HP VAN SDN Controller Administrator Guide

REST Authentication
The SDN controller uses token-based authentication for its REST APIs. Every REST API except
/auth and /rsdoc requires an authentication token, supplied in an “X-Auth-Token” header with
each REST request. The /auth API allows you to obtain a token, while the /rsdoc API provides
live documentation of the controller’s REST API. The next section describes how to obtain a
token from the /auth API.
OpenStack Keystone
The SDN controller uses OpenStack Keystone as its identity management service for managing
users, generating tokens, and validating tokens. Upon installation, the SDN controller creates
the following users and roles:
User: sdn
    This is the primary user that performs the various SDN REST and UI operations.
    The sdn user has the roles sdn-user and sdn-admin.
User: rsdoc
    This is the primary user associated with API documentation operations.
    The rsdoc user has the sdn-user role.
The Keystone version in use is based on the Folsom release. If a later Keystone version
is in use:
o Ensure that it supports the Keystone v2.0 REST API.
o Configure the token provider to use the UUID token (instead of PKI tokens).
  This is configurable via /etc/keystone/keystone.conf.
o For Keystone configuration details, refer to:
  http://docs.openstack.org/developer/keystone/configuration.html
The SDN controller currently does not enforce role-based permissions (RBAC); however, it may do
so in the future. Also, applications installed on the SDN controller may choose to enforce RBAC
per their security requirements.
To authenticate, present a username and password to the /auth API, as shown below (using curl
as an example):
curl -sk -H 'Content-Type:application/json' \
  -d '{"login":{"user":"sdn","password":"password","domain":"sdn"}}' \
  https://<controller-ip>:8443/sdn/v2.0/auth
Caution
Credential information (user name, password, domain, and authentication tokens)
used in cURL commands may be saved in the command history. For security
reasons, HP recommends that you disable command history prior to executing
commands containing credential information.
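The shell functions below are an added example, not taken from the HP guide: they make the same /auth request while keeping the password and token out of the command history and out of curl's argument list, then send the token in the X-Auth-Token header. The function names, the SDN_CA certificate path, and the "record"/"token" layout of the response are assumptions.

```shell
#!/bin/sh
# Added example (not from the HP guide). Assumed: helper names, the SDN_CA
# path, and a response of the form {"record":{"token":"..."}}.

# Escape backslashes and double quotes so a value is safe inside a JSON string.
json_escape() {
    printf '%s' "$1" | sed -e 's/\\/\\\\/g' -e 's/"/\\"/g'
}

# Build the /auth request body in the shape used by the guide's curl example.
build_login_body() {    # usage: build_login_body <user> <password> <domain>
    printf '{"login":{"user":"%s","password":"%s","domain":"%s"}}' \
        "$(json_escape "$1")" "$(json_escape "$2")" "$(json_escape "$3")"
}

# Read an /auth response on stdin and print the first "token" value, if any.
extract_token() {
    sed -n 's/.*"token"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p' | head -n 1
}

# Prompt for the password without echo and POST the body on stdin (-d @-),
# so the password never appears in shell history or in curl's arguments.
get_token() {           # usage: get_token <controller-ip> <user> <domain>
    printf 'Password for %s: ' "$2" >&2
    stty -echo; IFS= read -r pw; stty echo; printf '\n' >&2
    build_login_body "$2" "$pw" "$3" |
        curl -s --cacert "${SDN_CA:-/path/to/controller-ca.pem}" \
             -H 'Content-Type:application/json' -d @- \
             "https://$1:8443/sdn/v2.0/auth" | extract_token
    unset pw
}

# GET a REST path with the token; the header is passed through curl's
# config-on-stdin option (-K -) instead of on the command line.
api_get() {             # usage: api_get <controller-ip> <token> <path>
    printf 'header = "X-Auth-Token: %s"\n' "$2" |
        curl -s --cacert "${SDN_CA:-/path/to/controller-ca.pem}" -K - \
             "https://$1:8443$3"
}
```

Unlike the guide's `-k` example, these functions verify the controller certificate against the CA file named in SDN_CA.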
The above call returns this example JSON data structure that includes the authentication token,
which, by default, expires in 24 hours: