May 7th, 2018 06:00

Change Password for Access Key by Object User

Hello Expert:

We found that an object user's password for the Access Key can be changed by the ECS Admin/NS Admin or by the object user themselves.

For the object user themselves, how do they change the password? Does the user also need the NS Admin role?

Is there any detailed info or example that can be shared?

Thanks

Lawrence

May 7th, 2018 06:00

An object user can only change their own secret key if they are also an AD user mapped into the namespace using the domain settings on the namespace. They log in to the management API with their AD credentials and then use the 'secret key self-service' API to rotate their key.

May 7th, 2018 07:00

The domain user example that Jason discusses is described on p. 44-45 of the Data Access Guide:

https://www.emc.com/collateral/TechnicalDocument/docu86295.pdf

May 7th, 2018 07:00

Hi Jason

Should we assign the NS admin/sysadmin role to this AD user before this user can create a secret key by itself?

I tried this in the lab, but it doesn't work until I assign the NS admin or sysadmin role.

Thanks

May 7th, 2018 07:00

Thanks Jason. Another question: if an object user changes the password, the NS Admin or ECS Admin can still see this new password in the GUI in text mode.

May 7th, 2018 10:00

NS admin and sysadmin are applicable only to AD. In ECS he is an object local user (namespace admin).

You can use the Kong API to achieve what you are asking for.

Google Kong API gateway

May 8th, 2018 02:00

Hi HEagle18

We are discussing how an ECS object user can change his secret access key by himself, without the involvement of the NS admin or ECS System admin.

Could you please share with us some steps on how to achieve this with the Kong API gateway?

Thanks

Best Regards

Bai

May 8th, 2018 03:00

Hello All:

We followed the Data Access Guide to set up the password, but it wasn't successful. Can anyone share a script, step by step?

Thanks

Lawrence

May 8th, 2018 09:00

If you have configured the AD authentication provider correctly in ECS, any AD user within the search base should be able to authenticate into the management API and obtain an X-SDS-AUTH-TOKEN token.

curl -L --location-trusted -k https://10.247.100.247:4443/login -u "my_ad_user@domain.com:ChangeMe" -v

The curl command above will work without my_ad_user@domain.com existing as a local object user in ECS. This will at least confirm whether you have AD configured correctly in ECS. If you can't get the X-SDS-AUTH-TOKEN, you likely have something configured incorrectly in the AD Auth Provider within ECS.

Once you have a token, you can attempt to generate a secret key. However, you first need to configure the domain portion of a namespace so that when my_ad_user@domain.com generates a secret key, ECS can map them to your desired namespace and insert them as a local object user.

Have a look here at an example of what the curl commands would look like using an AD user and obtaining a secret key: https://130820690509421904.public.ecstestdrive.com/share/BagOfTricks-CurlWithLDAPUsers.docx

May 8th, 2018 16:00

Hi Ben

Thanks.

I didn't generate the token. It gives me "unexpected error".

But I can assign this domain user (not a local user) as NS admin/sys admin, as an AD/LDAP user, and generate the token successfully.

Based on those, may I say "The AD authentication provider configuration is right, and there is something wrong with my ECS"?

Thanks


May 9th, 2018 08:00

I apologize, I seem to have missed a step in my instructions above, as you do not need to assign the AD user as a namespace admin or sys admin. It looks like before you can authenticate and receive a management token, you need to configure the namespace into which the user will get mapped when they ask for an S3 secret key. Here's what mine looks like:

ns-domain.png

Can you try that and let me know if it works?

Once you get the X-SDS-AUTH-TOKEN, you can call:

curl -k -X POST https://10.1.83.51:4443/object/secret-keys -H "X-SDS-AUTH-TOKEN: BAAcU2dGb2VRWDQwVENSdXJ1bVhoWm5YMDFaeUM4PQMAjAQASHVybjpzdG9yYWdlb3M6VmlydHVhbERhdGFDZW50ZXJEYXRhOjQwN2I2YjZjLWJkYTQtNGJhNC04OWY3LTIyMGFjM2Q5YzA0NAIADTE0OTU3NjkxMjY0OTgDAC51cm46VG9rZW46YzUyMTI3MTctYTMxNC00YjkwLWEwMmUtYWEzNjRkNGEzYjAyAgAC0A8=" -H "Content-Type: application/json" --data-binary "{}"

This will insert the AD domain user as an object user in ECS, create a new S3 secret key and return the result.

Thanks,

Ben
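The two calls described in this thread (log in for an X-SDS-AUTH-TOKEN, then POST to /object/secret-keys) as an added example, not code posted by anyone in the thread: it verifies the ECS certificate against a CA bundle instead of using `-k`, and feeds the AD password and the token to curl through `-K -` so they do not appear in the process argument list. `ECS_HOST`, `ECS_CA` and the function names are assumptions.

```shell
# Added example: ECS secret-key self-service with TLS verification and no secrets in argv.
# Assumed names (not from the thread): ECS_HOST, ECS_CA, and all function names below.
ECS_HOST="${ECS_HOST:-ecs.example.internal}"   # placeholder management endpoint
ECS_CA="${ECS_CA:-/etc/ssl/ecs-ca.pem}"        # placeholder CA bundle, replaces -k

# Escape backslashes and double quotes for a quoted value in a curl config file.
cfg_escape() {
  printf '%s' "$1" | sed -e 's/\\/\\\\/g' -e 's/"/\\"/g'
}

# Read HTTP response headers on stdin and print the X-SDS-AUTH-TOKEN value.
# Header names are case-insensitive; with -L redirects the last header wins.
extract_token() {
  tr -d '\r' | awk 'tolower($0) ~ /^x-sds-auth-token:/ { sub(/^[^:]*: */, ""); tok = $0 }
    END { if (tok == "") exit 1; print tok }'
}

# $1 = AD user (user@domain). The password is read from stdin and passed to curl
# as config on its stdin, so it never shows up in `ps` output or shell history.
ecs_login() {
  IFS= read -r _pass
  printf 'user = "%s:%s"\n' "$(cfg_escape "$1")" "$(cfg_escape "$_pass")" |
    curl -sS -L --location-trusted --cacert "$ECS_CA" -K - -D - -o /dev/null \
      "https://${ECS_HOST}:4443/login" | extract_token
}

# Token is read from stdin; prints the response body carrying the new secret key.
ecs_new_secret_key() {
  IFS= read -r _token
  printf 'header = "X-SDS-AUTH-TOKEN: %s"\n' "$(cfg_escape "$_token")" |
    curl -sS --fail --cacert "$ECS_CA" -K - -X POST \
      -H 'Content-Type: application/json' --data-binary '{}' \
      "https://${ECS_HOST}:4443/object/secret-keys"
}

# Usage: sh ecs-rotate.sh rotate my_ad_user@domain.com < password-file
if [ "${1:-}" = "rotate" ]; then
  token=$(ecs_login "$2") || {
    echo "no X-SDS-AUTH-TOKEN returned: check the AD auth provider and the namespace domain mapping" >&2
    exit 1
  }
  printf '%s\n' "$token" | ecs_new_secret_key
fi
```

The response body contains the new secret key, so send it to a file with restrictive permissions or a secrets store, not to a shared terminal log.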

May 9th, 2018 16:00

Hi Ben

Thanks, it works.

It seems I should not configure the AD attribute in the namespace configuration. I should only configure Group.

Thanks for your help.

Thanks

Best Regards

Bai

May 10th, 2018 05:00

Glad to hear, Baig1, that it's now working.

lawrencema, do you still have a question? If not, can we mark this as answered?
