Red Hat SummitEste conteúdo não está disponível no idioma selecionado.
Chapter 3. Authenticating API Calls
Interaction with the Satellite API requires SSL authentication with Satellite Server CA certificate and authentication with valid Satellite user credentials. This chapter outlines the authenticating methods you can use.
3.1. SSL Authentication Overview
Red Hat Satellite uses HTTPS, which provides a degree of encryption and identity verification when communicating with a Red Hat Satellite Server. Satellite 6.7 does not support non-SSL communications.
Each Red Hat Satellite Server uses a self-signed certificate. This certificate acts as both the server certificate to verify the encryption key and the certificate authority (CA) to trust the identity of Satellite Server.
3.1.1. Configuring SSL Authentication
Use the following procedure to configure an SSL authentication for the API requests to Satellite Server.
Procedure
Obtain a certificate from the Satellite Server with which you want to communicate using one of the following options:
If you execute the command from a remote server, obtain a certificate using SSH:
scp root@satellite.example.com:/var/www/html/pub/katello-server-ca.crt ./
$ scp root@satellite.example.com:/var/www/html/pub/katello-server-ca.crt ./Copy to Clipboard Copied! Toggle word wrap Toggle overflow If you execute the command directly on the Satellite Server, copy the certificate to the current directory:
cp /var/www/html/pub/katello-server-ca.crt ./
$ cp /var/www/html/pub/katello-server-ca.crt ./Copy to Clipboard Copied! Toggle word wrap Toggle overflow
Use the API request with the
--cacert katello-server-ca.crtoption to verify the identity of the Satellite Server:Copy to Clipboard Copied! Toggle word wrap Toggle overflow Create a Network Security Services (NSS) database to store the
katello-server-ca.crtcertificate:certutil -N -d sql:$HOME/.pki/nssdb
$ certutil -N -d sql:$HOME/.pki/nssdbCopy to Clipboard Copied! Toggle word wrap Toggle overflow Permanently include the certificate in the NSS database:
certutil -d sql:$HOME/.pki/nssdb -A -t TC -n "Red Hat Satellite" \ -i katello-server-ca.crt
$ certutil -d sql:$HOME/.pki/nssdb -A -t TC -n "Red Hat Satellite" \ -i katello-server-ca.crtCopy to Clipboard Copied! Toggle word wrap Toggle overflow Verify that the certificate is present in the NSS database by entering the API request without the
--cacertoption:curl --request GET \ --user sat_username:sat_password \ https://satellite.example.com/api/v2/hosts
$ curl --request GET \ --user sat_username:sat_password \ https://satellite.example.com/api/v2/hostsCopy to Clipboard Copied! Toggle word wrap Toggle overflow
3.2. HTTP Authentication Overview
All requests to the Satellite API require a valid Satellite user name and password. The API uses HTTP Basic Authentication to encode these credentials and add to the Authorization header. For more information about Basic Authentication, see RFC 2617 HTTP Authentication: Basic and Digest Access Authentication. If a request does not include an appropriate Authorization header, the API returns a 401 Authorization Required error
Basic authentication involves potentially sensitive information, for example, it sends passwords as plain text. The REST API requires HTTPS for transport level encryption of plain text requests.
Some base64 libraries break encoded credentials into multiple lines and terminate each line with a newline character. This invalidates the header and causes a faulty request. The Authorization header requires that the encoded credentials be on a single line within the header.
3.3. OAuth Authentication Overview
As an alternative to basic authentication, you can use limited OAuth 1.0 authentication. This is sometimes referred to as 1-legged OAuth in version 1.0a of the protocol.
To view OAuth settings, in the Satellite web UI, navigate to Administer > Settings > Authentication. The OAuth consumer key is the token to be used by all OAuth clients.
Satellite stores OAuth settings in the /etc/foreman/settings.yaml file. Use the satellite-installer script to configure these settings, because Satellite overwrites any manual changes to this file when upgrading.
3.3.1. Configuring OAuth
To change the OAuth settings, enter the satellite-installer with the required options. Enter the following command to list all the OAuth related installer options:
satellite-installer --full-help | grep oauth
# satellite-installer --full-help | grep oauthEnabling OAuth mapping
By default, Satellite authorizes all OAuth API requests as the built-in anonymous API administrator account. Therefore, API responses include all Satellite data. However, you can also specify the Foreman user that makes the request and restrict access to data to that user.
