Donal,
> 1. How are API calls authenticated and authorized if they are not signed with
> API keys?
API calls are authenticated and authorized by the sessionkey returned by the login API.
When logging in to the CloudStack UI, the CloudStack UI passes
userName/password/domainName to the login API, then the login API returns:
{
  "loginresponse": {
    "timeout": "1800",
    "sessionkey": "SNneDo02sr+ZyXC9QjFS8zDlRkw=",
    "username": "admin",
    "registered": "false",
    "userid": "7be457a7-eec0-1030-9ebb-c172f98ac43b",
    "account": "admin",
    "lastname": "User",
    "domainid": "7be3ba5d-eec0-1030-9ebb-c172f98ac43b",
    "firstname": "Admin",
    "type": "1"
  }
}
Then the UI passes the sessionkey ("SNneDo02sr+ZyXC9QjFS8zDlRkw=") to all API calls,
e.g.
http://localhost:8080/client/api?command=listZones&response=json&sessionkey=SNneDo02sr%2BZyXC9QjFS8zDlRkw%3D&_=1365111852798
http://localhost:8080/client/api?command=listHosts&response=json&sessionkey=SNneDo02sr%2BZyXC9QjFS8zDlRkw%3D&state=Alert&page=1&pageSize=4&_=1365112437658
http://localhost:8080/client/api?command=listVirtualMachines&response=json&sessionkey=SNneDo02sr%2BZyXC9QjFS8zDlRkw%3D&listAll=true&page=1&pagesize=20&_=1365112441706
Jessica
-----Original Message-----
From: Donal Lafferty [mailto:[email protected]]
Sent: Thursday, April 04, 2013 4:21 AM
To: [email protected]
Subject: CloudStack UI Authentication Mechanism
I noticed that the CloudStack UI allows VM control to accounts that don't have
an API key set defined.
How does its authentication mechanism work? E.g.
1. How are API calls authenticated and authorized if they are
not signed with API keys?
2. Does this work equally well when LDAP is to authenticate
username / password?
DL
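
The session-key flow described in Jessica's reply, as an added example that is not part of the original thread and is not CloudStack code. The endpoint, field names and sample sessionkey come from the thread; the function names are hypothetical. It shows why the key must be percent-encoded (it is base64, so it can contain "+" and "=") and how to mask it before a request URL is written to a log, since the key travels in the query string.

```javascript
// Added example (not CloudStack source). Endpoint and field names are taken
// from the thread; the function names are hypothetical.
const API_BASE = "http://localhost:8080/client/api";

// Login response in the shape quoted in the reply (trimmed to the fields used).
const loginResponse = {
  loginresponse: { timeout: "1800", sessionkey: "SNneDo02sr+ZyXC9QjFS8zDlRkw=", username: "admin" }
};

// Build a session-authenticated API URL. Every value is percent-encoded, so the
// base64 characters "+" and "=" in the sessionkey become %2B and %3D.
function buildApiUrl(login, command, params = {}) {
  const key = login && login.loginresponse && login.loginresponse.sessionkey;
  if (typeof key !== "string" || key.length === 0) {
    throw new Error("login response carries no sessionkey");
  }
  const pairs = [["command", command], ["response", "json"], ["sessionkey", key],
                 ...Object.entries(params)];
  return API_BASE + "?" + pairs
    .map(([k, v]) => encodeURIComponent(k) + "=" + encodeURIComponent(String(v)))
    .join("&");
}

// The sessionkey value a standard query-string parser recovers from a URL.
function sessionKeyAsReceived(url) {
  return new URL(url).searchParams.get("sessionkey");
}

// Mask the sessionkey in a log line or stored URL before it is written out.
function redactSessionKey(line) {
  return line.replace(/([?&]sessionkey=)[^&\s"']*/gi, "$1REDACTED");
}

const good = buildApiUrl(loginResponse, "listZones");
const raw = API_BASE + "?command=listZones&response=json&sessionkey=" +
  loginResponse.loginresponse.sessionkey; // unencoded, for comparison
console.log(good);
console.log(JSON.stringify(sessionKeyAsReceived(raw))); // "+" parsed as a space
console.log(redactSessionKey("GET " + good + " HTTP/1.1")); // constructed log line
```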