Skip to main content
Hitachi Vantara Knowledge

Alternate authentication methods

HSwift supports multiple methods of user authentication. OpenStack Keystone is the recommended method, but HCP can also be accessed through other authentication methods.

Creating a temporary authentication token

Temporary Authentication converts an HCP user account username and password into an token that can be used by RESTful APIs to authenticate with HCP. The token can be used with the HSwift X-Auth-Token header to validate a user without the use of Keystone.

The Temporary Authentication token is authenticated directly by HCP and is composed of an HCP user account user name encoded in base64 and HCP user account password encoded in an MD5 hash. The token does not expire unless the HCP user account username or password changes.

To create a Temporary Authentication token you enter the HSwift X-Auth-User header with your HCP user account user name, in base64, and the X-Auth-Key header with your HCP user account password, in MD5, in your next command.

HCP responds with a 204 HTTP status code and two headers: X-Auth-Token and X-Storage-Url. The X-Auth-Token is your Temporary Authentication token and X-Storage-Url is the URL of your HCP.

Here is an example of a curl command using Temporary Authentication and a valid response. In this example, the HCP user account user name is lgreen and the password is start123:

Curl command request

curl -v -X -k HEAD http://example.com/swift/v1/tenant/AUTH_6b6884ebb6f441cfbb7e740f6a927c9e -H "X-Auth-User: bGdyZWVu" -H "X-Auth-Key: a3b9c163f6c520407ff34cfdb83ca5c6"

Response if user is valid

HTTP/1.1 204 No Content
X-Auth-Token: HCP bGdyZWVu:a3b9c163f6c520407ff34cfdb83ca5c6
X-Storage-URL: https://example.com/swift/v1/tenant

Using local authentication

Local Authentication is an authentication method for users using RESTful APIs. When using Local Authentication, HCP forgoes the use of any third party identity service such as Keystone and instead verifies the user directly. To verify a user, Local Authentication requests tokens that are encoded with HCP user account credentials.

In order to use Local Authentication with HSwift, instead of passing a Keystone authentication token with the X-Auth-Token header, you replace the Keystone authentication token with the prefix HCP, followed by your Local Authentication token.

The Local Authentication token can be generated by using the Temporary Authentication service, or by manually encoding your HCP user account username in base64 and your HCP user account password in an MD5 hash. The user name and password are separated by a colon (:) with no spaces in between.

Local Authentication does not authenticate HCP user accounts that are associated with different tenants than the one you're targeting. To access a tenant with Local Authentication, the management API must be enabled for that tenant.

Containers created using Local Authentication are not assigned to an HCP user account. Containers and objects stored through HSwift are not owned by an HCP user account. If you want to assign containers and objects to HCP user accounts, it must be done through a different interface.

Here is an example of how the X-Auth-Token header is formatted when using Local Authentication:

"X-Auth-Token: HCP base64-encoded-username:md5-encoded-password"

Here is an example of a curl request that uses a Local Authentication. The username for this HCP user account is lgreen and the password is start123:

Curl command request

curl -v -X HEAD http://api.example.hcp.com/swift/v1/AUTH_6b6884ebb6f441cfbb7e740f6a927c9e -H "X-Auth-Token: HCP bGdyZWVu:a3b9c163f6c520407ff34cfdb83ca5c6"

Response if token is valid

HTTP/1.1 200 OK

Response if token is invalid

HTTP/1.1 401 Unauthorized

Active Directory user authentication through HSwift

If HCP is configured to support Windows Active Directory® (AD), you can also use an AD user account that HCP recognizes to access HCP through the HSwift API.

You need to provide credentials with every HSwift API request. If you do not provide credentials or provide invalid credentials, HCP responds with a 403 (Forbidden) error message.

To authenticate to HCP with Active Directory, you need to construct an authentication token from a AD user account and then submit it using a request header with all requests. The user name and password does not need to be encoded.

HCP also accepts Active Directory provided through the SPNEGO protocol. For more information about SPNEGO, see http://tools.ietf.org/html/rfc4559.

Active Directory authentication token

An AD authentication token consists of an AD username and password separated by a colon, like this:

AD-username:AD-password

For example, here’s the token for the username lgreen and the password p4ssw0rd:

lgreen@example.com:p4sswOrd

Active Directory authorization header

You use the HTTP Authorization request header to provide the authentication token for an AD user accessing HCP through the management API. The value of this header is AD followed by the authentication token, in this format:

Authorization: AD authentication-token

For example, here’s the Authorization header for a user named lgreen and password p4ssw0rd:

Authorization: AD lgreen@example.com:p4ssw0rd
Specifying the Authorization header with HSwift

With cURL, you use the -H option to specify a header. So, for example, a request to list the tenants for the HCP system named example.hcp.com might look like this:

curl -v -X HEAD http://api.example.hcp.com/swift/v1/AUTH_6b6884ebb6f441cfbb7e740f6a927c9e -H "Authorization: AD lgreen@example.com:p4ssw0rd"
Specifying the authentication header in Python with PycURL

In Python with PycURL, you use the HTTPHEADER option to specify a header, as in this example:

curl.setopt(pycurl.HTTPHEADER, ["Authorization: AD  lgreen@example.com:p4ssw0rd"])

 

  • Was this article helpful?