To enable OAuth user mapping, enter the following command:
satellite-installer --foreman-oauth-map-users true
# satellite-installer --foreman-oauth-map-users trueSatellite does not sign the header in an OAuth request. Anyone with a valid consumer key can impersonate any Foreman user.
3.3.2. OAuth Request Format
Use an OAuth client library to construct all OAuth parameters. Every OAuth API request requires the FOREMAN-USER header with the login of an existing Foreman user and the Authorization header in the following format:
--header 'FOREMAN-USER: sat_username' \ --header 'Authorization: OAuth oauth_version="1.0",oauth_consumer_key="secretkey",oauth_signature_method="hmac-sha1",oauth_timestamp=1321473112,oauth_signature=Il8hR8/ogj/XVuOqMPB9qNjSy6E='
--header 'FOREMAN-USER: sat_username' \
--header 'Authorization: OAuth oauth_version="1.0",oauth_consumer_key="secretkey",oauth_signature_method="hmac-sha1",oauth_timestamp=1321473112,oauth_signature=Il8hR8/ogj/XVuOqMPB9qNjSy6E='Example
This example lists architectures using OAuth for authentication. The request uses a sat_username username in the FOREMAN-USER header. With the --foreman-oauth-map-users set to true, the response includes only architectures that the user has access to view. The signature reflects every parameter, HTTP method, and URI change.
Example request:
curl 'https://satellite.example.com/api/architectures' \ --header 'Content-Type: application/json' \ --header 'Accept: application/json,version=2' \ --header 'FOREMAN-USER: sat_username' \ --header 'Authorization: OAuth oauth_version="1.0",oauth_consumer_key="secretkey",oauth_signature_method="hmac-sha1",oauth_timestamp=1321473112,oauth_signature=Il8hR8/ogj/XVuOqMPB9qNjSy6E='
$ curl 'https://satellite.example.com/api/architectures' \
--header 'Content-Type: application/json' \
--header 'Accept: application/json,version=2' \
--header 'FOREMAN-USER: sat_username' \
--header 'Authorization: OAuth oauth_version="1.0",oauth_consumer_key="secretkey",oauth_signature_method="hmac-sha1",oauth_timestamp=1321473112,oauth_signature=Il8hR8/ogj/XVuOqMPB9qNjSy6E='
'%20d='M201.5%20305.5c-13.8%200-24.9-11.1-24.9-24.6%200-13.8%2011.1-24.9%2024.9-24.9%2013.6%200%2024.6%2011.1%2024.6%2024.9%200%2013.6-11.1%2024.6-24.6%2024.6zM504%20256c0%20137-111%20248-248%20248S8%20393%208%20256%20119%208%20256%208s248%20111%20248%20248zm-132.3-41.2c-9.4%200-17.7%203.9-23.8%2010-22.4-15.5-52.6-25.5-86.1-26.6l17.4-78.3%2055.4%2012.5c0%2013.6%2011.1%2024.6%2024.6%2024.6%2013.8%200%2024.9-11.3%2024.9-24.9s-11.1-24.9-24.9-24.9c-9.7%200-18%205.8-22.1%2013.8l-61.2-13.6c-3-.8-6.1%201.4-6.9%204.4l-19.1%2086.4c-33.2%201.4-63.1%2011.3-85.5%2026.8-6.1-6.4-14.7-10.2-24.1-10.2-34.9%200-46.3%2046.9-14.4%2062.8-1.1%205-1.7%2010.2-1.7%2015.5%200%2052.6%2059.2%2095.2%20132%2095.2%2073.1%200%20132.3-42.6%20132.3-95.2%200-5.3-.6-10.8-1.9-15.8%2031.3-16%2019.8-62.5-14.9-62.5zM302.8%20331c-18.2%2018.2-76.1%2017.9-93.6%200-2.2-2.2-6.1-2.2-8.3%200-2.5%202.5-2.5%206.4%200%208.6%2022.8%2022.8%2087.3%2022.8%20110.2%200%202.5-2.2%202.5-6.1%200-8.6-2.2-2.2-6.1-2.2-8.3%200zm7.7-75c-13.6%200-24.6%2011.1-24.6%2024.9%200%2013.6%2011.1%2024.6%2024.6%2024.6%2013.8%200%2024.9-11.1%2024.9-24.6%200-13.8-11-24.9-24.9-24.9z'/%3e%3c/svg%3e){kind=small}