
API Auth Changes with Recent Security Patches (anti-CSRF token)

I'm posting this to help anyone using the API and session cookie tokens for scripts, so you don't bang your head against the wall like I did wondering what happened. I did read the patch README and made a mental note of the IMPACTS section concerning anti-CSRF tokens and custom API work, but the note ended up getting lost in the filing cabinet. For OneFS v8.0.0.4, this concerns patch-211980, but it will affect the other versions with their similar patches as well.

Once a month I run a Perl script against the Isilon to gather basic metrics on storage use by various areas/departments and email to management.  I am using Session Cookies for authentication (docu66301 - Isilon OneFS version 8.0.0 API Reference starting on page 17).  It gave an "ERROR authorization required" this month.  As noted in the README, I needed to take a look at https://support.emc.com/kb/517421 which describes the new requirement for a custom header (X-CSRF-Token) and a referer of the node you are running against.

In Perl I'm using the REST::Client module, so after isolating the new token, I had to add the following two headers to my calls:

  $client->addHeader('X-CSRF-Token', $isicsrf);
  $client->addHeader('Referer', $host);

I kept the session cookie token as a "cookie" (this didn't change):

  $client->GET($cluster_stats . "?key=" . $key_ibt,{ 'Cookie'=>$isisessid });

Something to watch for:

The session cookie token is expected (or accepted) in the format 'isisessid=biglongtokenvalue' while the anti-CSRF token is required to be just the 'biglongtokenvalue' (you have to strip off the 'isicsrf=' part before assigning it to the custom header X-CSRF-Token).

I hope this helps someone.

1 Reply
1 Copper

Re: API Auth Changes with Recent Security Patches (anti-CSRF token)

Thanks. This was huge for me as I was trying to write some .Net code and I kept getting '401' error messages when trying to do a GET on "session/1/session" using my cookie session. I didn't have access to any of the README notes - just the API documentation online. Initially testing on a VM things worked fine, but when switching to our production Isilon, that's when I started getting the authorization errors. I was always wondering when creating the cookie for the very first time what the 'isicsrf' value was for. It wasn't mentioned in the API documentation so I just ignored it.

For any others that may need a start, here is what I used to get session info (GET "session/1/session") about my current cookie.

CookieID - the value of 'isisessid=xxxxxx' from the cookie

CookieCSRF -  the value of 'yyyyyy' from the cookie with the 'isicsrf=' removed

isilonUrl - the address of your isilon - ''

    // UseCookies = false so the manually added Cookie header is sent as-is
    // instead of being managed by the handler's CookieContainer
    using (var client = new HttpClient(new HttpClientHandler { UseCookies = false }))
    {
        client.DefaultRequestHeaders.Add("Cookie", CookieID);
        client.DefaultRequestHeaders.Add("X-CSRF-Token", CookieCSRF);
        client.DefaultRequestHeaders.Add("Referer", isilonUrl);

        var response = await client.GetAsync(isilonUrl + "/session/1/session");

        // get the session information
        var body = await response.Content.ReadAsStringAsync();
    }
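
The header layout both posts above describe (the Perl script and the .Net snippet), as an added Python example that is not code from either poster: it takes the Set-Cookie lines of a session login and builds the Cookie, X-CSRF-Token and Referer headers, stripping the 'isicsrf=' prefix. The function names, the sample cookie values and attributes, and the node URL are constructed for illustration.

```python
"""Build API request headers from the Set-Cookie lines of a session login."""

# Constructed sample data: token values, cookie attributes and URL are made up.
SAMPLE_SET_COOKIE = [
    "isisessid=11111111-2222-3333-4444-555555555555; path=/; HttpOnly; Secure",
    "isicsrf=aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee; path=/; Secure",
]
SAMPLE_NODE_URL = "https://node.example.invalid:8080"


def parse_session_cookies(set_cookie_headers):
    """Return {cookie_name: value} from raw Set-Cookie header values."""
    cookies = {}
    for header in set_cookie_headers:
        # Only the first 'name=value' pair is the cookie; the rest are attributes.
        pair = header.split(";", 1)[0].strip()
        name, sep, value = pair.partition("=")
        if sep and name.strip():
            cookies[name.strip()] = value.strip()
    return cookies


def bare_csrf_token(value):
    """Accept 'isicsrf=token' or 'token' and return only the token."""
    value = value.strip()
    prefix = "isicsrf="
    return value[len(prefix):] if value.startswith(prefix) else value


def build_api_headers(set_cookie_headers, node_url):
    """Headers for a follow-up API call that uses session-cookie auth."""
    cookies = parse_session_cookies(set_cookie_headers)
    for required in ("isisessid", "isicsrf"):
        if not cookies.get(required):
            raise ValueError("login response has no %s cookie" % required)
    return {
        # The session cookie keeps its 'name=value' form.
        "Cookie": "isisessid=" + cookies["isisessid"],
        # The anti-CSRF header carries the bare token, without 'isicsrf='.
        "X-CSRF-Token": bare_csrf_token(cookies["isicsrf"]),
        # Referer is the node the request is sent to.
        "Referer": node_url,
    }


if __name__ == "__main__":
    for name, value in build_api_headers(SAMPLE_SET_COOKIE, SAMPLE_NODE_URL).items():
        print(name + ": " + value)
```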