Isilon Rest API using Powershell Part 2: Authentication Options


This is Part 2 of a series dedicated to Isilon and Powershell. In Part 1 we looked at the basics of how to leverage Powershell for REST scripting and ended with a quick example with parts from Jeremy. In this part we will have a more detailed view on the two authentication methods for REST offered by Isilon.

HTTP Basic Authentication:

The first way of authenticating the REST call is to send a HTTP basic authentication header with every call. This is simple as you just combine your username + password and encode the string with Base64. In Part 1 I already posted an example for basic authentication and will now explain it in more detail.

The first part is to create the basic authorization header encoded with Base64. (username and password would be passed as a parameter in a cmdlet later)

The next part is to create the uri (unified resource identifier). In the Isilon Platform API documentation you can find the different resource URLs available. In this case we are going to send a call to the SMB shares resource.

In the last part we are creating a REST call with the “Invoke-RestMethod” of powershell to get (Method: GET) all available SMB shares. With the switch “headers” we send our created authorization header.
The “ISIObject” is a powershell object which holds all the SMB shares and its configuration parameters. This object can be used e.g. as an input to a second cmdlet.

This was easy. But what is the downside? Isilon needs resources to decode the authentication header of every call. Furthermore you have to store the encoded header securely somewhere if you want to do multiple calls without entering the password again and again. If someone gets access to the string he will be able to authenticate now and in the future to the Isilon! This could be a security issue.

Session cookies:

The solution is to leverage session cookies. In this way we first use a REST call to authenticate with Isilon and receive a session cookie. In successive calls we just pass the cookie along with our REST calls. The advantage is that Isilon just needs to authenticate you once. Furthermore the session does have a limited idle and life time which increases security.

If you enter a FQDN of a SmartConnect zone rather than a node or SmartConnect Service IP you will have to resolve the IP of the FQDN first. This is necessary as you are only able to use the session cookie with the same node where you have done the authentication. This can be done by:

The username and password are sent to the Isilon in the body of the REST call as a JSON object. Encryption is done by SSL. You can also decide if you want to get a session cookie for the “platform API”, the “namespace” or both. In our example we request a session for both.

The next step is to create the URI for the session resource.

Next we send our REST call with the credentials in the body. If we do a “post” we have to specify the contentype, which is “application/json”. We also have to specify the session variable where we will save the cookie. Please note that you only specify the name of the variable and not the variable itself. (in our case “session” instead of “$session”)

Finally we use our session cookie to authenticate our REST call to receive all SMB shares. The cookie is passed by using the parameter “WebSession” and our session variable

Conclusion:

Personally I think that using session authentication is the way to go. With powershell it is very simple to leverage this authentication method and you can write secure and rich powershell cmdlets.

In Part 3 I will introduce a couple of cmdlets which cover session handling. These cmdlets should help you to start writing your own scripts or cmdlets.


Leave a comment

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.

One thought on “Isilon Rest API using Powershell Part 2: Authentication Options

  • Heike Flemmerer-Humbs

    Hi Christopher,

    as a Windows Administrator I love your Powershell cmdlets for Isilon to manage quotas and local users and groups.
    Will there be a update for OneFS 8.1.0.4 including “Authentication w/ CSRF Protection”?

    Regards

    Heike