SDN Controller Programming Guide

Authentication
The HP VAN SDN Controller's REST APIs are secured by a token-based authentication scheme, with
OpenStack Keystone [9] acting as the token service.
This security mechanism:
- Provides user authentication with RBAC support (the roles of the authenticated subject are
  attached to the request).
- Completely isolates the security mechanism from the underlying RESTful API.
- Works with OpenStack Keystone, although Keystone itself is not a requirement.
- Exposes a RESTful API so that any authentication server implementing that API can be hosted
  elsewhere (outside the SDN appliance).
This security mechanism does not:
- Provide authorization. Authorization must be implemented by the application, based on the
  authenticated subject's roles.
- Support filtering functionality such as blacklisting or rate limiting.
To isolate security aspects from the API, authentication information is encapsulated in a token
that a user obtains by presenting credentials to an Authentication Server. The user then sends this
token in the X-Auth-Token header of every API call that requires authentication. The token is
validated by an Authentication Filter that fronts the requested API resource. Upon successful
authentication, the request is forwarded to the RESTful API together with the principal's
information:
- User ID
- User name
- User roles
- Expiration date
Upon unsuccessful authentication (no token, or an invalid or expired token), it is up to the
application to deny or allow access to its resource. This flexibility allows the application to
implement its own authorization mechanism, such as ACL-based access control, or even to allow
anonymous operations on certain resources. Because the filter never rejects a request itself,
every resource that is not meant to be anonymous must check explicitly that a principal is present
and has the required roles; a resource that omits that check is open to unauthenticated callers.
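The split described above, between an Authentication Filter that only validates the token and a
resource that makes its own authorization decision, is shown below as an added example. It is not
code from the HP VAN SDN Controller or from OpenStack Keystone: the in-memory AuthServer class
stands in for the Authentication Server, the resource names (/topology, /flows), the role name
sdn-admin and the user records are constructed for illustration, and the clock is passed in
explicitly so that token expiry can be exercised.

```python
"""Token-based authentication in front of REST resources (added example).

AuthServer is an in-memory stand-in for the Authentication Server (Keystone
in the product); routes, roles and users are constructed sample data.
"""
import secrets
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, Mapping, Optional, Tuple


@dataclass(frozen=True)
class Principal:
    """Information the filter forwards to the resource after a valid token."""
    user_id: str
    user_name: str
    roles: Tuple[str, ...]
    expires_at: datetime


class AuthServer:
    """Exchanges credentials for an opaque token and validates tokens.

    Assumed for this example only; the product reaches Keystone over REST.
    """

    def __init__(self, users: Mapping[str, Tuple[str, str, Tuple[str, ...]]],
                 ttl: timedelta = timedelta(hours=1)) -> None:
        # user_name -> (password, user_id, roles): constructed sample data
        self._users = dict(users)
        self._tokens: Dict[str, Principal] = {}
        self._ttl = ttl

    def issue_token(self, user_name: str, password: str, now: datetime) -> Optional[str]:
        record = self._users.get(user_name)
        # Constant-time compare so the password check does not leak by timing
        if record is None or not secrets.compare_digest(record[0].encode(), password.encode()):
            return None
        token = secrets.token_urlsafe(32)  # opaque, unguessable token
        self._tokens[token] = Principal(record[1], user_name, record[2], now + self._ttl)
        return token

    def validate(self, token: str, now: datetime) -> Optional[Principal]:
        principal = self._tokens.get(token)
        if principal is None or now >= principal.expires_at:
            return None  # unknown or expired token
        return principal


def auth_filter(server: AuthServer, headers: Mapping[str, str],
                now: datetime) -> Optional[Principal]:
    """Authentication Filter: validates X-Auth-Token and nothing else.

    Returns the principal on success and None otherwise; it never rejects
    the request itself, leaving the allow/deny decision to the resource.
    """
    token = headers.get("X-Auth-Token")
    if not token:
        return None
    return server.validate(token, now)


# --- Application resources: authorization decisions live here ---------------

def get_topology(principal: Optional[Principal]) -> Tuple[int, str]:
    """Read-only resource that deliberately permits anonymous access."""
    who = principal.user_name if principal else "anonymous"
    return 200, f"topology for {who}"


def delete_flows(principal: Optional[Principal]) -> Tuple[int, str]:
    """Mutating resource: requires a valid token and the sdn-admin role."""
    if principal is None:
        return 401, "authentication required"
    if "sdn-admin" not in principal.roles:
        return 403, f"role sdn-admin required, have {list(principal.roles)}"
    return 200, f"flows deleted by {principal.user_id}"


ROUTES = {("GET", "/topology"): get_topology, ("DELETE", "/flows"): delete_flows}


def dispatch(server: AuthServer, method: str, path: str,
             headers: Mapping[str, str], now: datetime) -> Tuple[int, str]:
    """Run the filter, then hand the (possibly absent) principal to the resource."""
    handler = ROUTES.get((method, path))
    if handler is None:
        return 404, "no such resource"
    return handler(auth_filter(server, headers, now))


if __name__ == "__main__":
    t0 = datetime(2024, 1, 1, tzinfo=timezone.utc)
    server = AuthServer({"alice": ("s3cret", "u-1", ("sdn-admin",)),
                         "bob": ("pw", "u-2", ("sdn-user",))})
    admin = server.issue_token("alice", "s3cret", t0)
    print(dispatch(server, "DELETE", "/flows", {}, t0))
    print(dispatch(server, "DELETE", "/flows", {"X-Auth-Token": admin}, t0))
    print(dispatch(server, "DELETE", "/flows", {"X-Auth-Token": admin}, t0 + timedelta(hours=2)))
```

Note that the GET on /topology succeeds with no token at all, while the DELETE on /flows returns
401 for a missing, bogus or expired token and 403 for a valid token without the sdn-admin role.
The 401 and 403 paths are both the resource's own decisions, which is why each non-anonymous
resource has to carry that check.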
The flow of token-based authentication in the HP VAN SDN Controller can be summarized as
illustrated in Figure 9.