Revision c099b8d8 doc/rapi.rst
b/doc/rapi.rst | ||
---|---|---|
16 | 16 |
which is used by default, can also be disabled by passing command line |
17 | 17 |
parameters. |
18 | 18 |
|
19 |
|
|
20 |
Users and passwords |
|
21 |
------------------- |
|
22 |
|
|
23 |
``ganeti-rapi`` reads users and passwords from a file (usually |
|
24 |
``/var/lib/ganeti/rapi_users``) on startup. After modifying the password |
|
25 |
file, ``ganeti-rapi`` must be restarted. |
|
26 |
|
|
27 |
Each line consists of two or three fields separated by whitespace. The |
|
28 |
first two fields are for username and password. The third field is |
|
29 |
optional and can be used to specify per-user options. Currently, |
|
30 |
``write`` is the only option supported and enables the user to execute |
|
31 |
operations modifying the cluster. Lines starting with the hash sign (#) |
|
32 |
are treated as comments. |
|
33 |
|
|
34 |
Passwords can either be written in clear text or as a hash. Clear text |
|
35 |
passwords may not start with an opening brace (``{``) or they must be |
|
36 |
prefixed with ``{cleartext}``. To use the hashed form, get the MD5 hash |
|
37 |
of the string ``$username:Ganeti Remote API:$password`` (e.g. ``echo -n |
|
38 |
'jack:Ganeti Remote API:abc123' | openssl md5``) [#pwhash]_. Using the |
|
39 |
scheme prefix for all passwords is recommended. Scheme prefixes are not |
|
40 |
case sensitive. |
|
41 |
|
|
42 |
Example:: |
|
43 |
|
|
44 |
# Give Jack and Fred read-only access |
|
45 |
jack abc123 |
|
46 |
fred {cleartext}foo555 |
|
47 |
|
|
48 |
# Give write access to an imaginary instance creation script |
|
49 |
autocreator xyz789 write |
|
50 |
|
|
51 |
# Hashed password for Jessica |
|
52 |
jessica {HA1}7046452df2cbb530877058712cf17bd4 write |
|
53 |
|
|
54 |
|
|
55 |
.. [#pwhash] Using the MD5 hash of username, realm and password is |
|
56 |
described in RFC2617_ ("HTTP Authentication"), sections 3.2.2.2 and |
|
57 |
3.3. The reason for using it over another algorithm is forward |
|
58 |
compatibility. If ``ganeti-rapi`` were to implement HTTP Digest |
|
59 |
authentication in the future, the same hash could be used. |
|
60 |
In the current version ``ganeti-rapi``'s realm, ``Ganeti Remote |
|
61 |
API``, can only be changed by modifying the source code. |
|
62 |
|
|
63 |
|
|
19 | 64 |
Protocol |
20 | 65 |
-------- |
21 | 66 |
|
22 |
The protocol used is JSON_ over HTTP designed after the REST_ |
|
23 |
principle.
|
|
67 |
The protocol used is JSON_ over HTTP designed after the REST_ principle.
|
|
68 |
HTTP Basic authentication as per RFC2617_ is supported.
|
|
24 | 69 |
|
25 | 70 |
.. _JSON: http://www.json.org/ |
26 | 71 |
.. _REST: http://en.wikipedia.org/wiki/Representational_State_Transfer |
72 |
.. _RFC2617: http://tools.ietf.org/rfc/rfc2617.txt |
|
27 | 73 |
|
28 | 74 |
Generic parameters |
29 | 75 |
------------------ |
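Review bot: In the new "Users and passwords" section, the prose never says that a hashed password must be written with the ``{HA1}`` prefix. The prefix appears only in the ``jessica`` example line, so a reader following the text alone would put a bare MD5 string in the file, which by the rule given for unprefixed values would be read as a clear-text password. Name the prefix next to the ``openssl md5`` instruction. The example also goes against the recommendation, made in the same section, to use a scheme prefix for all passwords: ``jack abc123`` and ``autocreator xyz789 write`` are unprefixed and would be better shown as ``{cleartext}abc123`` and ``{cleartext}xyz789``. Since the file may hold clear-text passwords, and the footnote says the same hash could be used directly for HTTP Digest authentication, a sentence on restricting read access to ``/var/lib/ganeti/rapi_users`` would be worth adding.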