Rubrik : Using Token-based authentication for REST-API Calls

Background

With the rise of API-driven systems, the need for extra security appeared. When doing a simple API call with plain credentials like a username and password, you face risks such as stolen credentials. When using a token, you have an expiration time, so in the worst case, if the token gets stolen, it will disappear into cyberspace once its expiry is reached!

Token Token Token!!!

The Rubrik API stack allows the use of tokens. The endpoint to use is /api/internal/session; from there you can create and delete tokens.

Function in my framework to create a new token :

function rkGenToken($clusterConnect,$duration)
{
    // POST /api/internal/session with basic auth to mint a token that
    // expires after $duration minutes.
    $API="/api/internal/session";

    $config_params="
    {
       \"initParams\":
       {
         \"apiToken\":
         {
           \"expiration\": ".$duration.",
           \"tag\": \"API Generated Token\"
         }
       }
    }
    ";

    $curl = curl_init();

    curl_setopt($curl, CURLOPT_POST, 1);
    curl_setopt($curl, CURLOPT_POSTFIELDS,$config_params);
    // Username/password are only needed for this call; every later call uses the token.
    curl_setopt($curl, CURLOPT_USERPWD, $clusterConnect["username"].":".$clusterConnect["password"]);
    curl_setopt($curl, CURLOPT_HTTPAUTH, CURLAUTH_BASIC);
    curl_setopt($curl, CURLOPT_FOLLOWLOCATION, 1);
    curl_setopt($curl, CURLOPT_HTTPHEADER, array('Content-Type: application/json','Content-Length: ' . strlen($config_params),'Accept: application/json'));
    // Certificate validation is disabled here; that leaves the credentials above open
    // to interception, so enable it (CURLOPT_CAINFO for a private CA) wherever possible.
    curl_setopt($curl, CURLOPT_SSL_VERIFYPEER, false);
    curl_setopt($curl, CURLOPT_SSL_VERIFYHOST, false);
    curl_setopt($curl, CURLOPT_URL, "https://".$clusterConnect["ip"].$API);
    curl_setopt($curl, CURLOPT_RETURNTRANSFER, 1);

    $result = curl_exec($curl);
    curl_close($curl);

    // The decoded response carries the token under session->token.
    return json_decode($result);
}

This call of course still uses the standard credentials mechanism, but it is almost the last time!

Removing the token : 

function rkDelToken($clusterConnect,$tokenID,$userId)
{
    // POST /api/internal/session/bulk_delete to revoke a token before it expires.
    // $tokenID is the token's ID (the value shown in the UI), not the token itself.
    $API="/api/internal/session/bulk_delete";

    $config_params="
    {
      \"tokenIds\": [
        \"".$tokenID."\"
      ],
      \"userId\": \"".$userId."\"
    }
    ";

    $curl = curl_init();

    curl_setopt($curl, CURLOPT_POST, 1);
    curl_setopt($curl, CURLOPT_POSTFIELDS,$config_params);
    curl_setopt($curl, CURLOPT_USERPWD, $clusterConnect["username"].":".$clusterConnect["password"]);
    curl_setopt($curl, CURLOPT_HTTPAUTH, CURLAUTH_BASIC);
    curl_setopt($curl, CURLOPT_FOLLOWLOCATION, 1);
    curl_setopt($curl, CURLOPT_HTTPHEADER, array('Content-Type: application/json','Content-Length: ' . strlen($config_params),'Accept: application/json'));
    // Same caveat as in rkGenToken: certificate validation is disabled here.
    curl_setopt($curl, CURLOPT_SSL_VERIFYPEER, false);
    curl_setopt($curl, CURLOPT_SSL_VERIFYHOST, false);
    curl_setopt($curl, CURLOPT_URL, "https://".$clusterConnect["ip"].$API);
    curl_setopt($curl, CURLOPT_RETURNTRANSFER, 1);

    $result = curl_exec($curl);
    // Read the status code before closing the handle; 204 No Content means the token is gone.
    $info=curl_getinfo($curl,CURLINFO_HTTP_CODE);

    curl_close($curl);

    if($info == 204) return TRUE;
    else return FALSE;
}

Now that you can manipulate tokens easily, you can use them. I have modified one of my functions, which gets the cluster info, to make good use of the token:

function rkGetClusterDetails_t($clusterConnect,$token)
{
    // GET /api/v1/cluster/me authenticated with the token only: no username/password here.
    // $token is the complete header string, i.e. "Authorization: Bearer <token>".
    $API="/api/v1/cluster/me";

    $curl = curl_init();
    curl_setopt($curl, CURLOPT_FOLLOWLOCATION, 1);
    curl_setopt($curl, CURLOPT_HTTPHEADER, array('Content-Type: application/json',$token));
    // Same caveat as above: certificate validation is disabled here.
    curl_setopt($curl, CURLOPT_SSL_VERIFYPEER, false);
    curl_setopt($curl, CURLOPT_SSL_VERIFYHOST, false);
    curl_setopt($curl, CURLOPT_URL, "https://".$clusterConnect["ip"].$API);
    curl_setopt($curl, CURLOPT_RETURNTRANSFER, 1);
    $result = curl_exec($curl);
    curl_close($curl);
    // Returned as the raw JSON string, not decoded.
    return $result;
}

In order to generate the token needed for the function, I'm using the rkGenToken function :

$tmp=rkGenToken($clusterConnect,"60");

$token=$tmp->session->token;
$authorization = "Authorization: Bearer ".$token;

So, I can call the rkGetClusterDetails_t function this way :

rkGetClusterDetails_t($clusterConnect,$authorization);

Note : the $duration for the token is expressed in minutes.
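As an added example (not code from the post or from the Rubrik framework), the three steps above combined into one helper that sends the password exactly once, uses only the Bearer header afterwards, and revokes the token when the work finishes, with certificate validation kept on and the JSON bodies built by json_encode() rather than string concatenation. It assumes the post's $clusterConnect array (ip/username/password) and endpoints, and that the creation response also carries session.id and session.userId (an assumption; adjust to what your cluster returns).

```php
<?php
// rkRequest: one HTTPS call with TLS verification on and JSON encoded safely.
// rkWithToken: mint token (basic auth) -> run $work with a Bearer-only GET
// helper -> revoke the token in finally, whether $work succeeded or threw.
function rkRequest(array $c, string $method, string $api, ?array $body, array $headers): array
{
    $curl = curl_init("https://" . $c["ip"] . $api);
    if ($body !== null) {
        curl_setopt($curl, CURLOPT_POSTFIELDS, json_encode($body)); // no hand-built JSON
        $headers[] = "Content-Type: application/json";
    }
    curl_setopt_array($curl, [
        CURLOPT_CUSTOMREQUEST  => $method,
        CURLOPT_HTTPHEADER     => array_merge(["Accept: application/json"], $headers),
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_SSL_VERIFYPEER => true,  // add CURLOPT_CAINFO => '/path/to/cluster-ca.pem' for a private CA
        CURLOPT_SSL_VERIFYHOST => 2,
    ]);
    $out  = curl_exec($curl);
    $code = (int) curl_getinfo($curl, CURLINFO_HTTP_CODE);
    curl_close($curl);
    return [$code, $out === false ? null : json_decode($out, true)];
}

function rkWithToken(array $c, int $minutes, callable $work)
{
    // Step 1: the only call that carries the password.
    $basic = ["Authorization: Basic " . base64_encode($c["username"] . ":" . $c["password"])];
    $body  = ["initParams" => ["apiToken" => ["expiration" => $minutes, "tag" => "API Generated Token"]]];
    [$code, $resp] = rkRequest($c, "POST", "/api/internal/session", $body, $basic);
    if ($code < 200 || $code >= 300 || empty($resp["session"]["token"])) {
        throw new RuntimeException("token creation failed, HTTP $code");
    }
    $bearer = ["Authorization: Bearer " . $resp["session"]["token"]];
    try {
        // Step 2: the caller gets a GET helper that only ever sends the token.
        return $work(fn(string $api) => rkRequest($c, "GET", $api, null, $bearer));
    } finally {
        // Step 3: revoke now instead of waiting for expiry (same bulk_delete call as the post).
        // session.id / session.userId are assumed field names (see lead-in).
        if (!empty($resp["session"]["id"]) && !empty($resp["session"]["userId"])) {
            rkRequest($c, "POST", "/api/internal/session/bulk_delete",
                ["tokenIds" => [$resp["session"]["id"]], "userId" => $resp["session"]["userId"]], $basic);
        }
    }
}
// Usage: [$code, $me] = rkWithToken($clusterConnect, 5, fn($get) => $get("/api/v1/cluster/me"));
```

Requires PHP 7.4 or later for the arrow functions; the token lives only for the duration of the callback, so a leaked copy is useful for at most the requested number of minutes and usually far less.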

Every token is stored in the Rubrik cluster, and you can see them in the UI.

What you see above is not the token itself; it is the ID of the token. There is no way to display the token again: you only see it when it is generated. The UI also records the last usage (date/time) and the IP address it was used from.

A token is similar to this :

eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJmNzU4NWIwNC1iMDJiLTRhMjMtYjk4Ny00N2Q4MDZlYWIzOTMiLCJpc3MiOiJjYjJiYjgxZC00Y2JlLTQzYjEtYTY5MC00ODQxMGUyY2FlMDMiLCJqdGkiOiJkMzY0MWY4MC00YzU3LTQwYmUtOWZmNC1jYjk2ZGUxNGE5NDcifQ.ibJB0cGjcaNTTYxiGJusD2N9tFaDx8-7MMZM7Wery6A

I have not had the time to do benchmarks yet, but this should bring some speed improvements to the various REST-API calls. At least, it adds security.

To be continued !
