HSwift supports multiple methods of user authentication. OpenStack Keystone is the recommended method, but HCP can also be accessed through other authentication methods.
Creating a temporary authentication token
Temporary Authentication converts an HCP user account username and password into a token that RESTful APIs can use to authenticate with HCP. The token can be used with the HSwift X-Auth-Token header to validate a user without the use of Keystone.
The Temporary Authentication token is authenticated directly by HCP and consists of the HCP user account user name encoded in base64 and the HCP user account password hashed with MD5. The token does not expire unless the HCP user account username or password changes.
To create a Temporary Authentication token, you enter the HSwift X-Auth-User header with your HCP user account user name, in base64, and the X-Auth-Key header with your HCP user account password, in MD5, in your next command.
HCP responds with a 204 HTTP status code and two headers: X-Auth-Token is your Temporary Authentication token and X-Storage-Url is the URL of your HCP.
Here is an example of a curl command using Temporary Authentication and a valid response. In this example, the HCP user account user name is lgreen and the password is
Curl command request
curl -v -k -X HEAD http://example.com/swift/v1/tenant/AUTH_6b6884ebb6f441cfbb7e740f6a927c9e -H "X-Auth-User: bGdyZWVu" -H "X-Auth-Key: a3b9c163f6c520407ff34cfdb83ca5c6"
Response if user is valid
HTTP/1.1 204 No Content
X-Auth-Token: HCP bGdyZWVu:a3b9c163f6c520407ff34cfdb83ca5c6
X-Storage-URL: https://example.com/swift/v1/tenant
Using local authentication
Local Authentication is an authentication method for users of RESTful APIs. When using Local Authentication, HCP forgoes the use of any third-party identity service such as Keystone and instead verifies the user directly. To verify a user, Local Authentication requests tokens that are encoded with HCP user account credentials.
To use Local Authentication with HSwift, instead of passing a Keystone authentication token with the X-Auth-Token header, you replace the Keystone authentication token with the prefix HCP, followed by your Local Authentication token.
The Local Authentication token can be generated by using the Temporary Authentication service, or by manually encoding your HCP user account username in base64 and your HCP user account password in an MD5 hash. The user name and password are separated by a colon (:) with no spaces in between.
Local Authentication does not authenticate HCP user accounts that are associated with different tenants than the one you're targeting. To access a tenant with Local Authentication, the management API must be enabled for that tenant.
Containers created using Local Authentication are not assigned to an HCP user account. Containers and objects stored through HSwift are not owned by an HCP user account. If you want to assign containers and objects to HCP user accounts, it must be done through a different interface.
Here is an example of how the X-Auth-Token header is formatted when using Local Authentication:
"X-Auth-Token: HCP base64-encoded-username:md5-encoded-password"
Here is an example of a curl request that uses Local Authentication. The username for this HCP user account is lgreen and the password is
Curl command request
curl -v -X HEAD http://api.example.hcp.com/swift/v1/AUTH_6b6884ebb6f441cfbb7e740f6a927c9e -H "X-Auth-Token: HCP bGdyZWVu:a3b9c163f6c520407ff34cfdb83ca5c6"
Response if token is valid
HTTP/1.1 200 OK
Response if token is invalid
HTTP/1.1 401 Unauthorized
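The token format described in the Temporary Authentication and Local Authentication sections above, as an added example that is not part of the original documentation or Hitachi's code: it builds the X-Auth-User/X-Auth-Key and X-Auth-Token values and checks a received value against the documented shape. UTF-8 encoding of the credentials, lowercase hex output, and all function names are assumptions of this example.

```python
import base64
import binascii
import hashlib
import re

_MD5_HEX = re.compile(r"[0-9a-f]{32}")  # assumption: lowercase hex, as in the page's example


def local_auth_token(username: str, password: str) -> str:
    """base64(username) ':' md5hex(password), no spaces (UTF-8 is an assumption)."""
    user_b64 = base64.b64encode(username.encode("utf-8")).decode("ascii")
    pass_md5 = hashlib.md5(password.encode("utf-8")).hexdigest()
    return f"{user_b64}:{pass_md5}"


def temporary_auth_headers(username: str, password: str) -> dict:
    """Headers sent to obtain a Temporary Authentication token."""
    user_b64, pass_md5 = local_auth_token(username, password).split(":")
    return {"X-Auth-User": user_b64, "X-Auth-Key": pass_md5}


def local_auth_header(username: str, password: str) -> dict:
    """X-Auth-Token header for Local Authentication: prefix HCP, then the token."""
    return {"X-Auth-Token": "HCP " + local_auth_token(username, password)}


def parse_local_auth(value: str) -> tuple:
    """Split an 'HCP <b64user>:<md5hex>' value; raise ValueError if malformed."""
    scheme, sep, token = value.partition(" ")
    if scheme != "HCP" or not sep:
        raise ValueError("missing HCP prefix")
    user_b64, sep, pass_md5 = token.partition(":")
    if not sep or not _MD5_HEX.fullmatch(pass_md5):
        raise ValueError("expected base64-username:32-hex-md5")
    try:
        username = base64.b64decode(user_b64, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError) as exc:
        raise ValueError("user name is not valid base64") from exc
    return username, pass_md5


if __name__ == "__main__":
    # Constructed sample credentials, not values from the page.
    print(local_auth_header("sample-user", "sample-password"))
    # Token taken from the page's curl example.
    print(parse_local_auth("HCP bGdyZWVu:a3b9c163f6c520407ff34cfdb83ca5c6"))
    # A stray newline in either input changes both fields of the token.
    print(local_auth_token("sample-user\n", "sample-password\n"))
```

The output depends only on the user name and password, so the same header value stays valid until either changes. A trailing newline in either input (for instance from echo without -n) yields a different token.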
Active Directory user authentication through HSwift
If HCP is configured to support Windows Active Directory® (AD), you can also use an AD user account that HCP recognizes to access HCP through the HSwift API.
You need to provide credentials with every HSwift API request. If you do not provide credentials or provide invalid credentials, HCP responds with a 403 (Forbidden) error message.
To authenticate to HCP with Active Directory, you need to construct an authentication token from an AD user account and then submit it using a request header with all requests. The user name and password do not need to be encoded.
HCP also accepts Active Directory authentication provided through the SPNEGO protocol. For more information about SPNEGO, see http://tools.ietf.org/html/rfc4559.
Active Directory authentication token
An AD authentication token consists of an AD username and password separated by a colon, like this:
For example, here’s the token for the username lgreen and the password p4ssw0rd:
Active Directory authorization header
You use the HTTP Authorization request header to provide the authentication token for an AD user accessing HCP through the management API. The value of this header is AD followed by the authentication token, in this format:
Authorization: AD authentication-token
For example, here’s the Authorization header for a user named lgreen and password
Authorization: AD email@example.com:p4ssw0rd
With cURL, you use the -H option to specify a header. So, for example, a request to list the tenants for the HCP system named example.hcp.com might look like this:
curl -v -X HEAD http://api.example.hcp.com/swift/v1/AUTH_6b6884ebb6f441cfbb7e740f6a927c9e -H "Authorization: AD firstname.lastname@example.org:p4ssw0rd"
In Python with PycURL, you use the HTTPHEADER option to specify a header, as in this example:
curl.setopt(pycurl.HTTPHEADER, ["Authorization: AD email@example.com:p4ssw0rd"])