June 1st, 2016 09:00

REST API and Security

Hello, anyone using the REST API to call CLI operations in a secure fashion? Using CURL, etc., it looks like you need a password file or to place the credentials in plain text in the command. This is not allowed in my environment. Currently I am using SSH Public/Private key to run some snapshot refresh commands for backup purposes. In 4.0.4 the remove-snapshot-set command changed and doesn't work from SSH. Support has pointed me to the REST API for now while they look at correcting the function of this command in a patch or new release. REST is a new learning curve for me (no programming background), and I don't see a very secure way to pass/save the credentials using something like CURL at this time.


June 1st, 2016 22:00

The good news is that we expect to release a hotfix next week to resolve the issue you've hit with some commands not working correctly via non-interactive SSH.  What's more, as this is just an XMS issue there's no need to upgrade the array to get the fix - you can just upgrade the XMS.

That said, using the REST API is generally a better way to automate things rather than via the CLI. If you haven't already seen them, you may want to have a read through my blog posts on using the API - Using the XtremIO REST API - Part 1

Specifically around authentication, fundamentally using a password is no more or less secure than using an SSH key file.  Both are basically tokens that allow the same level of access to the array as each other.  People fundamentally think of an ssh key as being more secure than a password, but in practice it's really not.

However you do need to take some basic steps to protect the password (just like you have to do to protect your ssh key!).  Using curl isn't ideal for many reasons, with one of those being that you normally pass the password on the command-line, which can be visible to others on the system (e.g., by running "ps" at exactly the right time). Thankfully there is a way around this - use the -K option to curl which allows you to put some of the options, specifically the username/password, in a file (much like the way the ssh key is in a file!) and then they won't be visible to anyone else on the system.

Or even better, use a real scripting language like Python/Perl/etc!
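The `-K` approach described in the reply above, as an added example that is not part of the original thread or any vendor script: it writes the curl config file owner-only, escapes the password for curl's quoted-string syntax, and refuses to use the file if group or others can access it. The function names, the `XMS_CURL_CONFIG` variable, the account name and the URL are assumptions for illustration.

```shell
#!/bin/sh
# Added example. Names, paths and URLs here are placeholders, not vendor values.

# Escape \ and " so a value is safe inside a double-quoted curl config string.
curl_quote() {
    printf '%s' "$1" | sed -e 's/\\/\\\\/g' -e 's/"/\\"/g'
}

# write_curl_config FILE USER
# The password is read from stdin, so it never appears in any process's argv
# (printf is a shell builtin and sed receives the value on stdin).
write_curl_config() {
    IFS= read -r _pw || [ -n "$_pw" ] || return 1
    ( umask 077 && : > "$1" ) || return 1   # create or truncate, owner-only
    chmod 600 "$1" || return 1              # tighten a pre-existing file first
    printf 'user = "%s:%s"\n' "$(curl_quote "$2")" "$(curl_quote "$_pw")" > "$1"
    _rc=$?
    unset _pw
    return $_rc
}

# Succeeds only if FILE exists and grants nothing to group or others,
# the same rule ssh applies to private key files.
config_is_private() {
    [ -f "$1" ] || return 1
    mode=$(stat -c %a "$1" 2>/dev/null || stat -f %Lp "$1") || return 1
    case $mode in
        *00) return 0 ;;
        *)   return 1 ;;
    esac
}

# xms_get URL: "ps" shows only "-K <file>" and the URL, never the password.
xms_get() {
    config_is_private "$XMS_CURL_CONFIG" || {
        echo "refusing to use '$XMS_CURL_CONFIG': must be owner-only" >&2
        return 1
    }
    curl --silent --show-error --fail -K "$XMS_CURL_CONFIG" "$1"
}

# Usage (interactive, password typed without echo):
#   stty -echo; write_curl_config "$HOME/.xms.curlrc" backup_user; stty echo
#   XMS_CURL_CONFIG="$HOME/.xms.curlrc" xms_get "https://xms.example.invalid/<endpoint>"
```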
