Access Key Authentication

Access key authentication provides an alternative to the security credentials of a node user or system user. Because an access key is restricted to its own storage (local or cloud), access control and usage reporting can be segregated by storage, which is a significant benefit to multi-tenant service providers and to enterprise installations with multiple departments. Access key authentication supports Aspera client products such as Desktop Client, Point-to-Point Client, Enterprise Server, Connect, and Drive. It also supports Faspex, Shares, and Aspera Files. For details about using access key authentication with these products, see their documentation.

Node Access through SSH and HTTPS

A node (a transfer server) is accessed over SSH or HTTPS:

Access through SSH and HTTPS uses various types of authentication:

Creating and Testing Access Keys

Set up a node user and associate it with a system user by running the asnodeadmin command, as in the following example, where asp1 is the node user, aspera is the node user's password, and xfer is the system (transfer) user that the node user maps to. Then run asnodeadmin again to reload asperanoded so that the change takes effect. Running asnodeadmin requires root or administrator permissions. Note that a password given with -p is visible in the shell history and in the process list while the command runs; the value aspera is a placeholder and should be replaced with a strong password.

# /opt/aspera/bin/asnodeadmin -a -u asp1 -p aspera -x xfer
# /opt/aspera/bin/asnodeadmin --reload 

Run curl commands as in the following examples to create access keys. To create an access key with local storage, run the following:

$ curl -d @access_key-make-local.json -ki -u 'asp1:aspera' https://localhost:9092/access_keys

where:

-d @access_key-make-local.json
Indicates that the next argument is the data to send. The "@" identifies access_key-make-local.json as a file containing the data, in this case a JSON payload file.
-i
Includes the HTTP header in the output.
-k
Allows curl to perform "insecure" SSL connections and transfers, that is, to skip verification of the server certificate. This is acceptable for localhost and for a node whose certificate you cannot yet validate; against a remote node, install a trusted certificate and drop -k so that the node user's password is not sent to an unverified peer.
-u 'asp1:aspera'
Specifies the user name asp1 and password aspera to use for server authentication.
https://localhost:9092/access_keys
Indicates where to store the access keys.

Create an access key with cloud storage for Swift:

$ curl -d @access_key-make-swift.json -ki -u 'asp1:aspera' https://localhost:9092/access_keys

Check the access keys. Note that the listing returns each key's stored cloud credentials in clear text (for example the Swift api_key below), so the node user's password effectively grants read access to those secrets and must be protected accordingly:

$ curl -ki -u asp1:aspera https://localhost:9092/access_keys
HTTP/1.1 200 OK
Cache: no-cache
Connection: close
Content-Type: application/json; charset=utf-8

[
  {
    "id" : "diDeuFLcpG9IYdsvxj0SCq4mOohNJTKvp5Q2nRWjDgIA",
    "uri" : "file:////home/asp1/data",
    "file_id" : "1",
    "token_verification_key" : null,
    "license" : null,
    "storage" : {
      "type" : "local",
      "path" : "/home/asp1/data"
    }
  },
  {
    "id" : "Yc6Q4VuvaYA9mMRf55NyNsiVGC-HHSBh0FTuqMH8aHsA",
    "uri" : "swift://sjc01.objectstorage.softlayer.net/wallball",
    "file_id" : "1",
    "token_verification_key" : null,
    "license" : null,
    "storage" : {
      "type" : "softlayer_swift",
      "path" : "/",
      "container" : "wallball",
      "credentials" : {
        "authentication_endpoint" : "https://sjc01.objectstorage.softlayer.net/auth/v1.0",
        "username" : "IBMOS303446-2%3AIBM303446",
        "api_key" : "e0a8987b571cca4e475c8dd816c2d2db71b6d6e060f2a75ce23b1832c12d6706"
      }
    }
  }
]

Test whether you can browse the storage for each key. For the -u argument, use the access key ID as the user name and the access key secret as the password (the node user's credentials are not used here); file ID 1 is the root of the key's storage.

Testing the local storage:

$ curl -ki -u 'diDeuFLcpG9IYdsvxj0SCq4mOohNJTKvp5Q2nRWjDgIA:aspera' https://localhost:9092/files/1/files

Testing the Swift storage:

$ curl -ki -u 'Yc6Q4VuvaYA9mMRf55NyNsiVGC-HHSBh0FTuqMH8aHsA:aspera' https://localhost:9092/files/1/files
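The same two calls driven from Ruby rather than curl, as an added example that is not part of the Aspera documentation. It keeps the values from this page (node user asp1, https://localhost:9092, storage path /home/asp1/data), but replaces the placeholder secret "aspera" with a randomly generated id and secret, takes the node user's password from the environment instead of the command line, and verifies the server certificate unless you explicitly ask for the curl -k behaviour. The function and variable names are the example's own.

```ruby
# Added example (not from the Aspera docs): create an access key as the node
# user, then browse its storage as the access key, via the Node API.
require 'json'
require 'net/http'
require 'openssl'
require 'securerandom'
require 'uri'

NODE_URL = "https://localhost:9092"   # the node's HTTPS API, as on this page

# Generate an access key id and secret. The id is 44 url-safe base64 characters
# (the shape of the ids in the listing above); the secret is 32 random bytes,
# base64-encoded, instead of the placeholder "aspera".
def new_access_key_credentials
  [SecureRandom.urlsafe_base64(33), SecureRandom.base64(32)]
end

# JSON payload for a local-storage key (same fields as access_key-make-local.json).
def local_storage_payload(id, secret, path)
  { "id" => id, "secret" => secret,
    "storage" => { "type" => "local", "path" => path } }
end

# POST /access_keys is authenticated as the node user (asp1 on this page),
# never as an access key: creating keys is a node-user privilege.
def create_access_key_request(node_user, node_password, payload)
  req = Net::HTTP::Post.new("/access_keys")
  req.basic_auth(node_user, node_password)
  req["Content-Type"] = "application/json"
  req.body = JSON.generate(payload)
  req
end

# GET /files/<file_id>/files is authenticated with the access key id as user
# name and the key's secret as password; file_id "1" is the storage root.
def browse_request(access_key_id, access_key_secret, file_id = "1")
  req = Net::HTTP::Get.new("/files/#{file_id}/files")
  req.basic_auth(access_key_id, access_key_secret)
  req
end

# Send a request over TLS. verify_tls: false is the equivalent of curl -k and
# belongs only against localhost or a node whose certificate you cannot yet
# validate. Returns [status, parsed JSON or raw body].
def send_request(req, base_url: NODE_URL, verify_tls: true)
  uri  = URI(base_url)
  http = Net::HTTP.new(uri.host, uri.port)
  http.use_ssl = true
  http.verify_mode = verify_tls ? OpenSSL::SSL::VERIFY_PEER : OpenSSL::SSL::VERIFY_NONE
  res  = http.request(req)
  body = begin
    JSON.parse(res.body.to_s)
  rescue JSON::ParserError
    res.body
  end
  [res.code.to_i, body]
end

# Usage: NODE_PASSWORD=... ruby access_key_demo.rb
# The password comes from the environment so that it does not end up in the
# shell history the way -u 'asp1:aspera' does above.
if __FILE__ == $0 && ENV["NODE_PASSWORD"]
  id, secret = new_access_key_credentials
  payload = local_storage_payload(id, secret, "/home/asp1/data")
  status, body = send_request(create_access_key_request("asp1", ENV["NODE_PASSWORD"], payload),
                              verify_tls: false)   # self-signed certificate on localhost
  puts "create: #{status} #{body.inspect}"
  status, body = send_request(browse_request(id, secret), verify_tls: false)
  puts "browse: #{status} #{body.inspect}"
end
```

The Authorization header that browse_request builds for the first key on this page is exactly the Basic value that the ASPERA_SCP_TOKEN example under Client-Server Authentication Using Basic Auth derives with echo -n and base64; the two mechanisms carry the same credential.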

Examples of JSON payload files for various storage types. In each, "secret" : "aspera" is a placeholder; use a long random secret, since the secret is the password that clients present with the access key ID. If "id" is omitted (as in the Azure examples), the node generates one.

access_key-make-local.json
{
"id" : "diDeuFLcpG9IYdsvxj0SCq4mOohNJTKvp5Q2nRWjDgIA",
"secret" : "aspera",
"storage" : {
    "type" : "local",
    "path" : "/home/asp1/data"
}
}
access_key-make-aws.json
{
"id" : "AWSQ4VuvaYA9mMRf55NyNsiVGC-HHSBh0FTuqMH8aHsA",
"secret" : "aspera",
"storage" : {
    "type" : "aws_s3",
    "path" : "/",
    "endpoint" : "s3.amazonaws.com",
    "bucket" : "aspera-demo",
    "storage_class" : "STANDARD",
    "server_side_encryption" : null,
    "credentials" : {
        "access_key_id" : "AKI...............KHQ",
        "secret_access_key" : "KScx...............................PHcm1"
    }
}
}
access_key-make-azure-sas.json
{
"secret" : "aspera",
"storage" : {
    "type" : "azure_sas",
    "path" : "/",
    "credentials" : {
        "shared_access_signature" : "https://asperadev.blob.core.windows.net/temp?sv=2014-02-14&sr=c&sig=yfew...79uXE%3D&st=2015-07-29T07%3A00%3A00Z&se=2018-08-06T07%3A00%3A00Z&sp=rwdl"
    }
}
}
access_key-make-azure.json
{
"secret" : "aspera",
"storage" : {
    "type" : "azure",
    "container": "temp",
    "path" : "/",
    "credentials" : {
        "storage_endpoint" : "blob.core.windows.net",
        "account" : "asperadev",
        "key" : "1XWGPGsn7.................................QObRmSQ=="
    }
}
}
access_key-make-swift.json
{
"id" : "Yc6Q4VuvaYA9mMRf55NyNsiVGC-HHSBh0FTuqMH8aHsA",
"secret" : "aspera",
"storage" : {
    "type" : "softlayer_swift",
    "path" : "/",
    "container" : "wallball",
    "credentials" : {
        "authentication_endpoint" : "https://sjc01.objectstorage.service.networklayer.com/auth/v1.0",
        "username" : "IBMOS303446-2:IBM303446",
        "api_key" : "e0a8987...................................2d6706"
    }
}
}

Client-Server Authentication Using Basic Auth with Access Key

Basic authentication is used by Aspera Faspex and Aspera Shares.

Server setup:

  1. Create a node user by running asnodeadmin as described above in Creating and Testing Access Keys.
  2. Identify the storage for this access key, either local or cloud, as described above in Creating and Testing Access Keys.
  3. Create a system user for the SSH bypass (asp1) and install the Aspera public key in that user's authorized_keys, so that ascp authenticates over SSH with the key and the token rather than with a password. Append rather than overwrite so that existing keys are kept, and keep the file readable only by its owner (sshd rejects an authorized_keys file that others can write):
    $ mkdir -p -m 700 /home/asp1/.ssh
    $ cat /opt/aspera/var/aspera_id_dsa.pub >> /home/asp1/.ssh/authorized_keys
    $ chown -R asp1 /home/asp1/.ssh
    $ chmod 600 /home/asp1/.ssh/authorized_keys

Server configuration:

When using access key authentication, which includes storage, consider the following:

Creating a basic auth token (the access key ID and secret joined by a colon and base64-encoded; echo -n matters, because a trailing newline would be encoded into the token and authentication would fail):

$ echo -n diDeuFLcpG9IYdsvxj0SCq4mOohNJTKvp5Q2nRWjDgIA:aspera | base64
ZGlEZXVGTGNwRzlJWWRzdnhqMFNDcTRtT29oTkpUS3ZwNVEyblJXakRnSUE6YXNwZXJh
$ export ASPERA_SCP_TOKEN="Basic ZGlEZXVGTGNwRzlJWWRzdnhqMFNDcTRtT29oTkpUS3ZwNVEyblJXakRnSUE6YXNwZXJh"

For 3.5 clients:

$ export ASPERA_SCP_TOKEN="Basic ZGlEZXVGTGNwRzlJWWRzdnhqMFNDcTRtT29oTkpUS3ZwNVEyblJXakRnSUE6YXNwZXJh"
$ ascp -i $PWD/asperaweb_id.openssh testfile asp1@node.aspera.us:/

Client-Server Authentication Using Bearer Token and File IDs

Bearer token authentication is a requirement for Aspera Files.

Server setup:

  1. Use the node user to create an access key.
  2. Identify the storage for this access key, either local or cloud, as described above in Creating and Testing Access Keys.
  3. Set the token verification key for the access key.
  4. Create permissions for the user ID (access ID) luke@aspera.us. This is the user_id that bearer tokens issued to this user carry.
  5. Give that user edit permission on the top-level storage root (file_id 1). Authenticate to the permissions endpoint with the access key ID and secret, not with the node user:
    $ curl -d '{"file_id":"1", "access_type":"user","access_id":"luke@aspera.us","access_level":"edit"}' \
    -ki -u diDeuFLcpG9IYdsvxj0SCq4mOohNJTKvp5Q2nRWjDgIA:aspera https://localhost:9092/permissions
    HTTP/1.1 200 OK
    Cache: no-cache
    Connection: close
    Content-Type: application/json; charset=utf-8
    
    {
      "id" : "1",
      "file_id" : "1"
    }
  6. Inspect the sample token. It consists of the JSON payload (user, groups, a scope bound to one access key, and an expiry, empty here), a ==SIGNATURE== marker line, and the base64-encoded signature over the payload, which the node checks against the token verification key set in step 3:
    $ cat token-bearer-luke@aspera.us.json
    {
      "user_id": "luke@aspera.us",
      "group_ids": ["eng", "emeryville"],
      "scope": "node.diDeuFLcpG9IYdsvxj0SCq4mOohNJTKvp5Q2nRWjDgIA:all",
      "expires_at": ""
    }
    ==SIGNATURE==
    YJixqw+5VjsGGIgOavoPdbhgr+1r9VGrKxBjAjV9mcMti0OJorbY7svIokz4
    WLkszV5guz539nwcQCdiuISeGlBrJYMKfludCGP8MGxl8PaiZzJfzii6FWtm
    K+4BhXlMDN4JIK+cAPL/zkdMu71mO2n8XcPOfXQv9HkUO8NXxl0ue7fDYnX6
    +eB4GekGK7Latgfw2HBAyBSYKq8k7uiWOWC2/7qZDXXclei70OJR7zhe3wSR
    FhR3yhfusz97XS5Zj2+nlfxE4hxw5sZrhQDqcp3vQwl26arMNI16vvuTZBY2
    LUFY6f4mVmKmrz7hSGt1Gz9liO6jTImIYHmthzZ1TQ==
  7. Create the bearer token by zlib-compressing the signed file and base64-encoding the result (openssl zlib is available only when OpenSSL was built with zlib support; the asnodeadmin alternative below has no such dependency):
    $ cat token-bearer-luke@aspera.us.json | openssl zlib | base64 -

    Or create it with asnodeadmin. The trailing ruby pipeline only reverses the wrapping (base64-decode, then zlib inflate) so that you can inspect the payload and signature; omit it to keep the token itself:

    $ sudo /opt/aspera/bin/asnodeadmin --bearer-create --access-key VJDUP5xpdZRjvq7U8i8U-OVTlHR8TWGKHWOM5tKE84MA --user-id tperrie@aspera.us --group-ids eng,emeryville --expires-at 2020-06-23T13:21:58Z | ruby -rzlib -rbase64 -e 'print Zlib.inflate(Base64.decode64(STDIN.read))'
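The token container from steps 6 and 7 built and checked end to end, as an added example that is not part of the Aspera documentation or of asnodeadmin. It reproduces the layout shown above (pretty-printed JSON, a ==SIGNATURE== line, a base64 signature wrapped at 60 columns, then zlib plus base64 around the whole file) and the checks a verifier must make: signature against the public key, scope bound to the expected access key, and expiry. The signature algorithm is an assumption, because this page does not state it: RSA PKCS#1 v1.5 over SHA-256 of the JSON text, signed with the private half of the key whose public half would be set as the access key's token_verification_key. The function names are the example's own; asnodeadmin --bearer-create remains the supported way to issue tokens.

```ruby
# Added example (not Aspera code): build, wrap and verify a bearer token in the
# "JSON + ==SIGNATURE== + base64 signature" container shown in step 6, using
# the zlib + base64 wrapping of step 7. Signature scheme (RSA PKCS#1 v1.5,
# SHA-256) is an assumption; this page does not specify it.
require 'json'
require 'openssl'
require 'time'
require 'zlib'

SIGNATURE_MARKER = "==SIGNATURE==\n"

# Signed body: pretty JSON payload, marker line, base64 signature wrapped at 60
# columns as in the sample. scope binds the token to a single access key;
# expires_at "" (as in the sample) means no expiry.
def build_bearer_body(private_key, access_key_id:, user_id:, group_ids: [], expires_at: "")
  payload = {
    "user_id"    => user_id,
    "group_ids"  => group_ids,
    "scope"      => "node.#{access_key_id}:all",
    "expires_at" => expires_at
  }
  json = JSON.pretty_generate(payload) + "\n"
  sig  = private_key.sign(OpenSSL::Digest.new("SHA256"), json)
  sig_b64 = [sig].pack("m0").scan(/.{1,60}/).join("\n")
  json + SIGNATURE_MARKER + sig_b64 + "\n"
end

# What `openssl zlib | base64` does to the signed file.
def compact_token(body)
  [Zlib::Deflate.deflate(body)].pack("m0")
end

# What the ruby one-liner above does: base64-decode, then zlib inflate.
def expand_token(token)
  Zlib::Inflate.inflate(token.unpack1("m"))
end

# Verifier side. public_key is the access key's token verification key.
# Returns the payload hash, or raises with the reason for rejection.
def verify_bearer(token, public_key, access_key_id, now: Time.now)
  body = expand_token(token)
  json, sig_b64 = body.split(SIGNATURE_MARKER, 2)
  raise "missing signature marker" if sig_b64.nil?
  sig = sig_b64.delete("\n").unpack1("m")
  # Signature covers the JSON text exactly as it appears before the marker.
  raise "bad signature" unless public_key.verify(OpenSSL::Digest.new("SHA256"), sig, json)
  payload = JSON.parse(json)
  # A token for another access key must not be accepted on this one.
  scope = payload["scope"].to_s
  raise "scope mismatch" unless scope.start_with?("node.#{access_key_id}:")
  # Empty expires_at means no expiry; anything else must lie in the future.
  expires = payload["expires_at"].to_s
  raise "token expired" if !expires.empty? && Time.iso8601(expires) <= now
  payload
end

if __FILE__ == $0
  key  = OpenSSL::PKey::RSA.new(2048)   # stands in for the node's token key pair
  akid = "diDeuFLcpG9IYdsvxj0SCq4mOohNJTKvp5Q2nRWjDgIA"
  body = build_bearer_body(key, access_key_id: akid, user_id: "luke@aspera.us",
                           group_ids: %w[eng emeryville])
  token = compact_token(body)
  puts body
  puts token
  puts verify_bearer(token, key.public_key, akid).inspect
end
```

Rejecting a token whose scope names a different access key is the check that keeps a token issued for one tenant's storage from being replayed against another's; the signature alone does not enforce it, because the same verification key may be configured on several access keys.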