HP SDN REST API and Security Technical Configuration Guide
Version: 1 September 2013
Table of Contents
Introduction
  What is REST?
  HP SDN Controller REST API
  Security
  REST APIs
REST API via curl
  API Discovery
  RSDoc Discovery
  View headers
Flow Manipulation via Curl
  Re-route web traffic between h11 and h44 through spine switch 01
Keystone
Frequently Asked Questions
Resources, contacts, or additional links
  Learn more at hp.com/Networking
Introduction

What is REST?
Representational state transfer (REST) is a style of software architecture for distributed systems such as the World Wide Web. A RESTful API is accessed over the Hypertext Transfer Protocol (HTTP), whether the client is a command-line tool, a program, or a browser page making AJAX requests.
Developed by Roy Fielding, REST is a simple way to organize interactions between independent systems. It lets clients and servers interact with minimal overhead, less than comparable protocols such as SOAP (Simple Object Access Protocol).
The developers of the HP SDN Controller chose REST because of its simplicity, scalability and interoperability. Many cloud services such as Twitter, Netflix, Google and eBay use REST for the same reasons.
It is important to realize that REST is stateless: each request carries everything the server needs to process it, and the server keeps no client session between requests. This is one of the core concepts that enable scalability in RESTful APIs. In the HP SDN Controller, the authentication state a session would otherwise hold is carried instead by the X-Auth-Token header sent with every call.
HP SDN Controller REST API
The HP SDN Controller REST API has been updated to version 2.0, which is not backwards compatible with version 1.0. The major version number therefore appears in the path naming convention (/sdn/v2.0).
The API is segmented into three main namespaces or parts:
1. The /sdn/v2.0 core API. This contains the core functionality of the API such as alerts, support logs, backup and restore, basic information and management of the controller, as well as HA.
2. The second namespace is /sdn/v2.0/of, which contains the OpenFlow APIs. This is how you interact with the flow controller aspect of the HP SDN controller. It provides flow mods, flow statistics and datapath information, amongst others.
3. The third namespace is /sdn/v2.0/net. This provides the network service functionality, such as topology information, path planning and support tools for tracing packets that traverse the network.
The HP SDN controller provides a flexible environment for development and extensions. Extensions added to the SDN controller must follow the REST API naming convention, so that extensions from different vendors do not clash with each other. The current specification requires /Ext/<Vendor ID>/<extension>; for example, /Ext/Cisco/Router would be a Cisco router extension. This naming convention keeps extension paths globally unique without any need to register them with HP.
Security
The REST APIs need to be secure. TLS protects the connection, and a token-based authentication mechanism protects the API; the tokens are issued and validated by OpenStack Keystone.
The SDN Controller ships with OpenStack Keystone and requires the Keystone v2 API. Keystone is a separate piece of software from the core Controller software. Every API call is authenticated against Keystone: a token can be reused across many calls, but each call must present it and each call is validated. A token expires 24 hours after it is issued.
Tokens are obtained via an HTTP POST with user and password credentials. This uses the namespace: /sdn/v2.0/auth
The SDN appliance in the diagram represents the HP SDN Controller, which has a Keystone service embedded. An external Keystone server could also be used; this is represented by the External Authentication Server box in the diagram. It suits an enterprise environment where a customer already runs a separate authentication server. Keystone supports LDAP, so the external server could also be integrated with Active Directory.
The first step is to generate a token using username and password credentials. The credentials are posted, through the controller's web proxy service, to the /sdn/v2.0/auth URL. Once the username and password have been authenticated, a token valid for 24 hours is returned. This token is then carried in the X-Auth-Token header of API calls. The token is a bearer credential: whoever holds it can act as that user for the rest of its lifetime, much like a temporary key to a house, so it should be guarded carefully (keep it out of logs, URLs and shared screenshots) to mitigate security risks.
Once the token is received, it must be sent in the X-Auth-Token header of every API call made against the HP SDN Controller. The Controller then asks Keystone to validate the token. The validation also returns the username, the project name (in this case sdn) and role information, which the Controller uses to check that the user is authorized to execute the API. Token validation therefore covers both authentication and authorization; if the user is not authorized, the API call is rejected.
There are two exceptions to the requirement of having a token. The first is /sdn/v2.0/auth, as this is the authentication service itself. The other path that does not require a token is API discovery: a client connects to the root path and the controller returns a list of available APIs and information about their use. All other APIs in the controller require a token for authentication.
Figure 1: REST API
REST APIs
Here is an overview of some of the namespaces used by the SDN REST APIs.
Some of the entries listed here are still under development (note the Sprint column). Rather than referring to a document, however, it is easier to view this information through the built-in help on the controller: RSdoc.
RSdoc is an interactive, online API documentation tool that ships with the SDN controller. It is accessed at the following URL: https://<Controller-IP>:8443/api.
Figure 2: REST API
REST API via curl

Start Mininet against the SDN Controller
To show the basic API functionality, start Mininet on the Controller VM and generate flows with the pingall command:
sdn@sdndev:~$ ssh sdnctl
sdn@sdnctl:~$ sudo bin/tt.py 192.168.56.7
mininet> pingall
...
Obtain an Auth Token and save it
cURL is a command line tool for transferring data using various protocols. It lets you send requests and files from the CLI using URL syntax.
Before any data can be retrieved, a token is required. To get a token, the following command can be used:
sdn@sdndev:~$ curl -sk -H 'Content-Type:application/json' \
-X POST http://192.168.56.7:8080/sdn/v2.0/auth \
-d '{ "login": { "user": "sdn", "password": "skyline" }}'
-X: sends an HTTP POST to http://192.168.56.7:8080/sdn/v2.0/auth
-d: specifies the login information, here a username of "sdn" and a password of "skyline"
-H: (H = header) sets the Content-Type header to application/json, so the controller parses the body as JSON
-sk: -s silences curl's progress output; -k tells curl not to verify the server certificate. The Controller uses a self-signed certificate, which curl would otherwise reject.
Two points matter outside a lab. First, this example posts the password over plain HTTP on port 8080; the controller's TLS endpoint is on port 8443 (the port that appears in the Location header returned later in this guide), and credentials and tokens should only be sent there. Second, -k accepts any certificate, including one presented by a machine in the middle; the safer option is to export the controller's self-signed certificate once and pass it to curl with --cacert, so that the certificate is actually verified.
Example:
sdn@sdndev:~$ curl -sk -H 'Content-Type:application/json' -d '{"login":{"user":"sdn", "password":"skyline"}}' http://192.168.56.7:8080/sdn/v2.0/auth
{"record":{"token":"6558d3fc74444e289b72f7cf23148d6d","expiration":1375631592000,"expirationDate":"2013-08-04 08-53-12 -0700","userId":"1cda5d05c628443eaf553dfebc718f8a","userName":"sdn","domainId":"","domainName":""}}
sdn@sdndev:~$
To save the token for later use, export it as a shell variable (the value then also sits in your shell history and environment, so unset it when you are done):
sdn@sdndev:~$ export token="6558d3fc74444e289b72f7cf23148d6d"
The variable $UMS used in the commands that follow holds the controller's base URL. It is assumed to be set on the developer VM; judging from the Location header the controller returns later in this guide, it corresponds to https://192.168.56.7:8443/sdn.
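The token flow described in the Security section and in the curl steps above, as an added example that is not part of the HP guide: a small POSIX shell script that logs in to /sdn/v2.0/auth, parses the token and its expiry out of the response (the guide's own sample response is embedded so the parsing can be exercised without a controller), checks whether the token is still valid, and reuses it for later calls over the TLS endpoint on port 8443. The certificate file path, the SDN_PASSWORD variable and the RUN_LIVE switch that guards the network calls are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not from the HP guide: obtain a token from /sdn/v2.0/auth,
# keep the password off the command line, and reuse the token for later calls
# over the controller's TLS endpoint with a pinned certificate instead of -k.
# CACERT, SDN_PASSWORD and RUN_LIVE are assumptions made for this example.

CTL="${CTL:-192.168.56.7}"                    # controller address used in the guide
UMS="${UMS:-https://$CTL:8443/sdn}"           # base URL; matches the Location header the controller returns
CACERT="${CACERT:-$HOME/sdn-controller.pem}"  # assumed: the controller's self-signed cert, exported once

# The auth response exactly as printed in the guide, kept here so the parsing
# functions below can be exercised without a controller.
SAMPLE_AUTH_RESPONSE='{"record":{"token":"6558d3fc74444e289b72f7cf23148d6d","expiration":1375631592000,"expirationDate":"2013-08-04 08-53-12 -0700","userId":"1cda5d05c628443eaf553dfebc718f8a","userName":"sdn","domainId":"","domainName":""}}'

# JSON login body for POST /sdn/v2.0/auth (no JSON escaping; fine for the
# plain credentials used in the guide).
auth_body() {
    printf '{"login":{"user":"%s","password":"%s"}}' "$1" "$2"
}

# Token value from the auth response; prints nothing if the login failed.
extract_token() {
    printf '%s' "$1" | sed -n 's/.*"token":"\([0-9a-f]*\)".*/\1/p'
}

# Expiry from the auth response, in epoch milliseconds.
extract_expiration_ms() {
    printf '%s' "$1" | sed -n 's/.*"expiration":\([0-9]*\).*/\1/p'
}

# Exit 0 if a token expiring at EXP_MS is still usable at NOW_S (epoch seconds).
token_valid_at() {
    [ "$(($1 / 1000))" -gt "$2" ]
}

# Live: log in and print the token. The password comes from $SDN_PASSWORD and
# the body is fed to curl on stdin (-d @-), so neither shows up in `ps` output
# or in shell history the way the literal -d '{"login":...}' in the guide does.
sdn_login() {
    resp=$(auth_body "$1" "$SDN_PASSWORD" \
        | curl -s --cacert "$CACERT" -H 'Content-Type:application/json' \
              -X POST -d @- "$UMS/v2.0/auth")
    tok=$(extract_token "$resp")
    [ -n "$tok" ] || { echo "login failed" >&2; return 1; }
    printf '%s\n' "$tok"
}

# Live: authenticated GET of a path below $UMS, e.g. /v2.0/of/datapaths.
sdn_get() {
    curl -s --cacert "$CACERT" -H "X-Auth-Token:$token" "$UMS$1"
}

if [ -n "$RUN_LIVE" ]; then
    token=$(sdn_login sdn) || exit 1
    export token
    sdn_get /v2.0/of/datapaths
fi
```

Run it with `SDN_PASSWORD=... RUN_LIVE=1 sh sdn-auth.sh` once the controller's certificate has been saved to the CACERT path. Pinning the certificate with --cacert replaces -k: curl still talks to the self-signed controller, but a different certificate (a proxy or an impostor) now fails verification instead of being accepted silently. Checking the expiry before each scripted run avoids a burst of 401 responses when a 24-hour-old token is reused.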
List Datapaths
The token can now be used to view information on the Controller, such as the switches it manages. Use the following command (the token shown here is a literal from another session; with the variable exported above, use "X-Auth-Token:$token" instead):
sdn@sdndev:~$ curl -sk -H "X-Auth-Token:e323bc23220c42ba96ca0a01cce13218" $UMS/v2.0/of/datapaths
The controller returns the datapath list as compact JSON, which is efficient on the wire but hard to read:
{"datapaths":[{"dpid":"00:00:00:00:00:00:00:01","negotiated_version":"1.0.0","ready":"2013-08-02T20:31:52.993+0000","last_message":"2013-08-03T08:31:34.574+0000","num_buffers":256,"num_tables":255,"device_ip":"192.168.56.7","device_port":36644,"masters":[],"slaves":[],"supported_actions":["output","set_vlan_vid","set_vlan_pcp","strip_vlan","set_dl_src","set_dl_dst","set_nw_src","set_nw_dst","set_nw_tos","set_tp_src","set_tp_dst","enqueue"],"capabilities":["flow_stats","table_stats","port_stats","queue_stats","arp_match_ip"],"num_ports":7},{"dpid":"00:00:00:00:00:00:00:02","negotiated_version":"1.0.0","ready":"2013-08-02T20:31:53.050+0000","last_message":"2013-08-03T08:31:34.576+0000","num_buffers":256,"num_tables":255,"device_ip":"192.168.56.7","device_port":36645,"masters":[],"slaves":[],"supported_actions":["output","set_vlan_vid","set_vlan_pcp","strip_vlan","set_dl_src","set_dl_dst","set_nw_src","set_nw_dst","set_nw_tos","set_tp_src","set_tp_dst","enqueue"],"capabilities":["flow_stats","table_stats","port_stats","queue_stats","arp_match_ip"],"num_ports":7},{"dpid":"00:00:00:00:00:00:00:0b","negotiated_version":"1.0.0","ready":"2013-08-02T20:31:53.172+0000","last_message":"2013-08-03T08:31:34.536+0000","num_buffers":256,"num_tables":255,"device_ip":"192.168.56.7","device_port":36646,"masters":[],"slaves":[],"supported_actions":["output","set_vlan_vid","set_vlan_pcp","strip_vlan","set_dl_src","set_dl_dst","set_nw_src","set_nw_dst","set_nw_tos","set_tp_src","set_tp_dst","enqueue"],"capabilities":["flow_stats","table_stats","port_stats","queue_stats","arp_match_ip"],"num_ports":9},{"dpid":"00:00:00:00:00:00:00:0c","negotiated_version":"1.0.0","ready":"2013-08-02T20:31:53.271+0000","last_message":"2013-08-03T08:31:34.540+0000","num_buffers":256,"num_tables":255,"device_ip":"192.168.56.7","device_port":36647,"masters":[],"slaves":[],"supported_actions":["output","set_vlan_vid","set_vlan_pcp","strip_vlan","set_dl_src","set_dl_dst","set_nw_src","set_nw_dst","set_nw_tos","set_tp_src","set_tp_dst","enqueue"],"capabilities":["flow_stats","table_stats","port_stats","queue_stats","arp_match_ip"],"num_ports":9},{"dpid":"00:00:00:00:00:00:00:0d","negotiated_version":"1.0.0","ready":"2013-08-02T20:31:53.414+0000","last_message":"2013-08-03T08:31:34.543+0000","num_buffers":256,"num_tables":255,"device_ip":"192.168.56.7","device_port":36648,"masters":[],"slaves":[],"supported_actions":["output","set_vlan_vid","set_vlan_pcp","strip_vlan","set_dl_src","set_dl_dst","set_nw_src","set_nw_dst","set_nw_tos","set_tp_src","set_tp_dst","enqueue"],"capabilities":["flow_stats","table_stats","port_stats","queue_stats","arp_match_ip"],"num_ports":9},{"dpid":"00:00:00:00:00:00:00:0e","negotiated_version":"1.0.0","ready":"2013-08-02T20:31:53.539+0000","last_message":"2013-08-03T08:31:34.546+0000","num_buffers":256,"num_tables":255,"device_ip":"192.168.56.7","device_port":36649,"masters":[],"slaves":[],"supported_actions":["output","set_vlan_vid","set_vlan_pcp","strip_vlan","set_dl_src","set_dl_dst","set_nw_src","set_nw_dst","set_nw_tos","set_tp_src","set_tp_dst","enqueue"],"capabilities":["flow_stats","table_stats","port_stats","queue_stats","arp_match_ip"],"num_ports":9}]}sdn@sdndev:~$
Alias for JSON
An alias named pp has been created on the Developer VM. It runs Python's json.tool module, which parses the JSON and re-emits it indented, in an easier to read format:
sdn@sdndev:~$ alias pp
alias pp='python -mjson.tool'
The data can be piped to this alias as follows: sdn@sdndev:~$ curl -sk -H "X-Auth-Token:$token" $UMS/v2.0/of/datapaths | pp { "datapaths": [ { "capabilities": [ "flow_stats", "table_stats", "port_stats", "queue_stats", "arp_match_ip" ], "device_ip": "192.168.56.7", "device_port": 36644, "dpid": "00:00:00:00:00:00:00:01", "last_message": "2013-08-03T08:54:35.886+0000", "masters": [], "negotiated_version": "1.0.0", "num_buffers": 256, "num_ports": 7, "num_tables": 255, "ready": "2013-08-02T20:31:52.993+0000", "slaves": [], "supported_actions": [ "output", "set_vlan_vid", "set_vlan_pcp", "strip_vlan", "set_dl_src", "set_dl_dst", "set_nw_src", "set_nw_dst", "set_nw_tos", "set_tp_src", "set_tp_dst", "enqueue" ] }, { "capabilities": [ "flow_stats", "table_stats", "port_stats", "queue_stats", "arp_match_ip" ], "device_ip": "192.168.56.7", "device_port": 36645, "dpid": "00:00:00:00:00:00:00:02",
"last_message": "2013-08-03T08:54:35.887+0000", "masters": [], "negotiated_version": "1.0.0", "num_buffers": 256, "num_ports": 7, "num_tables": 255, "ready": "2013-08-02T20:31:53.050+0000", "slaves": [], "supported_actions": [ "output", "set_vlan_vid", "set_vlan_pcp", "strip_vlan", "set_dl_src", "set_dl_dst", "set_nw_src", "set_nw_dst", "set_nw_tos", "set_tp_src", "set_tp_dst", "enqueue" ] }, { "capabilities": [ "flow_stats", "table_stats", "port_stats", "queue_stats", "arp_match_ip" ], "device_ip": "192.168.56.7", "device_port": 36646, "dpid": "00:00:00:00:00:00:00:0b", "last_message": "2013-08-03T08:54:35.854+0000", "masters": [], "negotiated_version": "1.0.0", "num_buffers": 256, "num_ports": 9, "num_tables": 255, "ready": "2013-08-02T20:31:53.172+0000", "slaves": [], "supported_actions": [ "output", "set_vlan_vid", "set_vlan_pcp", "strip_vlan", "set_dl_src", "set_dl_dst", "set_nw_src", "set_nw_dst", "set_nw_tos", "set_tp_src", "set_tp_dst", "enqueue" ] }, {
"capabilities": [ "flow_stats", "table_stats", "port_stats", "queue_stats", "arp_match_ip" ], "device_ip": "192.168.56.7", "device_port": 36647, "dpid": "00:00:00:00:00:00:00:0c", "last_message": "2013-08-03T08:54:35.857+0000", "masters": [], "negotiated_version": "1.0.0", "num_buffers": 256, "num_ports": 9, "num_tables": 255, "ready": "2013-08-02T20:31:53.271+0000", "slaves": [], "supported_actions": [ "output", "set_vlan_vid", "set_vlan_pcp", "strip_vlan", "set_dl_src", "set_dl_dst", "set_nw_src", "set_nw_dst", "set_nw_tos", "set_tp_src", "set_tp_dst", "enqueue" ] }, { "capabilities": [ "flow_stats", "table_stats", "port_stats", "queue_stats", "arp_match_ip" ], "device_ip": "192.168.56.7", "device_port": 36648, "dpid": "00:00:00:00:00:00:00:0d", "last_message": "2013-08-03T08:54:35.861+0000", "masters": [], "negotiated_version": "1.0.0", "num_buffers": 256, "num_ports": 9, "num_tables": 255, "ready": "2013-08-02T20:31:53.414+0000", "slaves": [], "supported_actions": [ "output", "set_vlan_vid", "set_vlan_pcp", "strip_vlan", "set_dl_src", "set_dl_dst", "set_nw_src", "set_nw_dst",
"set_nw_tos", "set_tp_src", "set_tp_dst", "enqueue" ] }, { "capabilities": [ "flow_stats", "table_stats", "port_stats", "queue_stats", "arp_match_ip" ], "device_ip": "192.168.56.7", "device_port": 36649, "dpid": "00:00:00:00:00:00:00:0e", "last_message": "2013-08-03T08:54:35.864+0000", "masters": [], "negotiated_version": "1.0.0", "num_buffers": 256, "num_ports": 9, "num_tables": 255, "ready": "2013-08-02T20:31:53.539+0000", "slaves": [], "supported_actions": [ "output", "set_vlan_vid", "set_vlan_pcp", "strip_vlan", "set_dl_src", "set_dl_dst", "set_nw_src", "set_nw_dst", "set_nw_tos", "set_tp_src", "set_tp_dst", "enqueue" ] } ] } sdn@sdndev:~$
List Ports
To list ports, first view the switches in the topology with the command:
sdn@sdndev:~$ curl -sk -H "X-Auth-Token:$token" $UMS/v2.0/of/datapaths
Figure 3: Listing ports
Use the dpid value from the output (in this case 00:00:00:00:00:00:00:01) in the next command:
sdn@sdndev:~$ curl -sk -H "X-Auth-Token:$token" $UMS/v2.0/of/datapaths/00:00:00:00:00:00:00:01/ports
{"version":"1.0.0","ports":[{"id":1,"name":"s1-eth1","mac":"9a:fe:fe:c2:50:29","config":[],"state":["stp_listen"],"current_features":["rate_10gb_fd","copper"],"advertised_features":[],"supported_features":[],"peer_features":[]},{"id":2,"name":"s1-eth2","mac":"a2:6a:8c:b6:03:90","config":[],"state":["stp_listen"],"current_features":["rate_10gb_fd","copper"],"advertised_features":[],"supported_features":[],"peer_features":[]},{"id":3,"name":"s1-eth3","mac":"0e:84:8a:73:3e:65","config":[],"state":["stp_listen"],"current_features":["rate_10gb_fd","copper"],"advertised_features":[],"supported_features":[],"peer_features":[]},{"id":4,"name":"s1-eth4","mac":"22:1b:4a:cc:95:1f","config":[],"state":["stp_listen"],"current_features":["rate_10gb_fd","copper"],"advertised_features":[],"supported_features":[],"peer_features":[]},{"id":5,"name":"s1-eth5","mac":"12:36:a8:68:6f:ca","config":[],"state":["stp_listen"],"current_features":["rate_10gb_fd","copper"],"advertised_features":[],"supported_features":[],"peer_features":[]},{"id":6,"name":"s1-eth6","mac":"7e:40:eb:55:9e:3b","config":[],"state":["stp_listen"],"current_features":["rate_10gb_fd","copper"],"advertised_features":[],"supported_features":[],"peer_features":[]},{"id":4294967294,"name":"s1","mac":"46:cd:e3:40:3d:45","config":["port_down"],"state":["link_down","stp_listen"],"current_features":[],"advertised_features":[],"supported_features":[],"peer_features":[]}]}sdn@sdndev:~$
This displays the port information of the switch with datapath ID (DPID) 00:00:00:00:00:00:00:01. The DPID is the switch's OpenFlow identifier, not a MAC address, although on Open vSwitch and Mininet switches it is often derived from one. The entry with id 4294967294 and the name of the switch itself (s1) is the switch's local port, which is why it reports port_down and link_down.
List Links
Links can be viewed with the links option: sdn@sdndev:~$ curl -sk -H "X-Auth-Token:$token" $UMS/v2.0/net/links | pp { "links": [ { "dst_dpid": "00:00:00:00:00:00:00:02", "dst_port": 1, "src_dpid": "00:00:00:00:00:00:00:01", "src_port": 1 }, { "dst_dpid": "00:00:00:00:00:00:00:0c", "dst_port": 1, "src_dpid": "00:00:00:00:00:00:00:01", "src_port": 4 }, { "dst_dpid": "00:00:00:00:00:00:00:02", "dst_port": 3, "src_dpid": "00:00:00:00:00:00:00:0b", "src_port": 2 }, { "dst_dpid": "00:00:00:00:00:00:00:0e", "dst_port": 2, "src_dpid": "00:00:00:00:00:00:00:02", "src_port": 6 }, { "dst_dpid": "00:00:00:00:00:00:00:0b", "dst_port": 1,
"src_dpid": "00:00:00:00:00:00:00:01", "src_port": 3 }, { "dst_dpid": "00:00:00:00:00:00:00:02", "dst_port": 2, "src_dpid": "00:00:00:00:00:00:00:01", "src_port": 2 }, { "dst_dpid": "00:00:00:00:00:00:00:0c", "dst_port": 2, "src_dpid": "00:00:00:00:00:00:00:02", "src_port": 4 }, { "dst_dpid": "00:00:00:00:00:00:00:01", "dst_port": 5, "src_dpid": "00:00:00:00:00:00:00:0d", "src_port": 1 }, { "dst_dpid": "00:00:00:00:00:00:00:02", "dst_port": 4, "src_dpid": "00:00:00:00:00:00:00:0c", "src_port": 2 }, { "dst_dpid": "00:00:00:00:00:00:00:0d", "dst_port": 1, "src_dpid": "00:00:00:00:00:00:00:01", "src_port": 5 }, { "dst_dpid": "00:00:00:00:00:00:00:01", "dst_port": 6, "src_dpid": "00:00:00:00:00:00:00:0e", "src_port": 1 }, { "dst_dpid": "00:00:00:00:00:00:00:01", "dst_port": 2, "src_dpid": "00:00:00:00:00:00:00:02", "src_port": 2 }, { "dst_dpid": "00:00:00:00:00:00:00:01", "dst_port": 4, "src_dpid": "00:00:00:00:00:00:00:0c", "src_port": 1 }, { "dst_dpid": "00:00:00:00:00:00:00:0b", "dst_port": 2, "src_dpid": "00:00:00:00:00:00:00:02", "src_port": 3 }, {
"dst_dpid": "00:00:00:00:00:00:00:02", "dst_port": 5, "src_dpid": "00:00:00:00:00:00:00:0d", "src_port": 2 }, { "dst_dpid": "00:00:00:00:00:00:00:01", "dst_port": 1, "src_dpid": "00:00:00:00:00:00:00:02", "src_port": 1 }, { "dst_dpid": "00:00:00:00:00:00:00:02", "dst_port": 6, "src_dpid": "00:00:00:00:00:00:00:0e", "src_port": 2 }, { "dst_dpid": "00:00:00:00:00:00:00:0d", "dst_port": 2, "src_dpid": "00:00:00:00:00:00:00:02", "src_port": 5 }, { "dst_dpid": "00:00:00:00:00:00:00:0e", "dst_port": 1, "src_dpid": "00:00:00:00:00:00:00:01", "src_port": 6 }, { "dst_dpid": "00:00:00:00:00:00:00:01", "dst_port": 3, "src_dpid": "00:00:00:00:00:00:00:0b", "src_port": 1 } ] } sdn@sdndev:~$
Nodes can be listed with the nodes option: sdn@sdndev:~$ curl -sk -H "X-Auth-Token:$token" $UMS/v2.0/net/nodes | pp { "nodes": [ { "dpid": "00:00:00:00:00:00:00:0e", "ip": "10.0.0.21", "mac": "aa:c0:1a:4b:ed:3a", "port": 5, "vid": 0 }, { "dpid": "00:00:00:00:00:00:00:0e", "ip": "10.0.0.23", "mac": "66:60:66:de:40:fb", "port": 7, "vid": 0 }, { "dpid": "00:00:00:00:00:00:00:0b", "ip": "10.0.0.4", "mac": "ee:d9:4a:e8:bc:6f",
"port": 6, "vid": 0 }, { "dpid": "00:00:00:00:00:00:00:0c", "ip": "10.0.0.8", "mac": "de:d5:eb:77:9c:dc", "port": 4, "vid": 0 }, { "dpid": "00:00:00:00:00:00:00:0c", "ip": "10.0.0.7", "mac": "b2:9f:04:52:75:46", "port": 3, "vid": 0 }, { "dpid": "00:00:00:00:00:00:00:0d", "ip": "10.0.0.17", "mac": "e2:84:60:7e:9d:9e", "port": 7, "vid": 0 }, { "dpid": "00:00:00:00:00:00:00:0d", "ip": "10.0.0.16", "mac": "76:f1:2e:b0:8b:3d", "port": 6, "vid": 0 }, { "dpid": "00:00:00:00:00:00:00:0e", "ip": "10.0.0.19", "mac": "a6:df:42:53:fe:ca", "port": 3, "vid": 0 }, { "dpid": "00:00:00:00:00:00:00:0b", "ip": "10.0.0.3", "mac": "3e:fb:01:07:5f:69", "port": 5, "vid": 0 }, { "dpid": "00:00:00:00:00:00:00:0c", "ip": "10.0.0.11", "mac": "ae:8d:b4:a0:b3:90", "port": 7, "vid": 0 }, { "dpid": "00:00:00:00:00:00:00:0e", "ip": "10.0.0.24", "mac": "ae:ff:1b:8a:17:13", "port": 8, "vid": 0
}, { "dpid": "00:00:00:00:00:00:00:0b", "ip": "10.0.0.2", "mac": "e2:3b:19:e6:49:67", "port": 4, "vid": 0 }, { "dpid": "00:00:00:00:00:00:00:0b", "ip": "10.0.0.5", "mac": "1a:63:ef:9d:f1:f5", "port": 7, "vid": 0 }, { "dpid": "00:00:00:00:00:00:00:0c", "ip": "10.0.0.12", "mac": "d6:a7:81:a2:5d:dc", "port": 8, "vid": 0 }, { "dpid": "00:00:00:00:00:00:00:0d", "ip": "10.0.0.15", "mac": "0e:85:e2:f3:5c:05", "port": 5, "vid": 0 }, { "dpid": "00:00:00:00:00:00:00:0e", "ip": "10.0.0.22", "mac": "e6:3e:a7:bc:31:bf", "port": 6, "vid": 0 }, { "dpid": "00:00:00:00:00:00:00:0c", "ip": "10.0.0.10", "mac": "0e:18:d9:74:67:41", "port": 6, "vid": 0 }, { "dpid": "00:00:00:00:00:00:00:0e", "ip": "10.0.0.20", "mac": "96:ac:76:57:05:9f", "port": 4, "vid": 0 }, { "dpid": "00:00:00:00:00:00:00:0b", "ip": "10.0.0.1", "mac": "1a:ee:00:b5:9e:99", "port": 3, "vid": 0 }, { "dpid": "00:00:00:00:00:00:00:0d", "ip": "10.0.0.14", "mac": "fe:48:1f:a4:1a:d3",
"port": 4, "vid": 0 }, { "dpid": "00:00:00:00:00:00:00:0d", "ip": "10.0.0.18", "mac": "36:4c:10:72:cd:04", "port": 8, "vid": 0 }, { "dpid": "00:00:00:00:00:00:00:0d", "ip": "10.0.0.13", "mac": "ae:10:c3:59:10:c3", "port": 3, "vid": 0 }, { "dpid": "00:00:00:00:00:00:00:0b", "ip": "10.0.0.6", "mac": "96:71:ac:b4:b4:c2", "port": 8, "vid": 0 }, { "dpid": "00:00:00:00:00:00:00:0c", "ip": "10.0.0.9", "mac": "6e:1e:ab:46:c3:86", "port": 5, "vid": 0 } ] } sdn@sdndev:~$
RSdoc GUI
RSdoc is the SDN Controller's online documentation tool.

API Discovery
Navigate to the Controller on port 8443
APIs can be discovered by navigating to the controller on port 8443: the controller displays a list of the available APIs. Even though the v1.0 APIs appear in the list, they are no longer supported.
Note: in the Google Chrome browser there is an extension called JSONView that displays the output of these pages in a more human-readable format.
Figure 4: Available APIs
Navigate to 192.168.56.7:8080/sdn/v2.0
Navigating to 192.168.56.7:8080/sdn/v2.0 displays the SDN v2.0 APIs available.
It is possible to follow the URIs and do API discovery; this is a self-describing API.
Three entries are listed:
• /sdn/v2.0
• /sdn/v2.0/models
• /api
Figure 5: Available v2 APIs
Navigate to 192.168.56.7:8080/sdn/v2.0/models
The models option describes the formats and fields available. This lets you see, for example, the correct JSON layout, or the fields required to push a flow.
This information is described by the models API, which uses JSON Schema draft 4 from the IETF.
There are three sets of models. The core model set, described under /sdn/v2.0, lists the properties and required fields for an object called alert, among others.
Figure 6: Models option
OpenFlow Schema
The OpenFlow schema is described at /sdn/v2.0/of.
Properties and options, with their formats (such as the datapath format), can be seen here.
Thus, when formulating the JSON for a request, look at the schema first and then at the API. The API information can be found in RSdoc.
Figure 7: OpenFlow schema
RSDoc Discovery
To view RSdoc information, navigate to 192.168.56.7:8443/api/
RSdoc is the SDN Controller's online documentation tool. It provides a catalog of all the APIs.
Figure 8: API Catalog
The next figure is an example viewing information about the /datapaths API.
Implementation notes, parameters and other useful information are displayed.
Clicking the “Try it out!” button allows you to test this functionality.
Figure 9: Information viewing example
In this case the response is a 401 error: the request carried no valid token, so authentication failed.
REST APIs report the outcome of a request through the HTTP status code, and the body may carry little or no detail beyond it, so it pays to know the ranges:
Values in the 200 range (2XX) mean success.
Values in the 400 range (4XX) mean the client's request was rejected: for example 400 when the request itself is bad (the JSON may be malformed), 401 when the token is missing, expired or invalid, and 404 when the path does not exist. Codes in the 500 range (5XX) mean a server-side error; the next step is to look at the controller's server log for more information.
Figure 10: Failed authentication
Insert an error
Error information can also be viewed in curl. The -i flag prints the response headers, including the status line, and "| more" pages the output.
In this case the -H option was mistyped as 0H, so curl no longer saw a header option: it treated 0H, the X-Auth-Token string and the controller URL as three separate URLs to fetch. The token was therefore never sent as a header, and the request to the controller at the end of the output fails with HTTP/1.1 401 Unauthorized. The HTML and script before it is the page returned for the bogus hostname X-Auth-Token (note the FailedURI=http%3A%2F%2FX-Auth-Token%2F value). A typo like this also hands the token to curl as a URL rather than a header, so before running a pasted command with a live token, check that the token is still attached to -H.
sdn@sdndev:~$ curl -ski 0H "X-Auth-Token:$token" $UMS/v2.0/of/datapaths | more
&FailedURI=http%3A%2F%2FX-Auth-Token%2F&AddInType=4&Version=2.1.8-1.90base&Referer=&Implementation=0";if(top.location!=location){var w=window,d=document,e=d.documentElement,b=d.body,x=w.innerWidth||e.clientWidth||b.clientWidth,y=w.innerHeight||e.clientHeight||b.clientHeight;url+="&w="+x+"&h="+y;}window.location.replace(url);</script></head><body></body></html>HTTP/1.1 401 Unauthorized
Previously created Token
The previously stored token can be retrieved using the “echo $token” command: sdn@sdndev:~$ echo $token 6de0eeb533974b649e64d849ecd37cd9
The token can also be retrieved via RSDoc:
Figure 11: Token retrieval
The request body {"login":{"user":"sdn","password":"skyline","domain":"sdn"}} can be submitted to send a username and password to the controller and retrieve a token.
A 200 response code indicates that the request succeeded.
The token can then be copied from the response.
The token can now be pasted into the "X-Auth-Token" box within RSdoc and used for subsequent API calls. The token is valid for 24 hours.
Figure 12: Token configuration
Datapath information will now be available, as the token has been sent correctly.
Figure 13: Successful authentication
Information regarding /datapaths is displayed in RSdoc in a similar way to what was displayed when using CURL.
Figure 14: Datapath information displayed in RSDoc
View headers
To view the actual request and response headers and other development information, select Tools / Developer Tools on the browser menu.
Figure 15: Header display request
Detailed information can be viewed here, including the token sent to the controller for authentication. Because the token is shown in the clear, treat screenshots of this view as sensitive.
Figure 16: Header information
Flow Manipulation via curl
In the network depicted in the next Figure, HTTP traffic from h11 (10.0.0.1) to h44 (10.0.0.22) takes the path via core switch s2 (datapath 00:00:00:00:00:00:00:02) by default. This flow can be steered through s1 (datapath 00:00:00:00:00:00:00:01) instead.
Figure 17: Shortest path
Flows can be manipulated directly from curl. Rather than typing the JSON bodies by hand, they can be stored in files and passed to curl with -d @file.
Send web traffic between h11 and h44 via a path through core switch s1
A file (0e.json) is part of the provided VM. It will need to be copied and edited to create the flow files for the other switches.
Navigate to the samples folder:
sdn@sdndev:~$ cd ~/Downloads/samples/
View the files. 0e.json should be in the directory; if not, create it manually with the content shown below.
sdn@sdndev:~/Downloads/samples$ ls
0e.json problem-apps.tar sdn-of-demo.tar
The contents of the file can be viewed using cat (concatenate files and print):
sdn@sdndev:~/Downloads/samples$ cat 0e.json
{
  "flow": {
    "priority": 30000,
    "idle_timeout": 30,
    "match": [
      {"eth_type": "ipv4"},
      {"ipv4_src": "10.0.0.1"},
      {"ipv4_dst": "10.0.0.22"},
      {"ip_proto": "tcp"},
      {"tcp_dst": "80"}
    ],
    "actions": [{"output": 6}]
  }
}
sdn@sdndev:~/Downloads/samples$
In the file, the priority and idle timeout can be seen. The match selects TCP traffic to destination port 80 (HTTP) from 10.0.0.1 to 10.0.0.22, and the action sends it out of port 6. A high priority makes this entry win over lower-priority entries that match the same traffic, and the idle timeout removes it once the traffic stops, so a test flow does not linger indefinitely.
Plan web traffic path between h11 and h44 through spine switch s1
The only file provided is 0e.json. Copy it, then edit the copies in the GNOME editor (gedit):
Go to the samples directory:
sdn@sdndev:~$ cd ~/Downloads/samples/
List files:
sdn@sdndev:~/Downloads/samples$ ls
0e.json problem-apps.tar sdn-of-demo.tar
Make copies:
sdn@sdndev:~/Downloads/samples$ cp 0e.json 01.json
sdn@sdndev:~/Downloads/samples$ cp 0e.json 0b.json
List files:
sdn@sdndev:~/Downloads/samples$ ls
01.json 0b.json 0e.json problem-apps.tar sdn-of-demo.tar
Open the GNOME editor:
sdn@sdndev:~/Downloads/samples$ gedit 0e.json 01.json 0b.json
Default Path
Switch 0b sends this traffic out of port 2 (towards s2) by default. To steer it through s1, 0b.json sets the output to port 1, which is 0b's link to s1 (see the /net/links output above).
The contents of the 0b.json file can be viewed using cat:
sdn@sdndev:~/Downloads/samples$ cat 0b.json
{
  "flow": {
    "priority": 30000,
    "idle_timeout": 60,
    "match": [
      {"eth_type": "ipv4"},
      {"ipv4_src": "10.0.0.1"},
      {"ipv4_dst": "10.0.0.22"},
      {"ip_proto": "tcp"},
      {"tcp_dst": "80"}
    ],
    "actions": [{"output": 1}]
  }
}
sdn@sdndev:~/Downloads/samples$
Figure 18: Flow can be changed to port 1
Switch 01 does not receive HTTP traffic from 10.0.0.1 to 10.0.0.22 by default.
Once 0b forwards the traffic to core switch 01, 01 must send it out of port 6, which is its link to 0e.
The contents of the 01.json file can be viewed using cat:
sdn@sdndev:~/Downloads/samples$ cat 01.json
{
  "flow": {
    "priority": 30000,
    "idle_timeout": 60,
    "match": [
      {"eth_type": "ipv4"},
      {"ipv4_src": "10.0.0.1"},
      {"ipv4_dst": "10.0.0.22"},
      {"ip_proto": "tcp"},
      {"tcp_dst": "80"}
    ],
    "actions": [{"output": 6}]
  }
}
sdn@sdndev:~/Downloads/samples$
24
HP SDN REST API and Security
Figure 19: Flow can be changed to port 6
Switch 0e sends traffic to h44 (10.0.0.22) via port 6 by default. When a flow is set up to send the traffic through core switch 01 and it is received by 0e, switch 0e must still send the HTTP traffic out of port 6, so its flow keeps the same output port. The contents of the 0e.json file can be viewed using cat:

sdn@sdndev:~/Downloads/samples$ cat 0e.json
{
  "flow": {
    "priority": 30000,
    "idle_timeout": 60,
    "match": [
      {"eth_type": "ipv4"},
      {"ipv4_src": "10.0.0.1"},
      {"ipv4_dst": "10.0.0.22"},
      {"ip_proto": "tcp"},
      {"tcp_dst": "80"}
    ],
    "actions": [{"output": 6}]
  }
}
sdn@sdndev:~/Downloads/samples$

Figure 20: Flow must stay on port 6
Re-route web traffic between h11 and h44 through spine switch 01

Modify 0b via REST API

Use the following command to add the flow to switch 0b:

sdn@sdndev:~/Downloads/samples$ curl -sk -H "X-Auth-Token:$token" -X POST -H 'Content-Type:application/json' -d @0b.json $UMS/v2.0/of/datapaths/00:00:00:00:00:00:00:0b/flows

Note that -k tells curl to accept the controller's TLS certificate without verifying it. That is convenient with the lab's self-signed certificate, but outside the lab the controller's CA certificate should be passed with --cacert instead, otherwise the X-Auth-Token can be captured by anyone able to impersonate the controller on the network.

To see the response headers, add the "i" flag (-sik rather than -sk):

sdn@sdndev:~/Downloads/samples$ curl -sik -H "X-Auth-Token:$token" -X POST -H 'Content-Type:application/json' -d @0b.json $UMS/v2.0/of/datapaths/00:00:00:00:00:00:00:0b/flows
HTTP/1.1 201 Created
Server: Apache-Coyote/1.1
Location: https://192.168.56.7:8443/sdn/v2.0/of/datapaths/00:00:00:00:00:00:00:0b/flows
Cache-Control: no-cache, no-store, no-transform, must-revalidate
Expires: Sat, 03 Aug 2013 16:45:50 GMT
Access-Control-Allow-Origin: *
Access-Control-Allow-Methods: GET, POST, PUT, HEAD, PATCH
Access-Control-Allow-Headers: Content-Type, Accept, X-Auth-Token
Content-Type: application/json
Content-Length: 0
Date: Sat, 03 Aug 2013 16:45:50 GMT
sdn@sdndev:~/Downloads/samples$

The 201 Created status with an empty body is the success response; the flow has been installed on datapath 0b.
To start a web server on h44 listening on TCP port 80, use the following command:

mininet> h44 python -m SimpleHTTPServer 80 &

To send HTTP traffic from h11 to h44, use the following command:

mininet> h11 wget http://10.0.0.22/
--2013-08-03 09:47:23--  http://10.0.0.22/
Connecting to 10.0.0.22:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 598 [text/html]
Saving to: `index.html.21'

     0K                                                       100%  965K=0.001s

2013-08-03 09:47:23 (965 KB/s) - `index.html.21' saved [598/598]

mininet>
Figure 21: Flow routed to port 1 on switch 0b
A path has now been added to 0b. HTTP traffic (TCP port 80) now uses port 1 on 0b. This traffic is sent to switch 01. However, switch 01 requires a flow path for the traffic.
Modify S1 (switch 01) via REST API

Use the following command to add the flow to switch 01:

sdn@sdndev:~/Downloads/samples$ curl -sk -H "X-Auth-Token:$token" -X POST -H 'Content-Type:application/json' -d @01.json $UMS/v2.0/of/datapaths/00:00:00:00:00:00:00:01/flows
sdn@sdndev:~/Downloads/samples$

To see the response headers, add the "i" flag (-sik rather than -sk):

sdn@sdndev:~/Downloads/samples$ curl -sik -H "X-Auth-Token:$token" -X POST -H 'Content-Type:application/json' -d @01.json $UMS/v2.0/of/datapaths/00:00:00:00:00:00:00:01/flows
HTTP/1.1 201 Created
Server: Apache-Coyote/1.1
Location: https://192.168.56.7:8443/sdn/v2.0/of/datapaths/00:00:00:00:00:00:00:01/flows
Cache-Control: no-cache, no-store, no-transform, must-revalidate
Expires: Sat, 03 Aug 2013 16:51:40 GMT
Access-Control-Allow-Origin: *
Access-Control-Allow-Methods: GET, POST, PUT, HEAD, PATCH
Access-Control-Allow-Headers: Content-Type, Accept, X-Auth-Token
Content-Type: application/json
Content-Length: 0
Date: Sat, 03 Aug 2013 16:51:40 GMT

To send HTTP traffic from h11 to h44, use the following command:

mininet> h11 wget http://10.0.0.22/
--2013-08-03 09:47:23--  http://10.0.0.22/
Connecting to 10.0.0.22:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 598 [text/html]
Saving to: `index.html.21'

     0K                                                       100%  965K=0.001s

2013-08-03 09:47:23 (965 KB/s) - `index.html.21' saved [598/598]

mininet>
Figure 22: Flow routed to port 6 on switch 01
A path has now been added to switch 01. HTTP traffic (TCP port 80) now uses port 6 on switch 01. This traffic is sent to switch 0e.
Modify S14 (switch 0e) via REST API

Use the following command to add the flow to switch 0e:

sdn@sdndev:~/Downloads/samples$ curl -sk -H "X-Auth-Token:$token" -X POST -H 'Content-Type:application/json' -d @0e.json $UMS/v2.0/of/datapaths/00:00:00:00:00:00:00:0e/flows
sdn@sdndev:~/Downloads/samples$

To see the response headers, add the "i" flag (-sik rather than -sk):

sdn@sdndev:~/Downloads/samples$ curl -sik -H "X-Auth-Token:$token" -X POST -H 'Content-Type:application/json' -d @0e.json $UMS/v2.0/of/datapaths/00:00:00:00:00:00:00:0e/flows
HTTP/1.1 201 Created
Server: Apache-Coyote/1.1
Location: https://192.168.56.7:8443/sdn/v2.0/of/datapaths/00:00:00:00:00:00:00:0e/flows
Cache-Control: no-cache, no-store, no-transform, must-revalidate
Expires: Sat, 03 Aug 2013 16:55:17 GMT
Access-Control-Allow-Origin: *
Access-Control-Allow-Methods: GET, POST, PUT, HEAD, PATCH
Access-Control-Allow-Headers: Content-Type, Accept, X-Auth-Token
Content-Type: application/json
Content-Length: 0
Date: Sat, 03 Aug 2013 16:55:17 GMT

To send HTTP traffic from h11 to h44, use the following command:

mininet> h11 wget http://10.0.0.22/
--2013-08-03 09:47:23--  http://10.0.0.22/
Connecting to 10.0.0.22:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 598 [text/html]
Saving to: `index.html.21'

     0K                                                       100%  965K=0.001s

2013-08-03 09:47:23 (965 KB/s) - `index.html.21' saved [598/598]

mininet>
Figure 23: Flow routed to port 6 on switch 0e
A path has now been added to switch 0e. HTTP traffic (TCP port 80) now uses port 6 on switch 0e. This traffic is sent to h44.
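The three POSTs above differ only in the datapath id and the JSON file, and the three JSON files differ only in the output port, so the whole re-route (and the hand editing of 0e.json copies before it) can be scripted. The following POSIX shell script is an added example and is not part of the HP guide: it builds each flow body from parameters, posts it to the matching datapath, refuses to run without a token, and checks for the 201 Created seen above. It assumes $UMS and $token are exported as earlier in this guide; CA_BUNDLE is an assumed optional variable that switches curl from -k to --cacert.

```shell
#!/bin/sh
# Added example, not from the HP guide. Assumes $UMS (e.g. https://192.168.56.7:8443/sdn)
# and $token are already exported. CA_BUNDLE is an assumed optional variable.

# The path from the guide: switch 0b -> port 1, switch 01 -> port 6, switch 0e -> port 6.
ROUTE="0b:1 01:6 0e:6"

# dpid 0b -> 00:00:00:00:00:00:00:0b (the datapath id used in the REST URL).
dpid() {
  printf '00:00:00:00:00:00:00:%s' "$1"
}

# flow_url 0b -> $UMS/v2.0/of/datapaths/00:00:00:00:00:00:00:0b/flows
flow_url() {
  printf '%s/v2.0/of/datapaths/%s/flows' "$UMS" "$(dpid "$1")"
}

# flow_json SRC DST TCP_DST_PORT OUTPUT_PORT [IDLE_TIMEOUT]
# Same structure as the guide's 0e.json: match IPv4 TCP traffic SRC->DST:PORT,
# priority 30000, and send it out of OUTPUT_PORT. Idle timeout defaults to 60 s.
flow_json() {
  printf '{"flow":{"priority":30000,"idle_timeout":%s,"match":[{"eth_type":"ipv4"},{"ipv4_src":"%s"},{"ipv4_dst":"%s"},{"ip_proto":"tcp"},{"tcp_dst":"%s"}],"actions":[{"output":%s}]}}' \
    "${5:-60}" "$1" "$2" "$3" "$4"
}

# push_flow SWITCH BODY: POST the flow and print only the HTTP status code.
push_flow() {
  sw=$1; body=$2
  [ -n "${token:-}" ] || { echo "no X-Auth-Token; run the login step first" >&2; return 1; }
  # The guide uses -k for the lab's self-signed certificate. When CA_BUNDLE
  # (assumed variable) is set, verify the controller's certificate instead.
  if [ -n "${CA_BUNDLE:-}" ]; then set -- --cacert "$CA_BUNDLE"; else set -- -k; fi
  curl -s "$@" -o /dev/null -w '%{http_code}' \
    -H "X-Auth-Token:$token" -H 'Content-Type:application/json' \
    -X POST -d "$body" "$(flow_url "$sw")"
}

# reroute: install the TCP/80 flow on every switch in ROUTE, stopping at the
# first switch that does not answer 201 Created (a half-installed path would
# black-hole the traffic at that switch).
reroute() {
  for entry in $ROUTE; do
    sw=${entry%%:*}; port=${entry##*:}
    code=$(push_flow "$sw" "$(flow_json 10.0.0.1 10.0.0.22 80 "$port")") || return 1
    echo "switch $sw -> port $port: HTTP $code"
    [ "$code" = 201 ] || { echo "flow push to $sw failed (HTTP $code)" >&2; return 1; }
  done
}

if [ "${1:-}" = run ]; then reroute; fi
```

Run it as `sh reroute.sh run` after exporting $UMS and $token. Changing ROUTE (or the arguments to flow_json) is all that is needed to steer a different flow along a different path, which is why the token that authorises these calls deserves the same protection as a switch console password.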
Verifying the new path using Follow Flow

The Follow Flow information shows that TCP destination port 80 (HTTP) traffic is sent out of:
• port 1 on switch 0b
• port 6 on switch 01
• port 6 on switch 0e
Figure 24: switch 0b flow table
Figure 25: switch 01 flow table
Figure 26: switch 0e flow table
These last three graphics show that Web traffic using TCP port 80 has been rerouted to switch 01. However, as shown in the following graphic, Web traffic with TCP port 8080 is still using the original path.
Figure 27: TCP port 8080 traffic uses the original path
After these tests the web server on h44 can be shut down:

mininet> h44 kill %python
Keystone

Keystone is an OpenStack project that provides identity, token, catalog and policy services for use specifically by projects in the OpenStack family. It implements OpenStack's Identity API.
The HP SDN Controller uses Keystone for user authentication.
Other OpenStack projects include:
• Glance (OpenStack Image Registry and Delivery Service), which is a project that provides services for discovering, registering, and retrieving virtual machine images. Glance has a RESTful API that allows querying of VM image metadata as well as retrieval of the actual image.
• Nova - this is the project name for OpenStack Compute, a cloud computing fabric controller, the main part of an IaaS system. Individuals and organizations can use Nova to host and manage their own cloud computing systems. Nova originated as a project out of NASA Ames Research Laboratory.
Keystone is written in Python. The keystone command-line client is installed on the controller by default and is what the following sections use.

See where the keystone client is installed (the ls output is the sdn user's home directory on the controller VM):

sdn@sdnctl:~$ which keystone
/usr/bin/keystone
sdn@sdnctl:~$ ls
bin             count-flows    get           post       short-detour  tt.py
delete          long-detour-1  put           tower.py   web-login
delete-bridges  long-detour-2  settings.xml  tower.pyc  web-logout
Setup for short-hand usage
Before Keystone can be used, a couple of Keystone environment variables need to be defined:

sdn@sdnctl:~$ export SERVICE_TOKEN=ADMIN
sdn@sdnctl:~$ export SERVICE_ENDPOINT=http://127.0.0.1:35357/v2.0
These have already been set up in the provided VMs.
To view or check that the environment variables have been configured, use the following command:

sdn@sdnctl:~$ env | grep SERVICE
SERVICE_ENDPOINT=http://127.0.0.1:35357/v2.0
SERVICE_TOKEN=ADMIN
sdn@sdnctl:~$

The endpoint is the URL of the Keystone v2 admin API (port 35357). The service token is not a user account: it is Keystone's admin token, a shared secret from the Keystone configuration that lets the keystone client perform administrative operations without logging in as any user. Its value on the provided VMs is ADMIN, and it can be changed in Keystone. Because anyone who can reach the admin endpoint with this token has full control over users, tenants and roles, it should be changed from the default on any controller that is not a throwaway lab, and the endpoint should stay bound to the loopback address as shown here.
List tenants, users and roles
The simplest way to authenticate a user is to ask for credentials (login and password, login and keys, etc.) and check them against a database. But with many separate services, as in the OpenStack world, this has to be rethought. The main problem is the inability to use one user entity to be authorized everywhere. For example, a user expects Nova to take their credentials and create or fetch images in Glance or set up networks in Quantum. This cannot be done without a central authentication and authorization system.
Keystone is intended to incorporate all common information about users and their capabilities across other services, along with a list of these services themselves.
The first such object is the user. Users represent someone or something that can gain access through Keystone. Users come with credentials that can be checked, such as passwords or API keys.

The second is the tenant. It represents what is called the project in Nova, meaning something that aggregates a number of resources in each service. For example, a tenant can have some machines in Nova, a number of images in Swift/Glance, and a couple of networks in Quantum. Users are bound to a tenant by assigning them a role on that tenant.

The third and last authorization-related kind of object is the role. A role represents a number of privileges or rights a user has, or actions they are allowed to perform. For example, a user who has an 'Admin' role can take admin actions such as viewing all tenants. Users can be added to any role either globally or in a tenant. In the first case, the user gains the access implied by the role to the resources in all tenants; in the second case, their access is limited to the resources of the corresponding tenant. For example, a user can be an operator of all tenants and an admin of their own playground.
To list tenants on the HP SDN controller, use the following command:
sdn@sdnctl:~$ keystone tenant-list
+----------------------------------+------+---------+
| id                               | name | enabled |
+----------------------------------+------+---------+
| 0c472db05cb14025808fd20cb7af2fa1 | sdn  | True    |
+----------------------------------+------+---------+
sdn@sdnctl:~$

A single tenant called sdn has been created; all controller users belong to it.

To view users, use the user-list option. By default, two usernames are created:
rsdoc: for use with RSdoc
sdn: the default user of the controller, with password skyline

sdn@sdnctl:~$ keystone user-list
+----------------------------------+-------+---------+-------+
| id                               | name  | enabled | email |
+----------------------------------+-------+---------+-------+
| 1cda5d05c628443eaf553dfebc718f8a | sdn   | True    |       |
| 9b8770833d5c48f5ae2b4d4b1771e9e9 | rsdoc | True    |       |
+----------------------------------+-------+---------+-------+
sdn@sdnctl:~$

To view roles, use the role-list option. Two roles are created by default:
sdn-user: only has read access
sdn-admin: has read and write access

The SDN Controller only has these two basic roles. However, applications written for use with the controller could have multiple roles; those would be configured as part of the application.

sdn@sdnctl:~$ keystone role-list
+----------------------------------+-----------+
| id                               | name      |
+----------------------------------+-----------+
| 94f20a7ddf314a1abb6bd79b3c76baa9 | sdn-user  |
| d0aefe85f3104a23b6af16a91539ee7f | sdn-admin |
+----------------------------------+-----------+
sdn@sdnctl:~$
For more information, please go to:
http://docs.openstack.org/essex/openstack-compute/starter/content/Listing_Tenants_Users_Roles-d1e462.html
Change password
To update a user password, use the following command:

keystone user-password-update --pass newpass $uid

Note that a password given on the command line with --pass is written to the shell history and is visible to other local users in the process list while the command runs, so do this from an interactive session rather than a script, and clear the history entry afterwards.

To find the user id, use the command "keystone user-list":

sdn@sdnctl:~$ keystone user-list
+----------------------------------+-------+---------+-------+
| id                               | name  | enabled | email |
+----------------------------------+-------+---------+-------+
| 1cda5d05c628443eaf553dfebc718f8a | sdn   | True    |       |
| 9b8770833d5c48f5ae2b4d4b1771e9e9 | rsdoc | True    |       |
+----------------------------------+-------+---------+-------+
For the user “sdn”, the following command would change the password to “skyline2”: sdn@sdnctl:~$ keystone user-password-update --pass skyline2 1cda5d05c628443eaf553dfebc718f8a
The new password could now be used for example to login to the GUI.
Create a new user
In this example, a new user “alice” will be created.
The tenant id is shown using the following command, and is then passed to user-create:

sdn@sdnctl:~$ keystone tenant-list
+----------------------------------+------+---------+
| id                               | name | enabled |
+----------------------------------+------+---------+
| 0c472db05cb14025808fd20cb7af2fa1 | sdn  | True    |
+----------------------------------+------+---------+
sdn@sdnctl:~$
sdn@sdnctl:~$ keystone user-create --name alice --tenant-id 0c472db05cb14025808fd20cb7af2fa1 --pass skyline
+----------+-------------------------------------------------------------------------------------------------------------------------+
| Property | Value                                                                                                                   |
+----------+-------------------------------------------------------------------------------------------------------------------------+
| email    |                                                                                                                         |
| enabled  | True                                                                                                                    |
| id       | a6f5428cbd1241b68512afdd99ce78d5                                                                                        |
| name     | alice                                                                                                                   |
| password | $6$rounds=40000$Z5ZrW1VvwlZaVHuG$nUN4WKuXXc2jP.9AidBC9sO2YUGK6ldby.ArycqZyi81JnHctfG/qOZiwLiSxCcOZuEFlqmElBRORPHJan8nI1 |
| tenantId | 0c472db05cb14025808fd20cb7af2fa1                                                                                        |
+----------+-------------------------------------------------------------------------------------------------------------------------+
sdn@sdnctl:~$

The password property is the stored SHA-512 crypt hash, not the password itself; the client echoes it back, so keep this output out of logs and tickets all the same.

To verify that the new user "alice" has been created, use the command "keystone user-list":

sdn@sdnctl:~$ keystone user-list
+----------------------------------+-------+---------+-------+
| id                               | name  | enabled | email |
+----------------------------------+-------+---------+-------+
| 1cda5d05c628443eaf553dfebc718f8a | sdn   | True    |       |
| 9b8770833d5c48f5ae2b4d4b1771e9e9 | rsdoc | True    |       |
| a6f5428cbd1241b68512afdd99ce78d5 | alice | True    |       |
+----------------------------------+-------+---------+-------+
sdn@sdnctl:~$
Grant role to user
The user “alice” requires the correct role to be able to access the Controller.
To view her user id, type the following command:

sdn@sdnctl:~$ keystone user-list
+----------------------------------+-------+---------+-------+
| id                               | name  | enabled | email |
+----------------------------------+-------+---------+-------+
| 1cda5d05c628443eaf553dfebc718f8a | sdn   | True    |       |
| 9b8770833d5c48f5ae2b4d4b1771e9e9 | rsdoc | True    |       |
| a6f5428cbd1241b68512afdd99ce78d5 | alice | True    |       |
+----------------------------------+-------+---------+-------+
sdn@sdnctl:~$

To view the tenant id, use the following command:

sdn@sdnctl:~$ keystone tenant-list
+----------------------------------+------+---------+
| id                               | name | enabled |
+----------------------------------+------+---------+
| 0c472db05cb14025808fd20cb7af2fa1 | sdn  | True    |
+----------------------------------+------+---------+
sdn@sdnctl:~$

To view the roles, use the following command:

sdn@sdnctl:~$ keystone role-list
+----------------------------------+-----------+
| id                               | name      |
+----------------------------------+-----------+
| 94f20a7ddf314a1abb6bd79b3c76baa9 | sdn-user  |
| d0aefe85f3104a23b6af16a91539ee7f | sdn-admin |
+----------------------------------+-----------+
sdn@sdnctl:~$

So, the following command can now be used to give alice admin rights (sdn-admin, the read-write role):

sdn@sdnctl:~$ keystone user-role-add --user-id a6f5428cbd1241b68512afdd99ce78d5 --tenant-id 0c472db05cb14025808fd20cb7af2fa1 --role-id d0aefe85f3104a23b6af16a91539ee7f
sdn@sdnctl:~$
Test the new user
The user “alice” is now able to login to the Controller GUI and see the same information as the built in user “sdn”.
Figure 28: SDN controller GUI login page
Figure 29: SDN controller console as seen by user Alice
Disable user
Users can also be disabled using the command:

sdn@sdnctl:~$ keystone user-update --enabled false $uid

To view the user id, use the following command (note the True flag for enabled):

sdn@sdnctl:~$ keystone user-list
+----------------------------------+-------+---------+-------+
| id                               | name  | enabled | email |
+----------------------------------+-------+---------+-------+
| 1cda5d05c628443eaf553dfebc718f8a | sdn   | True    |       |
| 9b8770833d5c48f5ae2b4d4b1771e9e9 | rsdoc | True    |       |
| a6f5428cbd1241b68512afdd99ce78d5 | alice | True    |       |
+----------------------------------+-------+---------+-------+
sdn@sdnctl:~$

To disable the user "alice":

sdn@sdnctl:~$ keystone user-update --enabled false a6f5428cbd1241b68512afdd99ce78d5
User has been updated.
sdn@sdnctl:~$

Results (note the False flag for enabled):

sdn@sdnctl:~$ keystone user-list
+----------------------------------+-------+---------+-------+
| id                               | name  | enabled | email |
+----------------------------------+-------+---------+-------+
| 1cda5d05c628443eaf553dfebc718f8a | sdn   | True    |       |
| 9b8770833d5c48f5ae2b4d4b1771e9e9 | rsdoc | True    |       |
| a6f5428cbd1241b68512afdd99ce78d5 | alice | False   |       |
+----------------------------------+-------+---------+-------+
sdn@sdnctl:~$
Figure 30: Result of login with disabled user account
Delete user
To delete a user, use the user-delete command.

To view the user id, use the user-list command:

sdn@sdnctl:~$ keystone user-list
+----------------------------------+-------+---------+-------+
| id                               | name  | enabled | email |
+----------------------------------+-------+---------+-------+
| 1cda5d05c628443eaf553dfebc718f8a | sdn   | True    |       |
| 9b8770833d5c48f5ae2b4d4b1771e9e9 | rsdoc | True    |       |
| a6f5428cbd1241b68512afdd99ce78d5 | alice | False   |       |
+----------------------------------+-------+---------+-------+

Use the user-delete option to delete the account:

sdn@sdnctl:~$ keystone user-delete a6f5428cbd1241b68512afdd99ce78d5

To verify, use the user-list command again. Note that the user alice no longer appears in the user list:

sdn@sdnctl:~$ keystone user-list
+----------------------------------+-------+---------+-------+
| id                               | name  | enabled | email |
+----------------------------------+-------+---------+-------+
| 1cda5d05c628443eaf553dfebc718f8a | sdn   | True    |       |
| 9b8770833d5c48f5ae2b4d4b1771e9e9 | rsdoc | True    |       |
+----------------------------------+-------+---------+-------+
sdn@sdnctl:~$
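Each of the steps above (change password, create user, grant role, disable, delete) pastes a 32-character id copied from a previous listing, which is error-prone when it is done for more than one account. The following POSIX shell helpers are an added example and are not part of the HP guide or of the python-keystoneclient tool: they parse the client's table output so that users, tenants and roles can be addressed by name, and wrap the create, grant, disable and delete steps. They assume SERVICE_TOKEN and SERVICE_ENDPOINT are exported as described above; SAMPLE_USER_LIST is a constructed copy of the user-list output shown earlier, used only to exercise the parser without a controller.

```shell
#!/bin/sh
# Added example, not from the HP guide. Assumes SERVICE_TOKEN and
# SERVICE_ENDPOINT are exported so that `keystone` works non-interactively.

# Constructed sample: the `keystone user-list` output shown earlier in this
# guide (after alice was disabled). Used by demo() and by the tests only.
SAMPLE_USER_LIST='+----------------------------------+-------+---------+-------+
| id                               | name  | enabled | email |
+----------------------------------+-------+---------+-------+
| 1cda5d05c628443eaf553dfebc718f8a | sdn   | True    |       |
| 9b8770833d5c48f5ae2b4d4b1771e9e9 | rsdoc | True    |       |
| a6f5428cbd1241b68512afdd99ce78d5 | alice | False   |       |
+----------------------------------+-------+---------+-------+'

# table_field NAME COLUMN: read a keystone ASCII table on stdin and print
# COLUMN (id, enabled, ...) of the row whose "name" column equals NAME.
# Columns are located from the header row, so their order does not matter.
# Prints nothing when NAME is absent.
table_field() {
  awk -F'|' -v want="$1" -v col="$2" '
    function trim(s) { gsub(/^[ \t]+|[ \t]+$/, "", s); return s }
    /^\|/ {
      if (!seen_header) {               # first row starting with | is the header
        for (i = 2; i < NF; i++) idx[trim($i)] = i
        seen_header = 1
        next
      }
      if (trim($(idx["name"])) == want) print trim($(idx[col]))
    }'
}

user_id()      { keystone user-list   | table_field "$1" id; }
user_enabled() { keystone user-list   | table_field "$1" enabled; }
tenant_id()    { keystone tenant-list | table_field "$1" id; }
role_id()      { keystone role-list   | table_field "$1" id; }

# add_user NAME TENANT ROLE PASSWORD: create NAME in TENANT and grant ROLE
# (sdn-user or sdn-admin on this controller). Refuses to continue if NAME
# already exists, so a typo cannot silently add a role to another account.
add_user() {
  if [ -n "$(user_id "$1")" ]; then
    echo "user $1 already exists" >&2; return 1
  fi
  # --pass lands in shell history and the process list, exactly as in the
  # guide's example; have the user change it from an interactive prompt after.
  keystone user-create --name "$1" --tenant-id "$(tenant_id "$2")" \
    --pass "$4" >/dev/null
  keystone user-role-add --user-id "$(user_id "$1")" \
    --tenant-id "$(tenant_id "$2")" --role-id "$(role_id "$3")"
}

# Disable first: the id stays visible in user-list and in any audit trail.
# Delete only when nothing refers to the account any more.
disable_user() { keystone user-update --enabled false "$(user_id "$1")"; }
delete_user()  { keystone user-delete "$(user_id "$1")"; }

# demo: parse the constructed sample; prints alice's id and her enabled flag.
demo() {
  printf '%s\n' "$SAMPLE_USER_LIST" | table_field alice id
  printf '%s\n' "$SAMPLE_USER_LIST" | table_field alice enabled
}

if [ "${1:-}" = demo ]; then demo; fi
```

Source the file and call, for example, `add_user bob sdn sdn-user 's3cret'` followed later by `disable_user bob`; `sh users.sh demo` runs the parser against the embedded sample without touching a controller. Granting sdn-user rather than sdn-admin by default keeps new accounts read-only until write access to the flow tables is actually needed.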
Figure 31: Result of login with deleted user account
Frequently Asked Questions

Can users be managed by the GUI on the controller?
In the HP SDN Controller version 1.6, no GUI interface is provided for user management. This may be available in subsequent releases.
Which roles are available?
In the HP SDN Controller, the only roles are
• SDN-admin
• SDN-user
There is no authorization within the controller apart from these two roles. Applications built on top of the Controller may define their own authorization roles; the Controller only provides the infrastructure.
Resources, contacts, or additional links HP SDN: http://hp.com/sdn
HP SDN SDK and documentation: http://sdndevcenter.hp.com
Learn more at hp.com/Networking
© Copyright 2012 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice. The only warranties for HP products and services are set forth in the express warranty statements accompanying such products and services. Nothing herein should be construed as constituting an additional warranty. HP shall not be liable for technical or editorial errors or omissions contained herein.
October 2013