API Auth Changes with Recent Security Patches (anti-CSRF token)

Question

I'm posting this to help anyone using the API and sessioncookie tokens for scripts, so you don't bang you head against the wall like I did wondering what happened.  I did read the patch README and made a mental note of the IMPACTS section concerning anti-CSRF tokens and custom API work, but the note ended up getting lost in the filing cabinet.  For OneFS v8.0.0.4, this concerns patch-211980, but it will affect the other versions with their similar patches as well. Once a month I run a Perl script against the Isilon to gather basic metrics on storage use by various areas/departments and email to management.  I am using Session Cookies for authentication (docu66301 - Isilon OneFS version 8.0.0 API Reference starting on page 17).  It gave an 'ERROR authorization required' this month.  As noted in the README, I needed to take a look at https://support.emc.com/kb/517421 which describes the new requirement for a custom header (X-CSRF-Token) and a referer of the node you are running against. In Perl I'm using the REST::Client module, so after isolating the new token, I had to add the following two headers to my calls:   $client->addHeader('X-CSRF-Token', $isicsrf);   $client->addHeader('Referer', $host); I kept the session cookie token as a 'cookie' (this didn't change):   $client->GET($cluster_stats . '?key=' . $key_ibt,{ 'Cookie'=>$isisessid }); Something to watch for: The session cookie token is expected (or accepted) in format 'isisessid=biglongtokkenvalue' while the anti-CSRF token is required to be just the 'biglongtokenvalue' (you have to strip off the 'isicrsf=' part before assigning it to the custom header X-CSRF-Token). I hope this helps someone.

Tim681 · Answer

Thanks. This was huge for me as I was trying to write some .Net code and I kept getting '401' error messages when trying to do a GET on "session/1/session" using my cookie session. I didn't have access to any of the README notes - just the API documentation online. Initially testing on a VM things worked fine, but when switching to our production Isilon, that's when I started getting the authorization errors. I was always wondering when creating the cookie for the very first time what the 'isicsrf' value was for. It wasn't mentioned in the API documentation so I just ignored it.

For any others that may need a start, here is what I used to get session info (GET "session/1/session") about my current cookie.

CookieID - the value of 'isisessid=xxxxxx' from the cookie

CookieCSRF - the value of 'yyyyyy' from the cookie with the 'isicsrf=' removed

isilonUrl - the address of your isilon - 'https://1.1.1.1:8080'

using (var client = new HttpClient(new HttpClientHandler { UseCookies = false }))

{

client.DefaultRequestHeaders.Add("Cookie", CookieID);

client.DefaultRequestHeaders.Add("X-CSRF-Token", CookieCSRF);

client.DefaultRequestHeaders.Add("Referer", isilonUrl);

var response = await client.GetAsync(

isilonUrl + "/session/1/session");

response.EnsureSuccessStatusCode();

//get the session information

var body = await response.Content.ReadAsStringAsync();

}

apalomet · Answer

This helped me a lot. Thanks.

For the ones using curl, to get the Cookie is like this one below:

curl --location --request POST ' https://10.1.1.1:8080/session/1/session' \

--header 'Content-Type: application/json' \

--data-raw '{

"username" : "user" ,

"password" : "password" ,

"services" : [ "platform" ]

} '

From your response you get the cookie data to be used for consequent curls. Like this below for instance: (values are examples, not my actual ones).

curl --location --request GET ' https://10.1.1.1:8080/platform/3/cluster/version' \

--header 'Cookie: isisessid=98fe7d6c-543b-2a1f-0987-e654d3cb21a0' \

--header 'X-CSRF-Token: 987dc6b5-a432-1f09-e876-543d2c10b9a8' \

--header 'Referer: https://10.1.1.1:8080/'

Isilon

Was this post helpful?