Access Key Authentication
Access key authentication provides an alternative to the security credentials of a node user or system user. Because an access key is restricted to its own storage (local or cloud), it allows access control and usage reporting to be segregated by storage. This offers significant benefits to multi-tenant service providers, and enterprise installations with multiple departments. Access key authentication supports Aspera client products, such as Desktop Client, Point-to-Point Client, Enterprise Server, Connect, and Drive. It also supports Faspex, Shares, and Aspera Files. For details about using access key authentication with these products, see the documentation for these products.
Node Access through SSH and HTTPS
A node (a transfer server) is accessed over SSH or HTTPS:
- SSH services are best suited for access when all computers are part of the same administrative domain (in the same organization and with the same administrators).
- HTTPS is best suited for services offered to arbitrary clients or the Internet at large.
Access through SSH and HTTPS use various types of authentication:
- SSH services (ascp and async)
- SSH user and password or user and key
- Token - SSH authentication bypass using the Aspera web private key protected by requiring an authorization token (ATM).
- Access key - SSH authentication bypass using the Aspera web private key protected by requiring an access key and secret.
- HTTPS (Node API)
- Basic authentication using a node user and password.
- Basic authentication using an access key and secret.
- Access keys cannot be used by users with docroots. If a docroot is configured (in aspera.conf), access key creation and use will fail.
- A restriction is required. No restriction results in failure.
- Although access keys can be created with no storage, using that access key with a transfer will result in failure.
Creating and Testing Access Keys
Set up a node user, associate it with a system user, and reload
asperanoded by running the following commands. In the examples below,
asp1
is the node user, aspera
is the node user's
password, and xfer
is the system user. Running
asnodeadmin requires root or admin permissions.
# /opt/aspera/bin/asnodeadmin -a -u asp1 -p aspera -x xfer
# /opt/aspera/bin/asnodeadmin --reload
To create access keys, run curl commands as in the following examples. Curl is included in many Unix-based operating systems. To check if it is installed, enter curl on the command line. If it is not installed, download it from the Curl website: https://curl.haxx.se/download.html.
To create an access key with local storage, run the following:
# curl -d @access_key-make-local.json -ki -u asp1:aspera https://localhost:9092/access_keys
where:
-d @access_key-make-local.json
- Indicates the next argument is the data to send. The "
@
" identifies access_key-make-local.json as a file containing the data, in this case, a JSON payload file. For an example of the text to include in access_key-make-local.json and examples of access key files for other types of storage, see below. -i
- Includes the HTTP header in the output.
-k
- Allows curl to perform "insecure" SSL connections and transfers.
-u 'asp1:aspera'
- Specifies the user name
asp1
and passwordaspera
to use for server authentication. https://localhost:9092/access_keys
- Indicates where to store the access keys.
Similarly, to create an access key with cloud storage for Swift you specify a different JSON payload file:
# curl -d @access_key-make-swift.json -ki -u asp1:aspera https://localhost:9092/access_keys
Examples of JSON payload files for various storage types:
- access_key-make-local.json
-
{ "secret" : "aspera", "storage" : { "type" : "local", "path" : "/home/asp1/data" } }
- access_key-make-aws.json
-
{ "secret" : "aspera", "storage" : { "type" : "aws_s3", "path" : "/", "endpoint" : "s3.amazonaws.com", "bucket" : "aspera-demo", "storage_class" : "STANDARD", "server_side_encryption" : null, "credentials" : { "access_key_id" : "AKI...............KHQ", "secret_access_key" : "KScx...............................PHcm1" } } }
- access_key-make-azure-sas.json
-
{ "secret" : "aspera", "storage" : { "type" : "azure_sas", "path" : "/", "credentials" : { "shared_access_signature" : "https://asperadev.blob.core.windows.net/temp?sv=2014-02-14&sr=c&sig=yfew...79uXE%3D&st=2015-07-29T07%3A00%3A00Z&se=2018-08-06T07%3A00%3A00Z&sp=rwdl" } } }
- access_key-make-azure.json
-
{ "secret" : "aspera", "storage" : { "type" : "azure", "container": "temp", "path" : "/", "credentials" : { "storage_endpoint" : "blob.core.windows.net", "account" : "asperadev", "key" : "1XWGPGsn7.................................QObRmSQ==" } } }
- access_key-make-swift.json
-
{ "secret" : "aspera", "storage" : { "type" : "softlayer_swift", "path" : "/", "container" : "wallball", "credentials" : { "authentication_endpoint" : "https://sjc01.objectstorage.service.networklayer.com/auth/v1.0", "username" : "IBMOS303446-2:IBM303446", "api_key" : "e0a8987...................................2d6706" } } }
To view a list the access keys, run the following command:
# curl -ki -u asp1:aspera https://localhost:9092/access_keys
The command returns output similar to the following. In the example below, the first access key listed is one created for local storage and the second is for swift storage, with the text copied from the access key file:
HTTP/1.1 200 OK
Cache: no-cache
Connection: close
Content-Type: application/json; charset=utf-8
[
{
"id" : "diDeuFLcpG9IYdsvxj0SCq4mOohNJTKvp5Q2nRWjDgIA",
"uri" : "file:////home/asp1/data",
"file_id" : "1",
"token_verification_key" : null,
"license" : null,
"storage" : {
"type" : "local",
"path" : "/home/asp1/data"
}
},
{
"id" : "Yc6Q4VuvaYA9mMRf55NyNsiVGC-HHSBh0FTuqMH8aHsA",
"uri" : "swift://sjc01.objectstorage.softlayer.net/wallball",
"file_id" : "1",
"token_verification_key" : null,
"license" : null,
"storage" : {
"type" : "softlayer_swift",
"path" : "/",
"container" : "wallball",
"credentials" : {
"authentication_endpoint" : "https://sjc01.objectstorage.softlayer.net/auth/v1.0",
"username" : "IBMOS303446-2%3AIBM303446",
"api_key" : "e0a8987b571cca4e475c8dd816c2d2db71b6d6e060f2a75ce23b1832c12d6706"
}
}
}
]
To test whether you can browse the storage for each key, run the following commands. To
specify the user (-u
) enter the access key ID.
