Change Password for Access Key by Object User
Hello Expert:
We found that an object user's password for the Access Key can be changed by the ECS Admin/NS Admin or by the Object User themselves.
For the Object User themselves, how do they change the password? Does the user also need the NS Admin role?
Is there any detailed info or example that can be shared?
Thanks
Lawrence
JasonCwik
281 Posts
0
May 7th, 2018 06:00
An object user can only change their own secret key if they are also an AD user mapped into the namespace using the domain settings on the namespace. They log in to the management API with their AD credentials and then use the 'secret key self-service' API to rotate their key.
coneryj
22 Posts
0
May 7th, 2018 07:00
The domain user example that Jason discusses is described on pp. 44-45 of the Data Access Guide:
https://www.emc.com/collateral/TechnicalDocument/docu86295.pdf
Anonymous
5 Practitioner
274.2K Posts
0
May 7th, 2018 07:00
Hi Jason
Shall we assign the NS admin/sysadmin role to this AD user before this user can create a secret key by itself?
I tried this in the lab, but it doesn't work until I assign the NS admin or sysadmin role.
thanks
LAWRENCEMALONG
9 Posts
0
May 7th, 2018 07:00
Thanks Jason. Another question: if an object user changes the password, the NS Admin or ECS Admin can still see this new password in the GUI in text mode.
HEagle18
41 Posts
0
May 7th, 2018 10:00
NS admin and sysadmin are applicable only to AD. In ECS he is an object local user (namespace admin).
You can use the Kong API to achieve what you are asking for.
Google "Kong API gateway".
Anonymous
5 Practitioner
274.2K Posts
0
May 8th, 2018 02:00
Hi HEagle18
We are discussing how an ECS object user can change his secret access key by himself, without the involvement of the NS admin or ECS System admin.
Could you please share some steps on how to achieve this with the Kong API gateway? Thanks
thanks
Best Regards
Bai
LAWRENCEMALONG
9 Posts
0
May 8th, 2018 03:00
Hello All:
We followed the Data Access Guide to set up the password, but it wasn't successful. Can anyone share their script step by step?
Thanks
Lawrence
benschumacher
75 Posts
0
May 8th, 2018 09:00
If you have configured the AD authentication provider correctly in ECS, any AD user within the search base should be able to authenticate into the management API and obtain an X-SDS-AUTH-TOKEN token.
curl -L --location-trusted -k https://10.247.100.247:4443/login -u "my_ad_user@domain.com:ChangeMe" -v
The curl command above will work without my_ad_user@domain.com existing as a local object user in ECS. This will at least confirm if you have AD configured correctly in ECS. If you can't get the X-SDS-AUTH-TOKEN, you likely have something configured incorrectly in the AD Auth Provider within ECS.
Once you have a token, you can attempt to generate a secret key. However, you first need to configure the domain portion of a namespace so that when my_ad_user@domain.com generates a secret key, ECS can map them to your desired namespace and insert them as a local object user.
Have a look here at an example of what the curl commands would look like using an AD user and obtaining a secret key: https://130820690509421904.public.ecstestdrive.com/share/BagOfTricks-CurlWithLDAPUsers.docx
Anonymous
5 Practitioner
274.2K Posts
0
May 8th, 2018 16:00
Hi Ben
Thanks.
I didn't generate the token. It gives me "unexpected error".
But I can assign this domain user (not local user) as NS admin/sys admin, as an AD/LDAP user, and generate the token successfully.
Based on those, may I say "The AD authentication provider configuration is right, and there is something wrong with my ECS"?
thanks
benschumacher
75 Posts
0
May 9th, 2018 08:00
I apologize, I seem to have missed a step in my instructions above as you do not need to assign the AD user as a namespace admin or sys admin. It looks like before you can authenticate and receive a management token, you need to configure the namespace into which the user will get mapped when they ask for an S3 secret key. Here's what mine looks like:
Can you try that and let me know if it works?
Once you get the X-SDS-AUTH-TOKEN, you can call:
curl -k -X POST https://10.1.83.51:4443/object/secret-keys -H "X-SDS-AUTH-TOKEN: BAAcU2dGb2VRWDQwVENSdXJ1bVhoWm5YMDFaeUM4PQMAjAQASHVybjpzdG9yYWdlb3M6VmlydHVhbERhdGFDZW50ZXJEYXRhOjQwN2I2YjZjLWJkYTQtNGJhNC04OWY3LTIyMGFjM2Q5YzA0NAIADTE0OTU3NjkxMjY0OTgDAC51cm46VG9rZW46YzUyMTI3MTctYTMxNC00YjkwLWEwMmUtYWEzNjRkNGEzYjAyAgAC0A8=" -H "Content-Type: application/json" --data-binary "{}"
This will insert the AD domain user as an object user in ECS, create a new S3 secret key and return the result.
Thanks,
Ben
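Added example, not part of the thread: the two calls described above (login for an X-SDS-AUTH-TOKEN, then POST to /object/secret-keys) as one script that keeps the AD password and the token out of the process list and verifies the server certificate instead of using -k. The ECS_HOST, ECS_USER and ECS_CA variables, the function names and the sample headers are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the thread. Assumed env vars: ECS_HOST, ECS_USER, ECS_CA.
set -u

# Print the X-SDS-AUTH-TOKEN value from HTTP response headers on stdin.
# Header names are case-insensitive, lines end in CRLF, and -L can yield
# several header blocks, so keep the last match. Exit 1 if none is found.
extract_token() {
  tr -d '\r' | awk 'tolower($0) ~ /^x-sds-auth-token:/ {
      sub(/^[^:]*:[ \t]*/, ""); tok = $0 }
    END { if (tok == "") exit 1; print tok }'
}

# $1 = AD user (user@domain); the password is read from stdin and handed to
# curl through a config stream (-K -), so it never appears in argv.
ecs_login() {
  IFS= read -r pass
  pass=$(printf '%s' "$pass" | sed 's/[\\"]/\\&/g')   # escape for curl config
  printf 'user = "%s:%s"\n' "$1" "$pass" |
    curl -sS --cacert "$ECS_CA" -K - -D - -o /dev/null \
      -L --location-trusted "https://$ECS_HOST:4443/login" | extract_token
}

# $1 = token; same request as in the thread, with the token header kept out of argv.
ecs_new_secret_key() {
  printf 'header = "X-SDS-AUTH-TOKEN: %s"\n' "$1" |
    curl -sS --cacert "$ECS_CA" -K - -X POST \
      -H 'Content-Type: application/json' --data-binary '{}' \
      "https://$ECS_HOST:4443/object/secret-keys"
}

# Constructed sample: a redirect followed by the final login response.
SAMPLE_HEADERS=$(printf 'HTTP/1.1 302 Found\r\nLocation: /login\r\n\r\nHTTP/1.1 200 OK\r\nx-sds-auth-token: CONSTRUCTED_TOKEN==\r\n\r\n')

# Only talk to the network when a target is configured.
if [ -n "${ECS_HOST:-}" ]; then
  printf 'AD password for %s: ' "$ECS_USER" >&2
  stty -echo; IFS= read -r pw; stty echo; echo >&2
  token=$(printf '%s\n' "$pw" | ecs_login "$ECS_USER") ||
    { echo 'login failed: no X-SDS-AUTH-TOKEN returned' >&2; exit 1; }
  ecs_new_secret_key "$token"
fi
```

The secret key comes back in the response body, so send the output to a file with restrictive permissions rather than a shared terminal log.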
Anonymous
5 Practitioner
274.2K Posts
0
May 9th, 2018 16:00
Hi Ben
Thanks, it works.
It seems I should not configure the AD attribute in the Namespace configuration. I should only configure Group.
Thanks for your help.
thanks
Best Regards
Bai
benschumacher
75 Posts
0
May 10th, 2018 05:00
Glad to hear Baig1 that it's now working.
lawrencema Do you still have a question? If not, can we mark this as answered?