May 7th, 2018 06:00

Change Password for Access Key by Object User

Hello Expert:

We found that an object user's password for the Access Key can be changed by the ECS Admin/NS Admin or by the Object User themselves.

For the Object User themselves, how do they change the password? Does the user also need the NS Admin role?

Is there any detailed info or an example that can be shared?

Thanks

Lawrence

281 Posts

May 7th, 2018 06:00

An object user can only change their own secret key if they are also an AD user mapped into the namespace using the domain settings on the namespace. They log in to the management API with their AD credentials and then use the 'secret key self-service' API to rotate their key.

22 Posts

May 7th, 2018 07:00

The domain user example that Jason discusses is described on p. 44-45 of the Data Access Guide:

https://www.emc.com/collateral/TechnicalDocument/docu86295.pdf

May 7th, 2018 07:00

Thanks, Jason. Another question: if the object user changes the password, the NS Admin or ECS Admin can still see this new password in the GUI in text mode.

41 Posts

May 7th, 2018 10:00

NS admin and sysadmin are applicable only to AD. In ECS he is an object local user (namespace admin).

You can use the Kong API to achieve what you are asking for.

Google "Kong API gateway".

May 8th, 2018 03:00

Hello All:

We followed the Data Access Guide to set up the password, but it wasn't successful. Can anyone share their script step by step?

Thanks

Lawrence

1 Rookie

75 Posts

May 8th, 2018 09:00

If you have configured the AD authentication provider correctly in ECS, any AD user within the search base should be able to authenticate into the management API and obtain an X-SDS-AUTH-TOKEN token.

curl -L --location-trusted -k https://10.247.100.247:4443/login -u "my_ad_user@domain.com:ChangeMe" -v

The curl command above will work without my_ad_user@domain.com existing as a local object user in ECS.  This will at least confirm if you have AD configured correctly in ECS.  If you can't get the X-SDS-AUTH-TOKEN, you likely have something configured incorrectly in the AD Auth Provider within ECS.

Once you have a token, you can attempt to generate a secret key.  However, you first need to configure the domain portion of a namespace so that when my_ad_user@domain.com generates a secret key, ECS can map them to your desired namespace and insert them as a local object user.

Have a look here at an example of what the curl commands would look like using an AD user and obtaining a secret key: https://130820690509421904.public.ecstestdrive.com/share/BagOfTricks-CurlWithLDAPUsers.docx

1 Rookie

75 Posts

May 9th, 2018 08:00

I apologize, I seem to have missed a step in my instructions above, as you do not need to assign the AD user as a namespace admin or sys admin. It looks like before you can authenticate and receive a management token, you need to configure the namespace into which the user will get mapped when they ask for an S3 secret key. Here's what mine looks like:

ns-domain.png

Can you try that and let me know if it works?

Once you get the X-SDS-AUTH-TOKEN, you can call:

curl -k -X POST https://10.1.83.51:4443/object/secret-keys -H "X-SDS-AUTH-TOKEN: BAAcU2dGb2VRWDQwVENSdXJ1bVhoWm5YMDFaeUM4PQMAjAQASHVybjpzdG9yYWdlb3M6VmlydHVhbERhdGFDZW50ZXJEYXRhOjQwN2I2YjZjLWJkYTQtNGJhNC04OWY3LTIyMGFjM2Q5YzA0NAIADTE0OTU3NjkxMjY0OTgDAC51cm46VG9rZW46YzUyMTI3MTctYTMxNC00YjkwLWEwMmUtYWEzNjRkNGEzYjAyAgAC0A8=" -H "Content-Type: application/json" --data-binary "{}"

This will insert the AD domain user as an object user in ECS, create a new S3 secret key and return the result.

Thanks,

Ben
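The two calls described in the posts above (log in with AD credentials, then POST to /object/secret-keys with the returned token), chained into one script. This is an added example, not code from any poster or from the ECS documentation. It assumes the host, AD user and CA bundle path are passed as arguments (the script name is arbitrary), verifies the ECS certificate with --cacert instead of -k, and hands the password and token to curl on stdin so they do not show up in the process list.

```shell
#!/bin/sh
# Added example: chains the two curl calls shown in this thread.
# The argument names (host, user, CA bundle path) are assumptions of this sketch.

# Print the X-SDS-AUTH-TOKEN value found in an HTTP header dump on stdin.
# Header names are case-insensitive and -L can yield several responses,
# so the last match wins. Exit status 1 means no token was returned.
extract_sds_token() {
    awk '{
        line = $0; sub(/\r$/, "", line)
        i = index(line, ":")
        if (i && tolower(substr(line, 1, i - 1)) == "x-sds-auth-token") {
            v = substr(line, i + 1); sub(/^[ \t]+/, "", v); tok = v
        }
    }
    END { if (tok == "") exit 1; print tok }'
}

# Log in as the AD user, then ask ECS for a new S3 secret key.
rotate_secret_key() {
    host=$1; user=$2; ca=$3
    printf 'AD password for %s: ' "$user" >&2
    stty -echo; IFS= read -r pass; stty echo; echo >&2
    # Escape \ and " for curl's config-file syntax.
    pass=$(printf '%s' "$pass" | sed 's/[\\"]/\\&/g')
    hdrs=$(mktemp) || return 1
    # Credentials reach curl via a config on stdin (-K -), not argv,
    # and --cacert replaces -k so the ECS certificate is verified.
    printf 'user = "%s:%s"\n' "$user" "$pass" |
        curl -sS -L --location-trusted --cacert "$ca" -K - \
             -D "$hdrs" -o /dev/null "https://$host:4443/login"
    token=$(extract_sds_token < "$hdrs"); rc=$?
    rm -f "$hdrs"; unset pass
    if [ "$rc" -ne 0 ]; then
        echo "no X-SDS-AUTH-TOKEN: check the AD auth provider and namespace domain" >&2
        return 1
    fi
    printf 'header = "X-SDS-AUTH-TOKEN: %s"\n' "$token" |
        curl -sS --cacert "$ca" -K - -X POST \
             -H "Content-Type: application/json" --data-binary '{}' \
             "https://$host:4443/object/secret-keys"
}

# Usage: sh ecs-rotate.sh <ecs-host> <ad-user@domain> <ca-bundle.pem>
if [ $# -eq 3 ]; then rotate_secret_key "$@"; fi
```

The response to the second call contains the new secret key, so send the output to a file with restricted permissions or a secrets store, not to a shared terminal log.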

1 Rookie

75 Posts

May 10th, 2018 05:00

Glad to hear Baig1  that it's now working.

lawrencema  Do you still have a question?  If not, can we mark this as answered?
