Comment: Published by Scroll Versions from space DEV and version r0641

...

Tip: API access tokens are the preferred method of authentication.

NOTE: This feature may need to be enabled in your instance of the platform. For more information, see Enable API Access Tokens.

Basic Steps:

  1. You submit a request to create a new access token.
    1. You can create and delete access tokens through the Settings area of the webapp. See Access Tokens Page.
    2. You can create access tokens through the REST API endpoint.
      1. If you do not have a valid access token, you must submit your request to the endpoint using one of the other forms of authentication.
      2. If you do have a valid access token, you can use it with your submission to generate a new access token.
      3. See API AccessTokens Create v4.
  2. With each request, you submit the token as part of the Authorization header.
  3. Continue using the token. As needed, you can create and use additional tokens. There is no limit to the number of tokens you can create.

Tip: API access tokens work seamlessly with platform-native SAML and LDAP SSO authentication. They do not work with the reverse proxy method of SSO authentication. Details are below.

For more information on this process, see Manage API Access Tokens.

...

This example submits authentication requirements over HTTP, including the username and password (me@example.com:me_pwd):

Code Block
$ curl  -u me@example.com:me_pwd \
    -b ~/cookies.txt -c ~/cookies.txt \
    http://<platform_host>:<platform_port_number>/v4/<endpoint>

where:

| Parameter | Description |
| --- | --- |
| -u me@example.com:me_pwd | Required username and password. |
| -b and -c | Required paths and filenames for storing sent and received HTTP cookies. |
| <platform_host> | Fully qualified name of the host of the platform. |
| <platform_port_number> | Port number through which to access the platform. Default is 3005. |
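
A hardened variant of the basic-auth call above, added here as an example and not taken from the original documentation. Passing `-u user:password` on the command line leaves the password in shell history and the process list, and over plain `http` the header is only Base64-encoded, so this sketch feeds the credentials to curl through an owner-only config file and refuses non-TLS URLs. The function names and file paths are hypothetical; `--config`, `user`, `cookie` and `cookie-jar` are standard curl options.

```shell
#!/bin/sh
# Added example: basic auth without credentials on the command line.

# Escape backslashes and double quotes for a double-quoted curl config value.
curl_cfg_escape() {
    printf '%s' "$1" | sed -e 's/\\/\\\\/g' -e 's/"/\\"/g'
}

# Usage: write_curl_config USER CONFIG_FILE COOKIE_JAR   (password on stdin)
write_curl_config() {
    user=$1 cfg=$2 jar=$3
    IFS= read -r pass || [ -n "$pass" ] || return 1
    (
        umask 077                      # a newly created config is owner-only
        : > "$cfg" || exit 1
        chmod 600 "$cfg"               # tighten it if the file already existed
        {
            printf 'user = "%s:%s"\n' \
                "$(curl_cfg_escape "$user")" "$(curl_cfg_escape "$pass")"
            printf 'cookie = "%s"\n' "$(curl_cfg_escape "$jar")"
            printf 'cookie-jar = "%s"\n' "$(curl_cfg_escape "$jar")"
        } >> "$cfg"
    )
}

# Refuse to send basic-auth credentials to a non-TLS URL.
require_https() {
    case $1 in
        https://*) return 0 ;;
        *) echo "refusing to send credentials over non-TLS URL: $1" >&2
           return 1 ;;
    esac
}

# Usage: api_get CONFIG_FILE URL
api_get() {
    require_https "$2" || return 1
    # umask in the subshell keeps a newly created cookie jar owner-only too.
    ( umask 077; curl --silent --show-error --fail --config "$1" "$2" )
}
```

The cookie jar holds the session cookie returned after authentication, so it needs the same file protection as the config file.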

 

SSO Authentication

You can use the APIs in SSO environments. Below, you can review the best method of authenticating to the APIs based on your SSO environment:

| SSO Type | API Auth |
| --- | --- |
| Platform-native SAML | API access tokens work seamlessly. Basic auth does not work. |
| Platform-native LDAP-AD | API access tokens work seamlessly. Basic auth does not work. |
| Reverse proxy SAML | Use basic auth described below. Additional configuration may be required. |
| Reverse proxy LDAP-AD | Use basic auth described below. Additional configuration may be required. |

In a single sign-on environment, you can use basic authentication to interact with the APIs.

NOTE: Enabling SSO integration with the platform requires additional configuration. See Configure SSO for AD-LDAP.

However, some changes are required:

  • Basic authentication to the gateway must be enabled as part of the configuration for the reverse proxy. This feature is enabled by default, but please verify that it has not been explicitly disabled in your environment. For more information, see Configure SSO for AD-LDAP.
  • You must authenticate using the SSO principal as the username and the LDAP or AD password associated with that user.
  • You must authenticate to the SSO gateway. In the platform, this value corresponds to the <platform_host>:<platform_port_number> value.

Example:

Code Block
$ curl  -u myUser@example.com:foobar -x http://<platform_host>:<platform_port_number> \
    -b ~/cookies.txt -c ~/cookies.txt \
    http://<platform_host>:<platform_port_number>/v4/<endpoint>

NOTE: For the protocol identifier, you can also use https if SSL is enabled. See Install SSL Certificate.

| Parameter | Description |
| --- | --- |
| myUser@example.com:foobar | LDAP principal and password associated with that username. |

For more information, see Configure SSO for AD-LDAP.

...

Credentials are authenticated by the KDC for each request. 

NOTE: SPNEGO must be enabled and configured for your REST client or programming library.

...

  1. Verify that your version of cURL supports GSS:

    Code Block
    $ curl -V
    curl 7.51.0 (x86_64-apple-darwin16.0) libcurl/7.51.0 SecureTransport zlib/1.2.8
    Protocols: dict file ftp ftps gopher http https imap imaps ldap ldaps pop3 pop3s rtsp smb smbs smtp smtps telnet tftp
    Features: AsynchDNS IPv6 Largefile GSS-API Kerberos SPNEGO NTLM NTLM_WB SSL libz UnixSockets
  2. Verify that GSS-API and SPNEGO are in the output.
  3. Run kinit and authenticate using the Hadoop principal:

    Code Block
    $ kinit
    Please enter the password for [hadoop.user.principal]@localhost:
    $ 
  4. Access using cURL:

    Code Block
    $ curl --negotiate -u anything \
        -b ~/cookies.txt -c ~/cookies.txt \
        http://<platform_host>:<platform_port_number>/v4/<endpoint>

    where:

    | Parameter | Description |
    | --- | --- |
    | --negotiate | Enables SPNEGO use in cURL. This option requires a library built with GSS-API or SSPI support. If this option is used several times, only the first one is used. Use --proxy-negotiate to enable Negotiate (SPNEGO) for proxy authentication. |
    | -u anything | Required username. However, this username is ignored. Instead, the principal used in kinit is applied. |
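
Steps 1 to 3 above can be checked by a script before `--negotiate` is used. The following is an added example, not part of the original documentation: it parses the Features line of `curl -V`, matches whole feature names (so `NTLM_WB` does not count as `NTLM`), and then tests for a valid ticket cache with `klist -s`. The function names are hypothetical; the first sample line is the Features line shown in step 1 and the second is constructed.

```shell
#!/bin/sh
# Added example: preflight for SPNEGO access with curl --negotiate.

# Print the space-separated feature list from `curl -V` output on stdin.
curl_features() {
    sed -n 's/^Features:[[:space:]]*//p'
}

# Return 0 only if every named feature is present as a whole word.
# Usage: has_features "<feature list>" FEATURE...
has_features() {
    list=" $1 "
    shift
    for want in "$@"; do
        case $list in
            *" $want "*) ;;
            *) echo "curl build lacks $want" >&2; return 1 ;;
        esac
    done
}

# Feature check first, then a valid Kerberos ticket cache.
# `klist -s` prints nothing and reports the result in its exit status.
spnego_preflight() {
    has_features "$(curl -V | curl_features)" GSS-API SPNEGO || return 1
    klist -s || { echo "no valid Kerberos ticket; run kinit" >&2; return 1; }
}

# Sample input: the Features line from step 1, and a constructed line for
# a build without GSS-API, Kerberos or SPNEGO support.
SAMPLE_GSS='Features: AsynchDNS IPv6 Largefile GSS-API Kerberos SPNEGO NTLM NTLM_WB SSL libz UnixSockets'
SAMPLE_NO_GSS='Features: AsynchDNS IPv6 Largefile NTLM NTLM_WB SSL libz UnixSockets'
```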

For more information:

...