Reference Guide

shut down the OpenFlow port to stop processing OpenFlow events. If in a teaming
environment, the controller will remove itself from the team.
Persistence Layer
Data Access API: Interfaces that prescribe how to persist and retrieve the domain model
information, such as locations, devices, topology, etc. This can also include any prescribed routing
and flow control policies.
Data Access Implementations: Implementations of the persistence services that store and
retrieve the SDN-related information in a database or other non-volatile form.
Authentication
Controller REST APIs are secured via a token-based authentication scheme. OpenStack Keystone
[9] is used to provide the token-based authentication.
This security mechanism:
Provides user authentication functionality with RBAC support.
Completely isolates the security mechanism from the underlying REST API.
Works with OpenStack Keystone.
Exposes a REST API to allow any authentication server that implements this REST API to be
hosted elsewhere (outside the SDN appliance).
This security mechanism does not:
Provide authorization. Authorization needs to be provided by the application based on the
authenticated subject's roles.
Support filtering functionality such as black-listing or rate-limiting.
To achieve isolation of security aspects from the API, authentication information is encapsulated by
a token that a user receives by presenting his/her credentials to an Authentication Server. The user
then uses this token (via header X-Auth-Token) in any API call that requires authentication. The
token is validated by an Authentication Filter that fronts the requested API resource. Upon
successful authentication, requests are forwarded to the RESTful APIs with the principal's
information such as:
User ID
User name
User roles
Expiration Date
Upon unsuccessful authentication (either no token or an invalid token), it is up to the application to
deny or allow access to its resource. This flexibility allows the application to implement its own
authorization mechanism, such as ACL-based access control, or even to allow anonymous operations
on certain resources.
The flow of token-based authentication in the HP VAN SDN Controller can be summarized as
illustrated in Figure 9.
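The split described above, as an added illustration that is not code from the HP VAN SDN Controller: an Authentication Filter that resolves the X-Auth-Token header to a principal (user ID, name, roles, expiration) and forwards it to the resource, while each resource makes its own authorization decision, including what to do when no valid token was presented. The token table, the fixed clock and the resource functions are constructed stand-ins for the Keystone-backed Authentication Server and the controller's REST resources.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Callable, Optional

# Constructed sample data: a fixed "now" and a token table standing in for the
# Authentication Server (Keystone) that a real filter would query. Tokens are
# opaque handles that are looked up, never parsed or trusted on their own.
NOW = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)
TOKEN_STORE = {
    "tok-alice": ("u-1", "alice", ["sdn-admin"], NOW + timedelta(hours=1)),
    "tok-bob": ("u-2", "bob", ["sdn-viewer"], NOW + timedelta(hours=1)),
    "tok-stale": ("u-3", "carol", ["sdn-admin"], NOW - timedelta(minutes=5)),
}

@dataclass
class Principal:
    """What the filter forwards to the resource on successful authentication."""
    user_id: str
    user_name: str
    roles: list
    expires: datetime

def validate_token(token: str, now: datetime = NOW) -> Optional[Principal]:
    """Resolve a token to a principal; unknown or expired tokens yield None."""
    rec = TOKEN_STORE.get(token)
    if rec is None or rec[3] <= now:
        return None
    return Principal(*rec)

def auth_filter(headers: dict, resource: Callable, now: datetime = NOW):
    """Authentication Filter fronting a REST resource: validates X-Auth-Token
    and forwards the principal (or None) without making any access decision."""
    token = headers.get("X-Auth-Token")
    principal = validate_token(token, now) if token else None
    return resource(principal)

# Authorization lives in the application: each resource decides what to do
# with a missing principal and which roles it requires.
def flows_resource(principal: Optional[Principal]):
    if principal is None:
        return 401, "authentication required"
    if "sdn-admin" not in principal.roles:
        return 403, "role sdn-admin required"
    return 200, f"flows visible to {principal.user_name}"

def topology_resource(principal: Optional[Principal]):
    # Anonymous reads are allowed here; that ACL choice belongs to the resource.
    who = "anonymous" if principal is None else principal.user_name
    return 200, f"topology read by {who}"
```

Note that an expired token and an unknown token are indistinguishable to the resource; both simply arrive as a missing principal.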