Chapter 7. Authentication/Authorization

MidoNet API provides two ways to authenticate: username/password and token. MidoNet uses the Basic Access Authentication [1] scheme for username/password authentication. For a client with username 'foo' and password 'bar', the following HTTP POST request should be sent to the '/login' path appended to the base URI:

POST    /login
Authorization: Basic Zm9vOmJhcg==

where Zm9vOmJhcg== is the base64 encoded value of foo:bar.

If the API server is configured to use OpenStack Keystone as its authentication service, the tenant name given in the web.xml file is used in the request sent to the Keystone authentication service. You can override this tenant name by specifying it in the request header:

X-Auth-Project: example_tenant_name

The server returns 401 Unauthorized if the authentication fails, and 200 if it succeeds. When the login succeeds, the server sets the 'Set-Cookie' header with the generated token and its expiration date, as follows:

Set-Cookie: sessionId=baz; Expires=Fri, 02 July 2014 1:00:00 GMT

where 'baz' is the token and the Expires attribute carries the expiration date. The token can be used for all subsequent requests until it expires. Additionally, the Content-Type is set to the MidoNet Token JSON media type:

Content-Type: application/vnd.org.midonet.Token-v1+json;charset=UTF-8

with the body of the response set to the token information:

{"key":"baz","expires":"Fri, 02 July 2014 1:00:00 GMT"}

To authenticate with a token instead, the client sets it in the X-Auth-Token HTTP header:

X-Auth-Token: baz

The server returns 200 if the token is validated successfully, 401 if the token was invalid, and 500 if there was a server error.

For authorization, if the requesting user attempts to perform operations or access resources that they do not have permission for, the API returns 403 Forbidden in the response. Currently there are only three roles in MidoNet:

  • Admin: Superuser that has access to everything
  • Tenant Admin: Admin of a tenant that has access to everything that belongs to the tenant
  • Tenant User: User of a tenant that only has read-only access to resources belonging to the tenant

Roles and credentials are set up in the auth service used by the API.
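The login exchange and the token-authenticated requests above, as an added client-side example (not MidoNet's own code): it builds the Basic header for POST /login with the optional X-Auth-Project override, parses the Token JSON response into a key and expiry, checks the expiry before reusing the token in X-Auth-Token, and maps the status codes listed in this chapter. The login response is a constructed sample, not output from a real server; the function names are this example's own.

```python
import base64
import json
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime

TOKEN_TYPE = "application/vnd.org.midonet.Token-v1+json"


def basic_auth_header(username, password):
    """Authorization value for POST /login: base64 of 'user:pass' (foo:bar -> Zm9vOmJhcg==)."""
    creds = f"{username}:{password}".encode("utf-8")
    return "Basic " + base64.b64encode(creds).decode("ascii")


def login_headers(username, password, project=None):
    """Headers for POST /login; X-Auth-Project overrides the tenant name set in web.xml."""
    headers = {"Authorization": basic_auth_header(username, password)}
    if project is not None:
        headers["X-Auth-Project"] = project
    return headers


def parse_login_response(status, headers, body):
    """Return (token, expiry datetime) from a 200 login response; raise on 401 or anything else."""
    if status == 401:
        raise PermissionError("login rejected: bad username/password")
    if status != 200:
        raise RuntimeError(f"unexpected login status {status}")
    ctype = headers.get("Content-Type", "")
    if not ctype.startswith(TOKEN_TYPE):
        raise ValueError(f"unexpected login content type: {ctype!r}")
    info = json.loads(body)  # {"key": "...", "expires": "<HTTP date>"}
    return info["key"], parsedate_to_datetime(info["expires"])


def token_is_valid(expires, now=None):
    """True while the token may still be sent in X-Auth-Token; otherwise log in again."""
    now = now or datetime.now(timezone.utc)
    return now < expires


def classify_api_status(status):
    """Meaning of the status codes the chapter lists for token-authenticated requests."""
    return {200: "ok", 401: "token invalid: log in again",
            403: "forbidden: role lacks permission", 500: "server error"}.get(status, "unexpected")


# Constructed sample of the login response described above (not captured from a real server).
SAMPLE_LOGIN = (200,
                {"Content-Type": TOKEN_TYPE + ";charset=UTF-8",
                 "Set-Cookie": "sessionId=baz; Expires=Fri, 02 July 2014 1:00:00 GMT"},
                '{"key":"baz","expires":"Fri, 02 July 2014 1:00:00 GMT"}')

if __name__ == "__main__":
    token, expires = parse_login_response(*SAMPLE_LOGIN)
    print(login_headers("foo", "bar", "example_tenant_name"), {"X-Auth-Token": token}, expires)
```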
