Bug #14105

open

adminops subuser specify S3 keys

Added by Derek Yarnell over 8 years ago. Updated about 4 years ago.

Status: Need More Info
Priority: Normal
Target version: -
% Done: 0%
Source: other
Tags:
Backport:
Regression: No
Severity: 3 - minor
Reviewed:
ceph-qa-suite:
Pull request ID:
Crash signature (v1):
Crash signature (v2):

Description

The subuser create interface in the adminops api does not allow you to specify a secret key and access key for s3.

This call will work and create a subuser 'staff' with read access and S3 generated access and secret keys.

DEBUG:requests.packages.urllib3.connectionpool:"PUT /admin/user?subuser&format=json&uid=staff&subuser=test3&key-type=s3&access=read&generate-secret=True HTTP/1.1" 200 87

This call will not work and returns InvalidArgument when you specify key-type of S3 and give it an access-key and secret-key.

DEBUG:requests.packages.urllib3.connectionpool:"PUT /admin/user?subuser&format=json&uid=staff&subuser=test4&access-key=bbbbbbbbb&secret-key=cccccccccc&key-type=s3&access=read HTTP/1.1" 400 26
ERROR:rgwadmin.rgw:{u'Code': u'InvalidArgument'}

The radosgw-admin command line interface does allow you to create a subuser with S3 access and secret keys specified.

radosgw-admin subuser create --uid=-staff --subuser=test1 --access-key=aaaaaaaaa --secret=zzzzzzzzz --access=read

Actions #1

Updated by Abhishek Lekshmanan over 8 years ago

Whenever you specify subuser create with a secret key, iirc only the swift secret key is created; the access key is just dropped as far as I understand. Do check if that is the case.

Actions #2

Updated by Abhishek Lekshmanan over 8 years ago

  • Status changed from New to Need More Info
Actions #3

Updated by Derek Yarnell about 8 years ago

The behavior of the radosgw-admin CLI does allow this; see this example (hammer). The issue is that the Admin REST API does not conform to this same behavior. There are some good use cases of creating subusers for S3 with the permission model.

[root@cephproxy00 ~]# radosgw-admin user create --uid=testuser --display-name="Test User"
{
"user_id": "testuser",
"display_name": "Test User",
"email": "",
"suspended": 0,
"max_buckets": 1000,
"auid": 0,
"subusers": [],
"keys": [ {
"user": "testuser",
"access_key": "!REDACTED!",
"secret_key": "!REDACTED!"
}
],
"swift_keys": [],
"caps": [],
"op_mask": "read, write, delete",
"default_placement": "",
"placement_tags": [],
"bucket_quota": {
"enabled": false,
"max_size_kb": -1,
"max_objects": -1
},
"user_quota": {
"enabled": false,
"max_size_kb": -1,
"max_objects": -1
},
"temp_url_keys": []
}

[root@cephproxy00 ~]# radosgw-admin subuser create --uid=testuser --subuser=test1 --access-key=aaaaaaaaa --secret=zzzzzzzzz --access=read
{
"user_id": "testuser",
"display_name": "Test User",
"email": "",
"suspended": 0,
"max_buckets": 1000,
"auid": 0,
"subusers": [ {
"id": "testuser:test1",
"permissions": "read"
}
],
"keys": [ {
"user": "testuser",
"access_key": "!REDACTED!",
"secret_key": "!REDACTED!"
}, {
"user": "testuser:test1",
"access_key": "aaaaaaaaa",
"secret_key": "zzzzzzzzz"
}
],
"swift_keys": [],
"caps": [],
"op_mask": "read, write, delete",
"default_placement": "",
"placement_tags": [],
"bucket_quota": {
"enabled": false,
"max_size_kb": -1,
"max_objects": -1
},
"user_quota": {
"enabled": false,
"max_size_kb": -1,
"max_objects": -1
},
"temp_url_keys": []
}
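
A check for the question raised in comment #1 (is the requested S3 key kept, or is only a Swift key created?), as an added example that is not part of the original ticket or of Ceph. It inspects user-info JSON shaped like the output in comment #3; the function name `subuser_key_report` and the sample values are constructed for illustration.

```python
import json

# Constructed sample: trimmed user-info JSON modelled on the output shown in
# comment #3 (parent key values are placeholders, not real credentials).
SAMPLE_USER_INFO = """
{
  "user_id": "testuser",
  "subusers": [{"id": "testuser:test1", "permissions": "read"}],
  "keys": [
    {"user": "testuser", "access_key": "PARENTKEY", "secret_key": "PARENTSECRET"},
    {"user": "testuser:test1", "access_key": "aaaaaaaaa", "secret_key": "zzzzzzzzz"}
  ],
  "swift_keys": []
}
"""


def subuser_key_report(user_info, subuser, expected_access_key=None):
    """Summarise which credentials a subuser ended up with.

    Secret keys are deliberately left out of the report so it can be logged.
    """
    full_id = f"{user_info['user_id']}:{subuser}"
    perms = next((s["permissions"] for s in user_info.get("subusers", [])
                  if s["id"] == full_id), None)
    # S3 keys live under "keys", Swift secrets under "swift_keys".
    s3_keys = [k["access_key"] for k in user_info.get("keys", [])
               if k["user"] == full_id]
    has_swift = any(k["user"] == full_id
                    for k in user_info.get("swift_keys", []))
    applied = None
    if expected_access_key is not None:
        applied = expected_access_key in s3_keys
    return {
        "subuser": full_id,
        "exists": perms is not None,
        "permissions": perms,
        "s3_access_keys": s3_keys,
        "has_swift_key": has_swift,
        "requested_key_applied": applied,
    }


if __name__ == "__main__":
    info = json.loads(SAMPLE_USER_INFO)
    print(json.dumps(subuser_key_report(info, "test1", "aaaaaaaaa"), indent=2))
```

Running the same report on the JSON returned by a subuser create call makes a silently dropped access key visible as `requested_key_applied: false`.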

Actions #4

Updated by Abhishek Lekshmanan about 4 years ago

  • Assignee set to Abhishek Lekshmanan