Chapter 3. API call authentication
Interaction with the Satellite API requires SSL authentication with the Satellite Server CA certificate and authentication with valid Satellite user credentials. You can use the following authentication methods.
3.1. SSL authentication overview
Red Hat Satellite uses HTTPS, which provides a degree of encryption and identity verification when communicating with Satellite Server. Satellite 6.18 does not support non-SSL communications.
By default, Satellite Server uses a self-signed certificate. This certificate acts as both the server certificate to verify the encryption key and the certificate authority (CA) to trust the identity of Satellite Server.
You can configure Satellite Server to use a custom SSL certificate. For more information, see Configuring Satellite Server with a custom SSL certificate in Installing Satellite Server in a connected network environment. For more information on disconnected Satellite Server, see Configuring Satellite Server with a custom SSL certificate in Installing Satellite Server in a disconnected network environment.
3.1.1. Configuring SSL authentication
Configure SSL authentication for API requests to Satellite Server.
Procedure
- Obtain a certificate from your Satellite Server by using one of the following options:
  - If you plan to call the API from a remote server, download the CA certificate:
        $ curl \
          --output /etc/pki/ca-trust/source/anchors/satellite.example.com-katello-server-ca.crt \
          http://satellite.example.com/pub/katello-server-ca.crt
  - If you plan to call the API directly on your Satellite Server, copy the certificate to the /etc/pki/ca-trust/source/anchors directory:
        # cp /var/www/html/pub/katello-server-ca.crt /etc/pki/ca-trust/source/anchors/satellite.example.com-katello-server-ca.crt
- Add the certificate to the list of trusted CAs:
        $ update-ca-trust extract
Verification
Verify that your client trusts the Satellite SSL certificate by entering the API request without the --cacert option:
    $ curl \
      --request GET \
      --user My_User_Name:My_Password \
      https://satellite.example.com/api/v2/hosts
3.2. HTTP authentication overview
All requests to the Satellite API require a valid Satellite user name and password. The API uses Basic HTTP authentication to encode these credentials and add them to the Authorization header. For more information about Basic authentication, see RFC 2617 HTTP Authentication: Basic and Digest Access Authentication. If a request does not include an appropriate Authorization header, the API returns a 401 Authorization Required error.
Basic authentication involves potentially sensitive information; for example, it sends passwords as plain text. The REST API requires HTTPS for transport-level encryption of plain text requests.
Some base64 libraries break encoded credentials into multiple lines and terminate each line with a newline character. This invalidates the header and causes a faulty request. The Authorization header requires the encoded credentials to be on a single line within the header.
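The line-wrapping failure described above, shown with Python's standard base64 module. This is an added example, not code from the Satellite documentation; the function names and the sample user name and token are constructed for illustration.

```python
import base64


def is_single_line(value: str) -> bool:
    """True if the header value contains no CR or LF characters."""
    return "\r" not in value and "\n" not in value


def wrapped_basic_auth(user: str, secret: str) -> str:
    """Failure mode: encodebytes() emits a newline after every 76 output
    characters and at the end, so the value is never a single line."""
    raw = f"{user}:{secret}".encode("utf-8")
    return "Basic " + base64.encodebytes(raw).decode("ascii")


def basic_auth(user: str, secret: str) -> str:
    """Build a single-line Basic value; b64encode() never inserts newlines."""
    if ":" in user:
        # RFC 2617: the userid cannot contain ':', the user/password separator.
        raise ValueError("user name must not contain ':'")
    if not is_single_line(user + secret):
        raise ValueError("credentials must not contain CR or LF")
    raw = f"{user}:{secret}".encode("utf-8")
    return "Basic " + base64.b64encode(raw).decode("ascii")


def decode_basic_auth(value: str) -> tuple[str, str]:
    """What a strict receiver does: reject multi-line values, split at first ':'."""
    if not is_single_line(value):
        raise ValueError("Authorization value spans multiple lines")
    scheme, _, encoded = value.partition(" ")
    if scheme != "Basic":
        raise ValueError("not a Basic credential")
    decoded = base64.b64decode(encoded, validate=True).decode("utf-8")
    user, _, secret = decoded.partition(":")
    return user, secret


# Constructed sample values, not real credentials.
USER = "My_Username"
TOKEN = "constructed-token-" + "x" * 46  # 64 characters, long enough to wrap

if __name__ == "__main__":
    good, bad = basic_auth(USER, TOKEN), wrapped_basic_auth(USER, TOKEN)
    print("b64encode   ->", repr(good), is_single_line(good))
    print("encodebytes ->", repr(bad), is_single_line(bad))
    print("round trip  ->", decode_basic_auth(good) == (USER, TOKEN))
```

Even a short credential pair fails with the wrapping encoder, because it always appends a trailing newline; a long Personal Access Token adds a second break in the middle of the value.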
3.3. Token authentication overview
Red Hat Satellite supports Personal Access Tokens that you can use to authenticate API requests instead of using your password. You can set an expiration date for your Personal Access Token and you can revoke it if you decide it should expire before the expiration date.
3.3.1. Creating a Personal Access Token
Use this procedure to create a Personal Access Token.
Procedure
- In the Satellite web UI, navigate to Administer > Users.
- Select a user for which you want to create a Personal Access Token.
- On the Personal Access Tokens tab, click Add Personal Access Token.
- Enter a Name for your Personal Access Token.
- Optional: Select the Expires date to set an expiration date. If you do not set an expiration date, your Personal Access Token will never expire unless revoked.
- Click Submit. You now have the Personal Access Token available to you on the Personal Access Tokens tab.
Important: Ensure that you store your Personal Access Token, because you will not be able to access it again after you leave the page or create a new Personal Access Token. You can click Copy to clipboard to copy your Personal Access Token.
Verification
Make an API request to your Satellite Server and authenticate with your Personal Access Token:
    $ curl \
      --user My_Username:My_Personal_Access_Token \
      https://satellite.example.com/api/status
You should receive a response with status 200, for example:
    {"satellite_version":"6.18.0","result":"ok","status":200,"version":"3.5.1.10","api_version":2}
If you go back to the Personal Access Tokens tab, you can see the updated Last Used time next to your Personal Access Token.
3.3.2. Revoking a Personal Access Token
Use this procedure to revoke a Personal Access Token before its expiration date.
Procedure
- In the Satellite web UI, navigate to Administer > Users.
- Select a user for which you want to revoke the Personal Access Token.
- On the Personal Access Tokens tab, locate the Personal Access Token you want to revoke.
- Click Revoke in the Actions column next to the Personal Access Token you want to revoke.
Verification
Make an API request to your Satellite Server and try to authenticate with the revoked Personal Access Token:
    $ curl \
      --user My_Username:My_Personal_Access_Token \
      https://satellite.example.com/api/status
You receive the following error message:
    { "error": {"message":"Unable to authenticate user My_Username"} }