
>>>>> 
>>>>> cloudstack-aws-api-register script performs both the actions, 
>>>>> SetUserKeys and SetCertificate.
>>>>> 
>>>>> * SetUserKeys gives the user's API access and secret keys to
>>>>> AWSAPI so that AWSAPI can call the CloudStack API with these keys.
>>>>> This is required for both Query and SOAP.
>>>>> 
>>>>> * SetCertificate registers the user's X.509 certificate with
>>>>> AWSAPI. EC2 requires the client to have a public/private key pair 
>>>>> with the public key defined by an X.509 certificate. This is 
>>>>> required for SOAP access only 
>>>>> (http://docs.amazonwebservices.com/AWSEC2/latest/UserGuide/using-soap-api.html)
>>>>> 
>>>>> 
>>>> 
>>>> Thanks for clarifying Likitha. I actually have a patch pending 
>>>> submission to solve the issue of registering for query or soap.
>>>> 
>>>> Could you check that one can call SetUserKeys several times with 
>>>> the same keys ? I have read that it can be done, but last time I 
>>>> checked, if keys were already registered you would get an error.
>>>> 
>>>> thanks,
>>>> 
>>>> -sebastien
>>>> 
>>>> 
>>>>> 
>>>>> Thank you,
>>>>> 
>>>>> Likitha
>>>>> 
>>>>> 
>>>>> 
>>>>> -----Original Message-----
>>>>> From: Rajesh Battala [mailto:[email protected]]
>>>>> Sent: Friday, December 14, 2012 7:47 PM
>>>>> To: [email protected]
>>>>> Subject: RE: [AWSAPI] user registration
>>>>> 
>>>>> 
>>>>> 
>>>>> From Likitha I heard we don't need user registration for EC2 Query 
>>>>>API.
>>>>> 
>>>>> @Likitha can you confirm it.?
>>>>> 
>>>>> 
>>>>> 
>>>>> Thanks
>>>>> 
>>>>> Rajesh Battala
>>>>> 
>>>>> 
>>>>> 
>>>>> 
>>>>> 
>>>>> -----Original Message-----
>>>>> 
>>>>> From: Sebastien Goasguen [mailto:[email protected]]
>>>>> 
>>>>> Sent: Friday, December 14, 2012 7:42 PM
>>>>> 
>>>>> To: [email protected]
>>>>> 
>>>>> Subject: [AWSAPI] user registration
>>>>> 
>>>>> 
>>>>> 
>>>>> Hi,
>>>>> 
>>>>> 
>>>>> 
>>>>> There is a comment from Jessica in 
>>>>> https://reviews.apache.org/r/8237/
>>>>> that says that user registration is not required for AWSAPI.
>>>>> 
>>>>> 
>>>>> 
>>>>> Can one of the developers (Prachi, Likitha, Rajesh..) comment on 
>>>>>this ?
>>>>> 
>>>>> 
>>>>> 
>>>>> From a previous thread with Likitha, I thought that user 
>>>>> registration was mandatory even for the EC2 Query API.
>>>>> 
>>>>> 
>>>>> 
>>>>> Thanks,
>>>>> 
>>>>> 
>>>>> 
>>>>> -Sebastien
>>>> 
>>> 
>> 
>
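
An added example, not part of the original thread and not CloudStack or AWSAPI code: it contrasts verifying a Query API signature against a registered copy of the keys with verifying against the authoritative key store, across a key regeneration. It assumes AWS Signature Version 2 style HMAC-SHA256 signing; the dictionaries standing in for the CloudStack and cloud bridge databases, the key values, the request parameters and all function names are constructed for illustration.

```python
import base64, hashlib, hmac
from urllib.parse import quote

HOST, PATH = "cloud-mgmt-server:7080", "/awsapi"  # placeholder endpoint

def string_to_sign(method, params):
    # SigV2 canonical form: sorted, RFC 3986-encoded query pairs, Signature excluded.
    pairs = sorted((k, v) for k, v in params.items() if k != "Signature")
    query = "&".join(f"{quote(k, safe='-_.~')}={quote(v, safe='-_.~')}" for k, v in pairs)
    return f"{method}\n{HOST.lower()}\n{PATH}\n{query}"

def sign(secret, method, params):
    msg = string_to_sign(method, params).encode()
    return base64.b64encode(hmac.new(secret.encode(), msg, hashlib.sha256).digest()).decode()

def verify(key_store, method, params):
    """True only if Signature matches the secret key_store holds for the access key."""
    secret = key_store.get(params.get("AWSAccessKeyId", ""))
    if secret is None or "Signature" not in params:
        return False
    # Constant-time comparison of the recomputed and presented signatures.
    return hmac.compare_digest(sign(secret, method, params), params["Signature"])

def client_request(access_key, secret):
    # Constructed request, signed the way a Query API client would sign it.
    params = {"Action": "DescribeInstances", "AWSAccessKeyId": access_key,
              "SignatureMethod": "HmacSHA256", "SignatureVersion": "2",
              "Timestamp": "2012-12-18T00:00:00Z"}
    params["Signature"] = sign(secret, "GET", params)
    return params

def demo():
    cloudstack_db = {"constructed-api-key": "old-secret"}  # authoritative store (stand-in)
    bridge_db = dict(cloudstack_db)       # copy taken at registration time (stand-in)
    old = client_request("constructed-api-key", "old-secret")
    cloudstack_db["constructed-api-key"] = "new-secret"    # keys regenerated, no re-registration
    new = client_request("constructed-api-key", "new-secret")
    return {
        "copy_accepts_new_key": verify(bridge_db, "GET", new),
        "copy_accepts_old_key": verify(bridge_db, "GET", old),
        "direct_accepts_new_key": verify(cloudstack_db, "GET", new),
        "direct_accepts_old_key": verify(cloudstack_db, "GET", old),
    }

if __name__ == "__main__":
    print(demo())
```

With the registered copy, the regenerated key is rejected and the replaced key keeps verifying until the user registers again; the direct lookup has neither problem.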
