108 Posts
0
2312
REST API security
Hi,
Is there a way to do REST calls without passing in the password in clear text? I can't find anything other than using the settings.cfg file and you still have to put the password in as plain text. It's simple enough to hash a password and it should be simple enough to add an API key but I can't seem to find anything in the documentation.
ankur.patel
286 Posts
0
April 29th, 2020 14:00
This is something one of our developers recommended
https://pypi.org/project/keyring/
ankur.patel
286 Posts
0
April 28th, 2020 09:00
What are you using to send REST calls?
https://www.middlewareinventory.com/blog/how-to-avoid-or-hide-clear-text-username-and-password-in-curl/
I use postman and it does not type passwords in clear text.
ThomDaleyPPI
108 Posts
0
April 28th, 2020 12:00
It's a Python script and it's not interactive. It's scheduled to kick off once a day. I'd just prefer not to have the password sitting in plain text on the server.
ankur.patel
286 Posts
0
April 29th, 2020 06:00
What do you think about having a file with the credentials that only your user has access to?
config.py
username = "xy"
password = "abcd"
main.py
import config
login(config.username, config.password)
ankur.patel
286 Posts
0
April 29th, 2020 10:00
Since this is more of a API "flaw" and not VPLEX specific Im not sure what VPLEX could add on its roadmap. This is no different than if you tried to do API calls to your array under VPLEX.
ThomDaleyPPI
108 Posts
0
April 29th, 2020 10:00
Hi Ankur,
That's not a bad idea. I'll work on that for now. Can you tell me if there are any plans on the road-map to add this feature?
ThomDaleyPPI
108 Posts
0
April 29th, 2020 12:00
I wouldn't call it a flaw so much in that over the wire communications are secured through HTTPS. I guess I thought maybe something like an API key or somehow have the system accept a hash instead of a clear text password. Thanks for replying.
ThomDaleyPPI
108 Posts
0
April 30th, 2020 04:00
This is perfect! Tell your developer I said thanks.