...

Abiquo has chosen to implement OAuth 1 because it is more secure and interoperable than OAuth 2. See https://hueniverse.com/oauth-2-0-and-the-road-to-hell-8eec45921529

...

Code Block
titleGET datacenters request
% curl --verbose 'http://example.com/api/admin/datacenters/' \
        -X GET \
        -H "Accept: application/vnd.abiquo.datacenters+xml" \
        -H "Authorization: Basic ZXhhbXBsZTpleGFtcGxl"

> GET /api/admin/datacenters HTTP/1.1
> User-Agent: curl/7.19.5 (x86_64-pc-linux-gnu) libcurl/7.19.5 OpenSSL/0.9.8g zlib/1.2.3.3 libidn/1.15
> Host: example.com
> Authorization: Basic ZXhhbXBsZTpleGFtcGxl
> Accept: application/vnd.abiquo.datacenters+xml


Response headers: Content-Length, Content-Type, Date.
Response message body: N/A.
Response status: 200, 401, 403.
Example response: Response of the authenticated GET over a Datacenters resource, but without enough privileges


Code Block
titleGET datacenters response
< HTTP/1.1 403 Forbidden
< Server: Apache-Coyote/1.1
< Content-Type: text/html;charset=utf-8
< Content-Length: 1021
< Date: Fri, 02 Jul 2010 09:59:42 GMT


Token-based authentication

To avoid exposing user credentials, Abiquo provides token-based authentication. For each authenticated request, Abiquo generates an authentication token that can be used to make requests to the API without passing the credentials again. Each HTTP response contains a header with an expirable token that can be used to perform further requests to the API. To use token-based authentication, the client must send the token in the "Authorization" header, as follows:

Code Block
titleAuthentication header format for token-based authentication
Authorization: Token authentication-token

...

Request a resource without providing credentials

Request headers: Accept, Content-Type.
Request parameters: N/A.
Request message body: N/A.
Request example: Retrieve all the datacenters


Code Block
titleGET datacenters request
% curl --verbose 'http://example.com/api/admin/datacenters/' \
        -X GET \
        -H "Accept:application/vnd.abiquo.datacenters+xml"

> GET /api/admin/datacenters HTTP/1.1
> User-Agent: curl/7.19.5 (x86_64-pc-linux-gnu) libcurl/7.19.5 OpenSSL/0.9.8g zlib/1.2.3.3 libidn/1.15
> Host: example.com
> Accept: application/vnd.abiquo.datacenters+xml


Response headers: Content-Length, Content-Type, WWW-Authenticate, Date.
Response message body: N/A.
Response status: 200, 401, 403.
Example response: Response of the unauthenticated GET over a Datacenters resource


Code Block
titleGET datacenters response
< HTTP/1.1 401 Unauthorized
< Server: Apache-Coyote/1.1
< WWW-Authenticate: Token realm="Abiquo"
< Content-Type: text/html;charset=utf-8
< Content-Length: 1152
< Date: Fri, 02 Jul 2010 09:40:14 GMT

...

Request a resource providing valid credentials

Request headers: Accept, Content-Type, Authorization.
Request parameters: N/A.
Request message body: N/A.
Request example: Retrieve all the datacenters


Code Block
titleGET datacenters request
% curl --verbose 'http://example.com/api/admin/datacenters/' \
        -X GET \
        -H "Accept:application/vnd.abiquo.datacenters+xml" \
        -H "Authorization: Token 1169dbbca2c1da4da5ab6b5a06b2b38756fb"

> GET /api/admin/datacenters HTTP/1.1
> User-Agent: curl/7.19.5 (x86_64-pc-linux-gnu) libcurl/7.19.5 OpenSSL/0.9.8g zlib/1.2.3.3 libidn/1.15
> Host: example.com
> Authorization: Token 1169dbbca2c1da4da5ab6b5a06b2b38756fb
> Accept: application/vnd.abiquo.datacenters+xml


Response headers: Content-Length, Content-Type, Date, X-Abiquo-Token.
Response message body: N/A.
Response status: 200, 401, 403.
Example response: Response of the authenticated GET over a Datacenters resource


Code Block
titleGET datacenters response
< HTTP/1.1 200 OK
< Server: Apache-Coyote/1.1
< X-Abiquo-Token: 1169dbbca2c1123455ab6b5a06b2b38756fb
< Content-Type: application/vnd.abiquo.datacenters+xml
< Content-Length: 420
< Date: Fri, 02 Jul 2010 09:50:52 GMT
<
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<datacenters>
    <datacenter>
        <link href="http://example.com/api/admin/datacenters/1" rel="edit"/>
        <link href="http://example.com/api/admin/datacenters/1/racks" rel="racks"/>
        <link href="http://example.com/api/admin/datacenters/1/remoteServices" rel="remoteServices"/>
        <id>1</id>
        <location>Redwood city</location>
        <name>myDatacenter</name>
    </datacenter>
</datacenters>
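
The exchange above, as an added example that is not part of Abiquo's documentation or code: a constructed in-memory stand-in for the API that accepts Basic credentials or a live token and rotates X-Abiquo-Token on every authenticated response, beside a client that sends the password exactly once and then rides on the token, falling back to credentials only when the token has expired. The clock, the 300-second lifetime and the token format are assumptions; the constructed user example/example is what the page's sample Basic header decodes to.

```python
import base64
import secrets

class FakeAbiquoServer:
    """Constructed stand-in for the API (not Abiquo's code): accepts HTTP Basic
    credentials or a live token and puts a fresh, expirable token in
    X-Abiquo-Token on every authenticated response."""

    def __init__(self, users, clock, ttl=300):
        self.users, self.clock, self.ttl = users, clock, ttl  # ttl is an assumption
        self.tokens = {}  # token -> (login, expires_at)

    def handle(self, headers):
        scheme, _, value = headers.get("Authorization", "").partition(" ")
        login = None
        if scheme == "Basic":
            user, _, pwd = base64.b64decode(value).decode().partition(":")
            login = user if self.users.get(user) == pwd else None
        elif scheme == "Token":
            owner, expires_at = self.tokens.get(value, (None, 0))
            login = owner if self.clock() < expires_at else None
        if login is None:
            return 401, {"WWW-Authenticate": 'Token realm="Abiquo"'}, ""
        fresh = secrets.token_hex(18)  # 36 hex chars, like the page's sample token
        self.tokens[fresh] = (login, self.clock() + self.ttl)
        return 200, {"X-Abiquo-Token": fresh}, "<datacenters/>"

class TokenClient:
    """Sends the password once, then rides on the rotating token."""

    def __init__(self, server, login, password):
        self.server = server
        self.basic = base64.b64encode(f"{login}:{password}".encode()).decode()
        self.token = None
        self.credential_uses = 0  # how often the password went over the wire

    def get_datacenters(self):
        if self.token is None:
            self.credential_uses += 1
            auth = f"Basic {self.basic}"
        else:
            auth = f"Token {self.token}"
        status, headers, body = self.server.handle({"Authorization": auth})
        if status == 401 and self.token is not None:
            self.token = None  # token expired: re-authenticate once with credentials
            return self.get_datacenters()
        if status == 200:
            self.token = headers["X-Abiquo-Token"]  # adopt the newest token
        return status, body
```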

...

The following step-by-step example shows how to enable two-factor authentication for a user:

  1. Get the information of the current user:


    Code Block
    titleGET user info
    % curl -v -u admin:xabiquo http://example.com/api/login -H "Accept:application/vnd.abiquo.user+xml"
    
    > GET /api/login HTTP/1.1
    > Authorization: Basic YWRtaW46eGFiaXF1bw==
    > User-Agent: curl/7.38.0
    > Host: example.com
    > Accept:application/vnd.abiquo.user+xml
    
    < HTTP/1.1 200 OK
    < Server: Apache-Coyote/1.1
    < Set-Cookie: auth=YWRtaW46MTQ0MzcxMDM3NDgxMzphZjdjNTY1ZjJhNDgzNTc4Y2EyZGEzNTJiNTcwNmE3ZDpBQklRVU8; Expires=Thu, 01-Oct-2015 14:39:34 GMT; Path=/; HttpOnly
    < Set-Cookie: ABQSESSIONID=1691863788974462744; Expires=Thu, 01-Oct-2015 14:39:34 GMT; Path=/; HttpOnly
    < Content-Type: application/vnd.abiquo.user+xml
    < Content-Length: 1422
    < Date: Thu, 01 Oct 2015 14:09:35 GMT
    
    <?xml version="1.0" encoding="UTF-8" standalone="yes"?>
    <user>
     <link title="Abiquo" rel="enterprise" type="application/vnd.abiquo.enterprise+xml" href="http://example.com:80/api/admin/enterprises/1"/>
     <link title="CLOUD_ADMIN" rel="role" type="application/vnd.abiquo.role+xml" href="http://example.com:80/api/admin/roles/1"/>
     <link title="admin" rel="edit" type="application/vnd.abiquo.user+xml" href="http://example.com:80/api/admin/enterprises/1/users/1"/>
     <link title="virtual machines" rel="virtualmachines" type="application/vnd.abiquo.virtualmachines+xml" href="http://example.com:80/api/admin/enterprises/1/users/1/action/virtualmachines"/>
     <link title="pending tasks" rel="pendingtasks" type="application/vnd.abiquo.tasks+xml" href="http://example.com:80/api/admin/enterprises/1/users/1/action/pendingtasks"/>
     <link title="applications" rel="applications" type="application/vnd.abiquo.applications+xml" href="http://example.com:80/api/admin/enterprises/1/users/1/applications"/>
     <link title="enable two factor authentication" rel="enable2fa" type="application/vnd.abiquo.twofactorauthcredentials+xml" href="http://example.com:80/api/admin/enterprises/1/users/1/action/enable2fa"/>
     <id>1</id>
     <nick>admin</nick>
     <name>Cloud</name>
     <surname>Administrator</surname>
     <description>Main administrator</description>
     <email></email>
     <locale>en_US</locale>
     <authType>ABIQUO</authType>
     <active>true</active>
     <firstLogin>false</firstLogin>
     <locked>false</locked>
    </user>
    


  2. The user info contains a link "enable two factor authentication" (rel enable2fa). To enable two-factor authentication, send a POST request to that link indicating the type of two-factor authentication to enable.


    Code Block
    titleEnable two factor authentication
    % curl -v -u admin:xabiquo -X POST http://localhost:80/api/admin/enterprises/1/users/1/action/enable2fa \
        -H "Accept: application/vnd.abiquo.twofactorauthcredentials+json" \
        -H "Content-type: application/vnd.abiquo.twofactorauthprovider+json" \
        -d '{"type": "GOOGLE_AUTHENTICATOR"}'
    
    > POST /api/admin/enterprises/1/users/1/action/enable2fa HTTP/1.1
    > Authorization: Basic YWRtaW46eGFiaXF1bw==
    > User-Agent: curl/7.38.0
    > Host: localhost
    > Accept: application/vnd.abiquo.twofactorauthcredentials+json
    > Content-type: application/vnd.abiquo.twofactorauthprovider+json
    > Content-Length: 32
    
    < HTTP/1.1 201 Created
    * Server Apache-Coyote/1.1 is not blacklisted
    < Server: Apache-Coyote/1.1
    < Set-Cookie: auth=YWRtaW46MTQ0MzcxMTM2NTcyNzpjOWJmYzczMmRlOGU3ODBmMzFiN2JkYmZhN2RiMTYzMDpBQklRVU8; Expires=Thu, 01-Oct-2015 14:56:05 GMT; Path=/; HttpOnly
    < Set-Cookie: ABQSESSIONID=3703152771382913736; Expires=Thu, 01-Oct-2015 14:56:05 GMT; Path=/; HttpOnly
    < Content-Type: application/vnd.abiquo.twofactorauthcredentials+json
    < Transfer-Encoding: chunked
    < Date: Thu, 01 Oct 2015 14:26:05 GMT
    
    {
       "authenticatorURL" : "otpauth://totp/Abiquo:admin?secret=UXEHFMAX7RXAJHYE&issuer=Abiquo",
       "links" : [],
       "provider" : "GOOGLE_AUTHENTICATOR",
       "scratchCodes" : [
          "88309169",
          "40838958",
          "93393020",
          "91684230",
          "17576595"
       ]
    }


    The value of the type field can be one of the following: EMAIL, GOOGLE_AUTHENTICATOR.
    The response comes with all the two-factor authentication details:

...

Once the user has the verification code, it can be provided in the X-Abiquo-OTP header, as follows:

Code Block
titleGET user info with the verification code
% curl -v -u admin:xabiquo http://example.com/api/login \
    -H "Accept:application/vnd.abiquo.user+xml" \
    -H "X-Abiquo-OTP: 670870"

> GET /api/login HTTP/1.1
> Authorization: Basic YWRtaW46eGFiaXF1bw==
> User-Agent: curl/7.38.0
> Host: example.com
> Accept:application/vnd.abiquo.user+xml
> X-Abiquo-OTP: 637614

< HTTP/1.1 200 OK
< Server: Apache-Coyote/1.1
< Set-Cookie: auth=YWRtaW46MTQ0MzcxMDM3NDgxMzphZjdjNTY1ZjJhNDgzNTc4Y2EyZGEzNTJiNTcwNmE3ZDpBQklRVU8; Expires=Thu, 01-Oct-2015 14:39:34 GMT; Path=/; HttpOnly
< Set-Cookie: ABQSESSIONID=1691863788974462744; Expires=Thu, 01-Oct-2015 14:39:34 GMT; Path=/; HttpOnly
< Content-Type: application/vnd.abiquo.user+xml
< Content-Length: 1422


<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<user>
 <link title="Abiquo" rel="enterprise" type="application/vnd.abiquo.enterprise+xml" href="http://example.com:80/api/admin/enterprises/1"/>
 <link title="CLOUD_ADMIN" rel="role" type="application/vnd.abiquo.role+xml" href="http://example.com:80/api/admin/roles/1"/>
 <link title="admin" rel="edit" type="application/vnd.abiquo.user+xml" href="http://example.com:80/api/admin/enterprises/1/users/1"/>
 <link title="virtual machines" rel="virtualmachines" type="application/vnd.abiquo.virtualmachines+xml" href="http://example.com:80/api/admin/enterprises/1/users/1/action/virtualmachines"/>
 <link title="pending tasks" rel="pendingtasks" type="application/vnd.abiquo.tasks+xml" href="http://example.com:80/api/admin/enterprises/1/users/1/action/pendingtasks"/>
 <link title="applications" rel="applications" type="application/vnd.abiquo.applications+xml" href="http://example.com:80/api/admin/enterprises/1/users/1/applications"/>
 <link title="enable two factor authentication" rel="enable2fa" type="application/vnd.abiquo.twofactorauthcredentials+xml" href="http://example.com:80/api/admin/enterprises/1/users/1/action/enable2fa"/>
 <id>1</id>
 <nick>admin</nick>
 <name>Cloud</name>
 <surname>Administrator</surname>
 <description>Main administrator</description>
 <email></email>
 <locale>en_US</locale>
 <authType>ABIQUO</authType>
 <active>true</active>
 <firstLogin>false</firstLogin>
 <locked>false</locked>
</user>
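
As an added example (not Abiquo's code), this ties the enable2fa response above to the X-Abiquo-OTP request: it parses the authenticatorURL the action returns, derives the RFC 6238 TOTP code that Google Authenticator would show, and builds the X-Abiquo-OTP header for the login request. The verify function is a constructed server-side check (Abiquo's own verifier is not shown on the page); the skew window and the digits/period defaults are assumptions.

```python
import base64
import hashlib
import hmac
import struct
import time
from urllib.parse import parse_qs, unquote, urlparse

def parse_otpauth(url):
    """Pull label, secret and issuer out of an otpauth://totp/... URL such as
    the authenticatorURL the enable2fa action returns."""
    parts = urlparse(url)
    if parts.scheme != "otpauth" or parts.netloc != "totp":
        raise ValueError("not a TOTP provisioning URL")
    params = {k: v[0] for k, v in parse_qs(parts.query).items()}
    return {"label": unquote(parts.path.lstrip("/")), "secret": params["secret"],
            "issuer": params.get("issuer"), "digits": int(params.get("digits", 6)),
            "period": int(params.get("period", 30))}

def totp(secret_b32, at=None, digits=6, period=30):
    """RFC 6238 TOTP over HMAC-SHA1, the Google Authenticator defaults."""
    key = base64.b32decode(secret_b32.upper() + "=" * (-len(secret_b32) % 8))
    counter = int(time.time() if at is None else at) // period
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation (RFC 4226)
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def otp_header(provisioning_url, at=None):
    """Build the X-Abiquo-OTP header the page sends with the login request."""
    p = parse_otpauth(provisioning_url)
    return {"X-Abiquo-OTP": totp(p["secret"], at, p["digits"], p["period"])}

def verify(secret_b32, candidate, at, window=1, digits=6, period=30):
    """Constructed server-side check (Abiquo's own verifier is not shown): accept
    +/- `window` time steps of clock skew and compare in constant time."""
    return any(hmac.compare_digest(totp(secret_b32, at + s * period, digits, period), candidate)
               for s in range(-window, window + 1))
```

The secret in the page's sample URL is the one the user's authenticator app holds, so the provisioning response itself must be protected in transit and at rest as carefully as a password; the scratchCodes in the same response are single-use recovery values and deserve the same handling.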

...