5 Replies Latest reply: Jan 17, 2018 8:59 PM by dynamox

Xtremio REST Call with not Basic Auth

Raj.la

Hello,

I am using a REST API script for DB refreshes (consistency group refresh), but my script exposes the user credentials in plain text, like user:xxxx pass:xxx. Is there any way I can bypass this? I believe XtremIO won't support OAuth or Digest Auth.

Also, key-based (public/private) authentication works for the CLI, but I am not sure whether there is any way I can use it for REST calls.

Appreciate any advice.

  • 1. Re: Xtremio REST Call with not Basic Auth
    dynamox

    But your endpoint is using HTTPS, so it shouldn't be clear text?

  • 2. Re: Xtremio REST Call with not Basic Auth
    scotthoward

    Currently there is no way around this - however, it's likely less of an issue than you might think.

    The credentials are never sent across the network in plain text - the XtremIO REST API is only available via HTTPS/SSL, so everything is ALWAYS encrypted over the wire.

    As you've said, key-based auth is supported for the CLI - but fundamentally that doesn't change the security posture at all. You've just replaced one token that allows you access to the system (the password) with another (the key). Sure, the key is a little harder to memorize, but in the context of a script that's not really relevant.

    The simple fact is that in order to access the API you need *something* that can be used for authentication - and the script needs to have that something. It doesn't really matter if that's a password, a key, or a token - the security level is fundamentally the same.

    If you don't want the password to actually be visible in the script, then you can encode/encrypt it in some way or other. Again, this doesn't really change the security level, as the script needs to be able to decode/decrypt the password - but it does add a little more effort to using it...

  • 3. Re: Xtremio REST Call with not Basic Auth
    dynamox

    And set up a read-only account for API calls.

  • 4. Re: Xtremio REST Call with not Basic Auth
    Raj.la

    Thank you Scott for your inputs.

    Dynamox - I tested a read-only account for snapshot refresh; it doesn't like that privilege.

    Unauthorized command 'refresh_data' for user 'syncuser'. At least 'configuration' role is required

  • 5. Re: Xtremio REST Call with not Basic Auth
    dynamox

    Ah, sorry, I missed that you are making changes to the array. I have a read-only account because I am only collecting performance/capacity data from the API.
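Scott's point that the script has to hold *some* secret stands, and the last exchange shows the account cannot simply be read-only when it performs refreshes, so the secret it holds is a privileged one. What a script can still control is where that secret lives, that it only ever travels over HTTPS with certificate checking on, and that it never leaks into logs. The Python below is an added example written for this thread; it is not code from the original posts or from the XtremIO product. The environment variable names `XIO_USER`/`XIO_PASS`, the host `xms.example.invalid`, the credential-file layout and the API path are this example's own assumptions, and the request is assembled but not sent, so it runs offline.

```python
import base64
import os
import stat
from pathlib import Path
from urllib.parse import urlsplit, urlunsplit


class CredentialError(Exception):
    """Raised when the API credentials cannot be obtained safely."""


def load_credentials(env_user="XIO_USER", env_pass="XIO_PASS", cred_file=None):
    """Return (user, password) without hard-coding them in the script.

    Order: environment variables first (the variable names are this example's
    own choice, not an XtremIO convention), then an optional 'user:password'
    file that must be readable by its owner only. The script still needs the
    secret at run time; what changes is that it no longer sits in the script
    text, in version control, or in a world-readable file.
    """
    user, password = os.environ.get(env_user), os.environ.get(env_pass)
    if user and password:
        return user, password
    if cred_file is None:
        raise CredentialError("no credentials in environment and no credential file given")
    path = Path(cred_file)
    mode = stat.S_IMODE(path.stat().st_mode)
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        # Any other account on the host could read it: treat that as misconfiguration.
        raise CredentialError(f"{path} is group/other accessible (mode {mode:04o}); refusing to use it")
    user, sep, password = path.read_text(encoding="utf-8").strip().partition(":")
    if not (sep and user and password):
        raise CredentialError(f"{path} must contain a single 'user:password' line")
    return user, password


def basic_auth_header(user, password):
    """Build the HTTP Basic Authorization header.

    Base64 is encoding, not encryption: the only protection on the wire is
    the TLS session, which is why build_request() insists on https.
    """
    token = base64.b64encode(f"{user}:{password}".encode("utf-8")).decode("ascii")
    return {"Authorization": f"Basic {token}"}


def build_request(base_url, api_path, user, password, ca_bundle=None):
    """Assemble the pieces of a GET request to the array's REST endpoint.

    Refuses anything but https, so a typo in the URL cannot downgrade the
    call to clear text, and keeps certificate verification on (optionally
    pinned to the CA bundle that signed the array's certificate). The dict
    maps directly onto a client call such as requests.get(url, headers=..., verify=...).
    """
    parts = urlsplit(base_url)
    if parts.scheme != "https":
        raise ValueError(f"refusing to send Basic credentials over '{parts.scheme or 'non-https'}': {base_url}")
    url = urlunsplit((parts.scheme, parts.netloc, api_path, "", ""))
    return {"url": url, "headers": basic_auth_header(user, password), "verify": ca_bundle or True}


def redact(request):
    """Return a copy of the request dict that is safe to log: the Authorization
    value is masked so debug output never reproduces the credentials."""
    headers = {k: ("<redacted>" if k.lower() == "authorization" else v)
               for k, v in request["headers"].items()}
    return {**request, "headers": headers}


if __name__ == "__main__":
    # Constructed sample run with placeholder values; no network call is made.
    os.environ.setdefault("XIO_USER", "xms_script")
    os.environ.setdefault("XIO_PASS", "example-only")
    u, p = load_credentials()
    # API path assumed from the v2 REST layout; check it against the array's documentation.
    req = build_request("https://xms.example.invalid", "/api/json/v2/types/consistency-groups", u, p)
    print(redact(req))
```

Run it with the two variables set (or with a `user:password` file created as `chmod 600`) and the printed request shows the masked header, which is the only form that should ever reach a log. Because the account needs the `configuration` role for `refresh_data`, the credential file should be owned by the service account that runs the refresh job and by nothing else; the mode check turns a loosened permission into an early failure rather than a silent exposure.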