Bug #14105
openadminops subuser specify S3 keys
Description
The subuser create interface in the adminops api does not allow you to specify a secret key and access key for s3.
This call will work and create a subuser 'staff' with read access and S3 generated access and secret keys.
DEBUG:requests.packages.urllib3.connectionpool:"PUT /admin/user?subuser&format=json&uid=staff&subuser=test3&key-type=s3&access=read&generate-secret=True HTTP/1.1" 200 87
This call will not work and returns InvalidArgument when you specify key-type of S3 and give it an access-key and secret-key.
DEBUG:requests.packages.urllib3.connectionpool:"PUT /admin/user?subuser&format=json&uid=staff&subuser=test4&access-key=bbbbbbbbb&secret-key=cccccccccc&key-type=s3&access=read HTTP/1.1" 400 26
ERROR:rgwadmin.rgw:{u'Code': u'InvalidArgument'}
The radosgw-admin command line interface does allow you to create a subuser with S3 access and secret keys specified.
radosgw-admin subuser create --uid=-staff --subuser=test1 --access-key=aaaaaaaaa --secret=zzzzzzzzz --access=read
Updated by Abhishek Lekshmanan over 8 years ago
Whenever you specify subuser create with a secret key, iirc only the swift secret key is created; the access key is just dropped as far as I understand. Do check if that is the case.
Updated by Abhishek Lekshmanan over 8 years ago
- Status changed from New to Need More Info
Updated by Derek Yarnell about 8 years ago
The behavior of the radosgw-admin CLI does allow this; see this example (hammer). The issue is that the Admin REST API does not conform to this same behavior. There are some good use cases of creating subusers for S3 with the permission model.
[root@cephproxy00 ~]# radosgw-admin user create --uid=testuser --display-name="Test User"
{
    "user_id": "testuser",
    "display_name": "Test User",
    "email": "",
    "suspended": 0,
    "max_buckets": 1000,
    "auid": 0,
    "subusers": [],
    "keys": [
        {
            "user": "testuser",
            "access_key": "!REDACTED!",
            "secret_key": "!REDACTED!"
        }
    ],
    "swift_keys": [],
    "caps": [],
    "op_mask": "read, write, delete",
    "default_placement": "",
    "placement_tags": [],
    "bucket_quota": {
        "enabled": false,
        "max_size_kb": -1,
        "max_objects": -1
    },
    "user_quota": {
        "enabled": false,
        "max_size_kb": -1,
        "max_objects": -1
    },
    "temp_url_keys": []
}
[root@cephproxy00 ~]# radosgw-admin subuser create --uid=testuser --subuser=test1 --access-key=aaaaaaaaa --secret=zzzzzzzzz --access=read
{
    "user_id": "testuser",
    "display_name": "Test User",
    "email": "",
    "suspended": 0,
    "max_buckets": 1000,
    "auid": 0,
    "subusers": [
        {
            "id": "testuser:test1",
            "permissions": "read"
        }
    ],
    "keys": [
        {
            "user": "testuser",
            "access_key": "!REDACTED!",
            "secret_key": "!REDACTED!"
        },
        {
            "user": "testuser:test1",
            "access_key": "aaaaaaaaa",
            "secret_key": "zzzzzzzzz"
        }
    ],
    "swift_keys": [],
    "caps": [],
    "op_mask": "read, write, delete",
    "default_placement": "",
    "placement_tags": [],
    "bucket_quota": {
        "enabled": false,
        "max_size_kb": -1,
        "max_objects": -1
    },
    "user_quota": {
        "enabled": false,
        "max_size_kb": -1,
        "max_objects": -1
    },
    "temp_url_keys": []
}
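The question raised in the thread (did the requested pair land under "keys", or was only a swift secret created and the access key dropped?) can be checked mechanically against user-info JSON like the output above. This is an added example, not part of the original report or of Ceph/rgwadmin; the function name `subuser_key_report` is hypothetical, and the sample document is constructed from the fields shown in the thread.

```python
import json

# Constructed sample: the fields of `radosgw-admin subuser create` output that
# matter here, trimmed from the hammer output quoted in the thread.
SAMPLE_USER_INFO = json.loads("""
{
  "user_id": "testuser",
  "subusers": [{"id": "testuser:test1", "permissions": "read"}],
  "keys": [
    {"user": "testuser", "access_key": "!REDACTED!", "secret_key": "!REDACTED!"},
    {"user": "testuser:test1", "access_key": "aaaaaaaaa", "secret_key": "zzzzzzzzz"}
  ],
  "swift_keys": []
}
""")


def subuser_key_report(user_info, subuser, want_access=None, want_secret=None):
    """Report where a subuser's credentials landed in a user-info document.

    `subuser` is the short name ("test1"); it is matched against the
    "<uid>:<subuser>" form used in the "subusers", "keys" and "swift_keys" lists.
    """
    full_id = f"{user_info['user_id']}:{subuser}"
    perms = next((s["permissions"] for s in user_info.get("subusers", [])
                  if s["id"] == full_id), None)
    s3 = [k for k in user_info.get("keys", []) if k["user"] == full_id]
    swift = [k for k in user_info.get("swift_keys", []) if k["user"] == full_id]
    # The requested pair counts as honoured only if one S3 entry carries both
    # values; a swift-only entry means the access key was dropped.
    honoured = any(
        (want_access is None or k["access_key"] == want_access) and
        (want_secret is None or k["secret_key"] == want_secret)
        for k in s3
    )
    return {
        "subuser": full_id,
        "exists": perms is not None,
        "permissions": perms,
        "s3_keys": len(s3),
        "swift_keys": len(swift),
        "requested_s3_key_present": honoured,
    }


if __name__ == "__main__":
    print(subuser_key_report(SAMPLE_USER_INFO, "test1", "aaaaaaaaa", "zzzzzzzzz"))
```

Run against the response body of the Admin Ops call as well as the CLI output, the same report shows whether the two interfaces agree for a given subuser.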
Updated by Abhishek Lekshmanan about 4 years ago
- Assignee set to Abhishek Lekshmanan