
The SDN Controller uses OpenStack Keystone for identity management: managing users, generating tokens, and validating tokens. Upon installation, the SDN Controller creates the following users and roles:
•User: sdn – This is the primary user that operates different SDN REST and UI operations. The sdn user has roles
•User: rsdoc – This is the primary user that is associated with API documentation operations. The rsdoc user has
•The Keystone version in use is based on the Folsom release. If a later Keystone version is in use:
◦Ensure that it supports the Keystone v2.0 REST API.
◦Configure the token provider to use the UUID token (instead of PKI tokens). This is configurable via /etc/keystone/keystone.conf.
◦For Keystone configuration details, see: http://docs.openstack.org/developer/keystone/configuration.html
The SDN Controller currently does not enforce
To authenticate, present a username and password to the /auth API as shown below (using curl as an example):
curl
CAUTION: Credential information (user name, password, domain, and authentication tokens) used in cURL commands may be saved in the command history. For security reasons, HP recommends that you disable command history prior to executing commands containing credential information.
The above call returns this example JSON data structure that includes the authentication token, which, by default, expires in 24 hours:
{
"record": {
"domainId": "62e312edff47413fad7e1d7fa6ac7bc7",
"domainName": "sdn",
"expiration": 1377917359000,
"expirationDate":
"token": "54a6f80a9ae243db89bfa05de4ced51d",
"userId": "bca3dea8a28b457e99e899ae16b79634",
"userName": "sdn"
}
}
CAUTION: Please guard this token information, as it can be used as an API key to gain access to your SDN Controller REST APIs.
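One way a client can handle the response above, as an added example that is not from the original guide: it parses the record, tracks when the token expires, and keeps the token itself out of log output. The class and method names are hypothetical, `expiration` is assumed to be milliseconds since the Unix epoch (based on the value's magnitude), and the constructed sample omits `expirationDate` because its value is not given on the page.

```python
import hashlib
import json
from datetime import datetime, timezone

# Constructed sample: the response shown above, without "expirationDate".
SAMPLE_RESPONSE = """{"record": {
  "domainId": "62e312edff47413fad7e1d7fa6ac7bc7",
  "domainName": "sdn",
  "expiration": 1377917359000,
  "token": "54a6f80a9ae243db89bfa05de4ced51d",
  "userId": "bca3dea8a28b457e99e899ae16b79634",
  "userName": "sdn"}}"""


class ExpiredToken(Exception):
    """The cached token is at or near expiry; authenticate again."""


class AuthRecord:
    """Hypothetical holder for the /auth response that never logs the token."""

    def __init__(self, body):
        record = json.loads(body)["record"]
        self._token = record["token"]
        self.user = record["userName"]
        self.domain = record["domainName"]
        # Assumption: "expiration" is milliseconds since the Unix epoch.
        self.expires = datetime.fromtimestamp(
            record["expiration"] / 1000, tz=timezone.utc)

    def seconds_left(self, now=None):
        now = now or datetime.now(timezone.utc)
        return (self.expires - now).total_seconds()

    def token(self, now=None, margin=300):
        """Return the token, or raise if under `margin` seconds remain."""
        if self.seconds_left(now) <= margin:
            raise ExpiredToken(f"token for {self.user} expires {self.expires}")
        return self._token

    def __repr__(self):
        # Log a short SHA-256 fingerprint for correlation, never the token.
        fp = hashlib.sha256(self._token.encode()).hexdigest()[:8]
        return (f"AuthRecord(user={self.user!r}, domain={self.domain!r}, "
                f"expires={self.expires.isoformat()}, token=sha256:{fp})")


if __name__ == "__main__":
    print(AuthRecord(SAMPLE_RESPONSE))
```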
To gain access to the REST API, include the token in the
curl