OpenAPI Authentication
OpenAPI uses a digest-based authentication scheme. The workflow is as follows:
- Log in to the Secure Workload UI Dashboard.
- Generate an API key and an API secret with the desired capabilities.
- Use the Secure Workload API SDK to send REST requests in JSON format.
- To use the Python SDK, install it using pip install tetpyclient.
- After the Python SDK is installed, here is some boilerplate code for instantiating the RestClient:
from tetpyclient import RestClient

API_ENDPOINT = "https://<UI_VIP_OR_DNS_FOR_TETRATION_DASHBOARD>"

# ``verify`` is an optional param to disable SSL server authentication.
# By default, cluster dashboard IP uses self-signed cert after
# deployment. Hence, ``verify=False`` might be used to disable server
# authentication in SSL for API clients. If users upload their own
# certificate to cluster (from ``Platform > SSL Certificate``)
# which is signed by their enterprise CA, then server side authentication
# should be enabled; in such scenarios, in the code below, verify=False
# should be replaced with verify="path-to-CA-file"

# credentials.json looks like:
# {
#   "api_key": "<hex string>",
#   "api_secret": "<hex string>"
# }
restclient = RestClient(API_ENDPOINT,
                        credentials_file='<path_to_credentials_file>/credentials.json',
                        verify=False)

# followed by API calls, for example API to retrieve list of agents.
# API can be passed /openapi/v1/sensors or just /sensors.
resp = restclient.get('/sensors')
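A pre-flight check for the credentials file and the verify setting discussed in the comments above, as an added example that is not part of the Cisco documentation or the tetpyclient SDK. The helper names, the owner-only file-mode requirement and the https:// check are assumptions of this example; only RestClient, credentials_file and verify come from the page.

```python
import json
import os
import stat
import string

HEX_DIGITS = set(string.hexdigits)


def load_credentials(path):
    """Validate a credentials.json file before handing it to RestClient."""
    # Assumption of this example: on POSIX hosts the secret file is owner-only.
    if os.name == "posix":
        mode = stat.S_IMODE(os.stat(path).st_mode)
        if mode & (stat.S_IRWXG | stat.S_IRWXO):
            raise PermissionError(f"{path} is accessible to group/other (mode {mode:o})")
    with open(path, encoding="utf-8") as fh:
        creds = json.load(fh)
    if not isinstance(creds, dict):
        raise ValueError("credentials file must contain a JSON object")
    # The page describes both values as hex strings.
    for field in ("api_key", "api_secret"):
        value = creds.get(field)
        if not isinstance(value, str) or not value or set(value) - HEX_DIGITS:
            raise ValueError(f"{field} is missing or is not a hex string")
    return creds


def tls_verify_setting(ca_file):
    """Return the CA file path for ``verify``; never fall back to False."""
    if not ca_file or not os.path.isfile(ca_file):
        raise FileNotFoundError(f"CA file not found: {ca_file!r}")
    return ca_file


def make_client(endpoint, credentials_file, ca_file):
    """Build a RestClient only after every check has passed."""
    if not endpoint.lower().startswith("https://"):
        raise ValueError("API endpoint must use https://")
    load_credentials(credentials_file)
    verify = tls_verify_setting(ca_file)
    # Imported late so the checks above can run where the SDK is not installed.
    from tetpyclient import RestClient
    return RestClient(endpoint, credentials_file=credentials_file, verify=verify)
```

make_client raises instead of silently connecting with server authentication disabled, so a missing CA file shows up as a configuration error rather than as an unauthenticated TLS session.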
Generate API Key and Secret
Procedure
Step 1: In the upper right corner of the Secure Workload UI, click the logged-in account and choose API Keys.
Step 2: Click Create API Key.
Step 3: (Optional) Enter a description for the API key.
Step 4: Select the required capabilities for the key and secret. Select only the limited set of capabilities that the API key and secret pair is intended to use.
Step 5: Click Create.
Note: If External Auth with LDAP and LDAP Authorization are enabled, access to OpenAPI using API keys stops because Secure Workload roles that are derived from LDAP MemberOf groups are reassessed after the user session terminates. Therefore, to ensure uninterrupted OpenAPI access, it is recommended that any user with API keys have the Use Local Authentication option enabled in the Edit User Details flow for the user.