Skip to main content

We've Moved!

Product Documentation has moved to docs.hitachivantara.com
Hitachi Vantara Knowledge

Alternate authentication methods


HSwift supports multiple methods of user authentication. OpenStack Keystone is the recommended method but HCP can also be accessed through other authentication methods.

© 2015, 2019 Hitachi Vantara Corporation. All rights reserved.

Creating a Temporary Authentication token


Temporary Authentication converts an HCP user account username and password into an token that can be used by RESTful APIs to authenticate with HCP. The token can be used with the HSwift X-Auth-Token header to validate a user without the use of Keystone.

The Temporary Authentication token is authenticated directly by HCP and is composed of an HCP user account username encoded in base64 and HCP user account password encoded in an md5 hash. The token does not expire unless the HCP user account username or password changes.

To create a Temporary Authentication token you enter the HSwift X-Auth-User header with your HCP user account username, in base64, and the X-Auth-Key header with your HCP user account password, in MD5, in your next command.

HCP responds with a 204 HTTP status code and two headers, X-Auth-Token and X-Storage-Url. The X-Auth-Token is your Temporary Authentication token and X-Storage-Url is the URL of your HCP.

Here is an example of a curl command using Temporary Authentication and a valid response. In this example the HCP user account username is lgreen and the password is start123:

Curl command request

curl -v -X -k HEAD http://example.com/swift/v1/tenant/AUTH_6b6884ebb6f441cfbb7e740f6a927c9e -H "X-Auth-User: bGdyZWVu" -H "X-Auth-Key: a3b9c163f6c520407ff34cfdb83ca5c6"

Response if user is valid

HTTP/1.1 204 No Content
X-Auth-Token: HCP bGdyZWVu:a3b9c163f6c520407ff34cfdb83ca5c6
X-Storage-URL: https://example.com/swift/v1/tenant

© 2015, 2019 Hitachi Vantara Corporation. All rights reserved.

Using Local Authentication


Local Authentication is an authentication method for users using RESTful APIs. When using Local Authentication, HCP forgoes the use of any third party identity service such as Keystone and instead verifies the user directly. To verify a user, Local Authentication requests tokens that are encoded with HCP user account credentials.

In order to use Local Authentication with HSwift, instead of passing a Keystone authentication token with the X-Auth-Token header, you replace the Keystone authentication token with the prefix HCP, followed by your Local Authentication token.

The Local Authentication token can be generated by using the Temporary Authentication service, see Creating a Temporary Authentication token, or by manually encoding your HCP user account username in base64 and your HCP user account password in an md5 hash. The username and password are separated by a colon (:) with no spaces in between.

Local Authentication does not authenticate HCP user accounts that are associated with different tenants than the one you're targeting. To access a tenant with Local Authentication, the management API must be enabled for that tenant.

Containers created using Local Authentication are not assigned to an HCP user account. Containers and objects stored through HSwift are not owned by an HCP user account. If you want to assign containers and objects to HCP user accounts, it must be done through a different interface, see Other container access methods.

Here is an example of how the X-Auth-Token header is formatted when using Local Authentication:

"X-Auth-Token: HCP base64-encoded-username:md5-encoded-password"

Here is an example of a curl request that uses a Local Authentication. The username for this HCP user account is lgreen and the password is start123:

Curl command request

curl -v -X HEAD http://api.example.hcp.com/swift/v1/AUTH_6b6884ebb6f441cfbb7e740f6a927c9e -H "X-Auth-Token: HCP bGdyZWVu:a3b9c163f6c520407ff34cfdb83ca5c6"

Response if token is valid

HTTP/1.1 200 OK

Response if token is invalid

HTTP/1.1 401 Unauthorized

© 2015, 2019 Hitachi Vantara Corporation. All rights reserved.

Active Directory user authentication through HSwift


If HCP is configured to support Windows Active Directory® (AD), you can also use an AD user account that HCP recognizes to access HCP through the HSwift API.

You need to provide credentials with every HSwift API request. If you do not provide credentials or provide invalid credentials, HCP responds with a 403 (Forbidden) error message.

To authenticate to HCP with Active Directory, you need to construct an authentication token from a AD user account and then submit it using a request header with all requests. The username and password does not need to be encoded.

HCP also accepts Active Directory provided through the SPNEGO protocol. For more information about SPNEGO, see http://tools.ietf.org/html/rfc4559.

© 2015, 2019 Hitachi Vantara Corporation. All rights reserved.

Active Directory authentication token


An AD authentication token consists of an AD username and password separated by a colon, like this:

AD-username:AD-password

For example, here’s the token for the username lgreen and the password p4ssw0rd:

lgreen@example.com:p4ssw0rd

© 2015, 2019 Hitachi Vantara Corporation. All rights reserved.

Active Directory authorization header


You use the HTTP Authorization request header to provide the authentication token for an AD user accessing HCP through the management API. The value of this header is AD followed by the authentication token, in this format:

Authorization: AD authentication-token

For example, here’s the Authorization header for a user named lgreen and password p4ssw0rd:

Authorization: AD lgreen@example.com:p4ssw0rd

Specifying the Authorization header with HSwift

With cURL, you use the -H option to specify a header. So, for example, a request to list the tenants for the HCP system named example.hcp.com might look like this:

curl -v -X HEAD http://api.example.hcp.com/swift/v1/AUTH_6b6884ebb6f441cfbb7e740f6a927c9e
-H "Authorization: AD lgreen@example.com:p4ssw0rd"

Specifying the authentication header in Python with PycURL

In Python with PycURL, you use the HTTPHEADER option to specify a header, as in this example:

curl.setopt(pycurl.HTTPHEADER, ["Authorization: AD
  lgreen@example.com:p4ssw0rd"])

© 2015, 2019 Hitachi Vantara Corporation. All rights reserved.

 

  • Was this article helpful?