The REST API uses session-based user authentication. When a REST API client accesses the REST API server and starts an operation, it must always generate a session first. The request that generates the session authenticates with a user ID and password to access the storage system. After the session is created, the client specifies the session information in the Authorization header of each subsequent request, and authentication is performed based on that session information.
For REST API user authentication, use a user account registered in the storage system, or a user account managed by an external authentication server or an approved external server that is connected to the storage system.
User accounts of other products, such as Hitachi Command Suite products, and user accounts managed by external authentication servers or approved external servers that are connected to those other products cannot be used for REST API user authentication.
To perform REST API user authentication when the storage system and other products, such as Hitachi Command Suite products, are connected to the same external authentication server or approved external server, create a user account other than the one used by the other products. In such cases, create a user account that meets the following conditions:
- If you are creating a user account for external authentication, do not register this account in the Hitachi Command Suite products.
- If you are creating a user account for approved external authentication, do not register the approved external group in the Hitachi Command Suite products.
Selecting the appropriate user authentication method
When using the REST API, use the authorization method that matches the operation, as shown below.
- For session generation: Authorization is based on the user ID and password.
- For operations other than the above: Authorization is based on the session.
The following provides an overview of authentication based on the operation of the REST API.
Authentication by the user ID and password
When you create a session, specify authentication information in the following format in the Authorization header:
Authorization: Basic authentication-information
- authentication-information: Specify a base64-encoded character string in which the user ID and password are concatenated with a colon (:). Use the user ID and password of a user account that can perform operations on storage system resources.
When using the REST API, you can use the following characters for the user ID and password.
Item | Number of characters | Specifiable characters
---|---|---
User ID | 1 to 63 characters | You can use the following characters.
Password | 6 to 63 characters | You can use the following characters.
The following is an example of the Authorization header where the user ID is sample-user, and the password is sample-password:
Authorization: Basic c2FtcGxlLXVzZXI6c2FtcGxlLXBhc3N3b3Jk
Authentication by sessions
Specify the token for the session in the following format in the Authorization header:
Authorization: Session token
- token: A token is authentication information that is returned after a session is created. This information is used to determine whether the request was issued from an authorized user.
Example of the Authorization header:
Authorization: Session 550e8400-e29b-41d4-a716-446655440000
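The following Python example is added here and is not part of the Hitachi documentation. It builds both Authorization header forms described above, enforces the length and colon rules from the table, and shows a client that uses Basic only for session creation and Session for every later operation. The `HttpSend` callable, the sessions path and the `token` response key are assumptions of the example.

```python
import base64
from typing import Callable, Mapping, Optional

# (method, path, headers) -> decoded JSON body. Injected so the flow can run
# without a storage system; this signature is an assumption of the example.
HttpSend = Callable[[str, str, Mapping[str, str]], dict]


def basic_auth_header(user_id: str, password: str) -> str:
    """Authorization value for session creation: base64(user-id:password)."""
    # Lengths follow the table above. The colon separates the fields in the
    # encoded string, so the user ID must not contain one (the password may).
    if not 1 <= len(user_id) <= 63 or ":" in user_id:
        raise ValueError("invalid user ID")
    if not 6 <= len(password) <= 63:
        raise ValueError("invalid password length")
    raw = f"{user_id}:{password}".encode("utf-8")
    return "Basic " + base64.b64encode(raw).decode("ascii")


def session_auth_header(token: str) -> str:
    """Authorization value for every operation after the session exists."""
    if not token or any(c.isspace() for c in token):
        raise ValueError("token must be a single non-empty string")
    return "Session " + token


class ApiSession:
    """Uses Basic exactly once (session creation) and Session afterwards."""

    def __init__(self, send: HttpSend) -> None:
        self._send = send
        self.token: Optional[str] = None

    def create(self, user_id: str, password: str, sessions_path: str) -> str:
        headers = {"Authorization": basic_auth_header(user_id, password)}
        body = self._send("POST", sessions_path, headers)
        self.token = body["token"]  # response key assumed for this example
        return self.token

    def request(self, method: str, path: str) -> dict:
        if self.token is None:
            raise RuntimeError("create a session before other operations")
        headers = {"Authorization": session_auth_header(self.token)}
        return self._send(method, path, headers)
```

Calling `basic_auth_header("sample-user", "sample-password")` reproduces the header value shown in the Basic example above.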