Add an object user

You can create object users and configure them to use the supported object access protocols. You can edit an object user configuration by adding or removing access to an object protocol, or by creating a new secret key for the object user.


  • This operation requires the System Administrator or Namespace Administrator role in ECS.
  • A System Administrator can assign new object users into any namespace.
  • A Namespace Administrator can assign new object users into the namespace in which they are the administrator.
  • If you create an object user who will access the ECS object store through the OpenStack Swift object protocol, the Swift user must belong to an OpenStack group. A group is a collection of Swift users that have been assigned a role by an OpenStack administrator. Swift users that belong to the admin group can perform all operations on Swift buckets (containers) in the namespace to which they belong. Do not add ordinary Swift users to the admin group. For Swift users that belong to any group other than the admin group, authorization depends on the permissions that are set on the Swift bucket. You can assign permissions on the bucket from the OpenStack Dashboard UI or in the ECS Portal using the Custom Group ACL for the bucket. For more information, see Set custom group bucket ACLs.


  1. In the ECS Portal, select Manage > Users.
  2. On the User Management page, click New Object User.
  3. On the New Object User page, in the Name field, type a name for the local object user.
    You can type domain-style names that include @ (for example, You might want to do this to keep names unique and consistent with AD names. However, local object users are authenticated using a secret key that is assigned to the username, not through AD or LDAP.
    NOTE:  User names can include uppercase letters, lowercase letters, numbers, and any of the following characters: ! # $ & ' ( ) * + , - . / : ; = ? @ _ ~
  4. In the Namespace field, select the namespace that you want to assign the object user to, and then complete one of the following steps:
    • To add the object user, and return later to specify passwords or secret keys to access the ECS object protocols, click Save.
    • To specify passwords or secret keys to access the ECS object protocols, click Next to Add Passwords.
    NOTE: You can lock or unlock an object user by selecting one of the following:
    • Edit > LOCK USER
    • Edit > UNLOCK USER
  5. On the Update Passwords for User <username> page, in the Object Access area, for each of the protocols that you want the user to use to access the ECS object store, type or generate a key for use in accessing the S3/Atmos, Swift, or CAS interfaces.
    1. For S3 access, in the S3/Atmos box, click Generate & Add Secret Key.
      The secret key (password) is generated.
      To view the secret key in plain text, select the Show Secret Key checkbox.
      To create a second secret key to replace the first secret key for security reasons, click Generate & Add Secret Key.
      The Add S3/Atmos Secret Key/Set Expiration on Existing Secret Key dialog is displayed. When adding a second secret key, you can specify for how long to retain the first password. Once this time has expired, the first secret key expires.
      In the Minutes field, type the number of minutes for which you want to retain the first password before it expires. For example, if you typed 3 minutes, you would see This password will expire in 3 minute(s).
      After 3 minutes, you would see that the first password displays as expired and you could then delete it.
    2. For Swift access:
      • In the Swift Groups field, type the OpenStack group to which the user belongs.
      • In the Swift password field, type the OpenStack Swift password for the user.
      • Click Set Groups & Password.
      If you want an S3 user to be able to access Swift buckets, you must add a Swift password and group for the user. The S3 user is authenticated by using the S3 secret key, and the Swift group membership enables access to Swift buckets.
    3. For CAS access:
      • In the CAS field, type the password and click Set Password, or click Generate to automatically generate the password and then click Set Password.
      • Click Generate PEA file to generate a Pool Entry Authorization (PEA) file. The file output displays in the PEA file box and the output is similar to the following example. The PEA file provides authentication information to CAS before CAS grants access to ECS; this information includes the username and secret. The secret is the base64-encoded password that is used to authenticate the ECS application.
        NOTE: The Generate PEA file button is displayed after the password is set.
        <pea version="1.0.0">
        <defaultkey name="s3user4">
        <credential id="csp1.secret" enc="base64">WlFOOTlTZUFSaUl3Mlg3VnZaQ0k=</credential>
        </defaultkey>
        <key type="cluster" id="93b8729a-3610-33e2-9a38-8206a58f6514" name="s3user4">
        <credential id="csp1.secret" enc="base64">WlFOOTlTZUFSaUl3Mlg3VnZaQ0k=</credential>
        </key>
        </pea>
      • In the Default Bucket field, select a bucket, and click Set Bucket.
      • Optional. Click Add Attribute and type values in the Attribute and Group fields.
      • Click Save Metadata.
  6. Click Close.
    The passwords/secret keys are saved automatically.
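
An added example (not part of the ECS documentation) of auditing a PEA file in the layout shown in the CAS step: the secret is only base64-encoded, so anyone who can read the file can recover it, and the check flags files accessible beyond the owner. The file name, user name, cluster id and secret are constructed, and audit_pea is a hypothetical helper.

```python
import base64
import os
import tempfile
import xml.etree.ElementTree as ET

# Constructed sample in the layout shown on the page; name, id and secret are made up.
SAMPLE_PEA = """<pea version="1.0.0">
<defaultkey name="appuser1">
<credential id="csp1.secret" enc="base64">{secret}</credential>
</defaultkey>
<key type="cluster" id="00000000-0000-0000-0000-000000000000" name="appuser1">
<credential id="csp1.secret" enc="base64">{secret}</credential>
</key>
</pea>""".format(secret=base64.b64encode(b"constructed-secret").decode())


def audit_pea(path):
    """Return a list of findings for one PEA file."""
    findings = []
    mode = os.stat(path).st_mode & 0o777
    if mode & 0o077:  # any group or other permission bit set
        findings.append(f"mode {mode:04o}: accessible beyond the owner")
    root = ET.parse(path).getroot()
    for cred in root.findall(".//credential[@enc='base64']"):
        try:
            plain = base64.b64decode(cred.text or "", validate=True)
        except ValueError:
            findings.append(f"credential {cred.get('id')} is not valid base64")
        else:
            # Report the length only; decoding needed no key, so the file is the secret.
            findings.append(f"credential {cred.get('id')} decodes to {len(plain)} bytes")
    return findings


def demo():
    """Audit the sample under a loose and a tight file mode."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "app.pea")
        with open(path, "w") as fh:
            fh.write(SAMPLE_PEA)
        for mode in (0o644, 0o600):
            os.chmod(path, mode)
            results[mode] = audit_pea(path)
    return results


if __name__ == "__main__":
    print(demo())
```

Store PEA files with owner-only permissions and handle them like any other credential, for example by keeping them out of source control and shared directories.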