AD-User as Object-User - Encrypted Secret Key?
Hi @all,
I have two questions.
The first question is regarding secret keys of object-users.
After I did a quick ECS demo, the customer asked whether the secret key is always stored as cleartext or whether it is encrypted on ECS.
I told him that the connection between client and ECS can be encrypted and that the object user doesn't have access to the GUI, so that an object user can't see the secret key in cleartext. But the customer still wants his question answered.
The second question is: what happens to the object user account on ECS if the account is deleted in AD or LDAP?
I think that, because there is no tight integration between authentication providers and object users, the users created via the "self-service REST API" to reduce management overhead have to be deleted manually on the ECS! Correct?
Kind regards
Matthias
JasonCwik
June 1st, 2018 08:00
Hi Matthias,
Yes, the key is encrypted when stored on the ECS. Also note that even in a plaintext HTTP transaction, the key never goes over the wire. In the S3 protocol, the secret key is used to sign the request and that signature goes over the wire, not the key.
You're correct: in ECS, when you delete an account in AD, we do not delete the object user, so they will need some process to clean that up. We're working on an updated IAM workflow for future releases of ECS that will fix this process by using SSO and temporary auth keys instead of object users with fixed secret keys.
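To illustrate the point about the secret key never leaving the client, here is an added example (not code from the thread or from ECS) of the AWS Signature Version 4 scheme that S3-compatible clients use: the secret key is only the root of an HMAC chain, and only the resulting signature is placed in the Authorization header, which the server checks by recomputing it from its own stored copy. Host name, path, access key and secret key below are constructed sample values.

```python
# Added example (not from the forum post or ECS): minimal AWS SigV4 signing
# for an S3 GET with an unsigned payload, plus the server-side check.
import hashlib
import hmac
from urllib.parse import quote

# Constructed sample credentials and request (AWS documentation-style examples).
SAMPLE_ACCESS_KEY = "AKIAIOSFODNN7EXAMPLE"
SAMPLE_SECRET_KEY = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
SAMPLE_HOST = "ecs.example.internal"
SAMPLE_PATH = "/bucket/object.txt"
SAMPLE_AMZ_DATE = "20180601T080000Z"  # ISO 8601 basic format


def _hmac(key: bytes, msg: str) -> bytes:
    return hmac.new(key, msg.encode(), hashlib.sha256).digest()


def sigv4_authorization(access_key, secret_key, host, path, amz_date,
                        region="us-east-1", service="s3"):
    """Build the Authorization header for a GET. The secret key is consumed
    by the HMAC chain below and never appears in the returned string."""
    date_stamp = amz_date[:8]
    payload_hash = "UNSIGNED-PAYLOAD"
    headers = {"host": host, "x-amz-content-sha256": payload_hash,
               "x-amz-date": amz_date}
    signed_headers = ";".join(sorted(headers))
    canonical_headers = "".join(f"{k}:{headers[k]}\n" for k in sorted(headers))
    canonical_request = "\n".join(["GET", quote(path, safe="/~"), "",
                                   canonical_headers, signed_headers, payload_hash])
    scope = f"{date_stamp}/{region}/{service}/aws4_request"
    string_to_sign = "\n".join(["AWS4-HMAC-SHA256", amz_date, scope,
                                hashlib.sha256(canonical_request.encode()).hexdigest()])
    # Key derivation: secret -> date -> region -> service -> signing key.
    k_date = _hmac(("AWS4" + secret_key).encode(), date_stamp)
    k_signing = _hmac(_hmac(_hmac(k_date, region), service), "aws4_request")
    signature = hmac.new(k_signing, string_to_sign.encode(), hashlib.sha256).hexdigest()
    return (f"AWS4-HMAC-SHA256 Credential={access_key}/{scope}, "
            f"SignedHeaders={signed_headers}, Signature={signature}")


def server_verifies(stored_secret, access_key, host, path, amz_date, presented):
    """What the storage side does on receipt: recompute the header from the
    secret it holds and compare in constant time; the wire carried no secret."""
    expected = sigv4_authorization(access_key, stored_secret, host, path, amz_date)
    return hmac.compare_digest(expected, presented)
```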
EMC_Matze
June 1st, 2018 09:00
Hi Jason,
Thanks for the clarification ;-)
KR
Matthias