Testing the local storage:
# curl -ki -u diDeuFLcpG9IYdsvxj0SCq4mOohNJTKvp5Q2nRWjDgIA:aspera https://localhost:9092/files/1/files
Testing the Swift storage:
# curl -ki -u Yc6Q4VuvaYA9mMRf55NyNsiVGC-HHSBh0FTuqMH8aHsA:aspera https://localhost:9092/files/1/files
Client-Server Authentication Using Basic Authentication with Access Key
Basic authentication is used by Aspera Faspex and Aspera Shares.
- On the server, create a system user
xfer
and configure the user for token authorization, as described in Setting Up Token Authorization. - Create an access key for the storage type, as described in Creating and Testing Access Keys above.
- Obtain the id of the access key corresponding to the storage type by running the
following command, where
-u asp1:aspera
specifies the node username and password:# curl -ki -u asp1:aspera https://localhost:9092/access_keys
- Create a basic auth token by encoding the
access_key_id:secret
in base64.# echo -n diDeuFLcpG9IYdsvxj0SCq4mOohNJTKvp5Q2nRWjDgIA:aspera | base64
The basic auth token looks similar to the following:
ZGlEZXVGTGNwRzlJWWRzdnhqMFNDcTRtT29oTkpUS3ZwNVEyblJXakRnSUE6YXNwZXJh
If the basic auth token breaks across lines in the output, rerun the command using the-w0
option to remove the line break. For example:# echo -n diDeuFLcpG9IYdsvxj0SCq4mOohNJTKvp5Q2nRWjDgIA:aspera | base64 -w0
- Set the basic auth token as an environment variable by running the following
command:
# export ASPERA_SCP_TOKEN="Basic ZGlEZXVGTGNwRzlJWWRzdnhqMFNDcTRtT29oTkpUS3ZwNVEyblJXakRnSUE6YXNwZXJh"
To upload a file using access keys and basic auth, use the following syntax:
# ascp [--tags='{"aspera":{"node":{access_key":"access_key_id", "file_id":"value"}}}'] --mode=send --host=127.0.0.1 --user=username -i path/to/private_key_file -d filename directory
Where the path to the private key file is the following:
/opt/aspera/var/aspera_tokenauth_id_rsa
The directory
can be /
to indicate the top of the
access key storage, or /directory
to indicate a subdirectory. For
example:
# ascp --tags='{"aspera":{"node":{access_key":"diDeuFLcpG9IYdsvxj0SCq4mOohNJTKvp5Q2nRWjDgIA", "file_id":"1"}}}' --mode=send --host=127.0.0.1 --user=xfer -i /opt/aspera/var/aspera_tokenauth_id_rsa -d testfile03 /tmp
The tags are optional. The tag "file_id":"1"
can be used to indicate the
top of the access key storage.
Client-Server Authentication Using Bearer Token and File IDs
Bearer token authentication is a requirement for Aspera Files.
Server setup:
- Create a private/public key pair.
$ openssl genpkey -algorithm RSA -out private_key.pem -pkeyopt rsa_keygen_bits:4096 $ openssl rsa -pubout -in private_key.pem -out public_key.pem
These commands create the private key file private_key.pem and the public key file public_key.pem/
- Use the node user to create an access key, as described in Creating and Testing Access Keys above. This access key cannot be used by any other Aspera authentication system.
- Obtain the id of the access key corresponding to the storage type by running the
following
command:
$ curl -ki -u asp1:aspera https://localhost:9092/access_keys
- Set the public key as the 'token verification key' of the access key. "JSON encode" the
public key text (convert it into a single line with new lines indicated by
\r\n
) and use it in the following command:$ curl -X PUT -ki -u diDeuFLcpG9IYdsvxj0SCq4mOohNJTKvp5Q2nRWjDgIA -d '{"token_verification_key":"-----BEGIN PUBLIC KEY-----\r\nMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDMLkM2xiSPWjj4NxBHUa0m2ZAm\r\niog3JM3VEMW6rhE6LUtXM1KxRawih5pyD8OuGOAUTZmw7mnL3Cbebdzmc+CuqEkS\r\nkFJrYWCzNgQcRxc9v+XKk0YN8BZvMDmrSInmNQ5TPfG3sz4KJcf9QMJ\/TsR3rfns\r\nRYar\/IDoOTbgJgGQkwIDAQAB\r\n-----END PUBLIC KEY-----"}'
- Create a JSON file containing the bearer token payload and save it as
bearer_token.json.
{ "user_id": "luke@aspera.us", "scope": "node.diDeuFLcpG9IYdsvxj0SCq4mOohNJTKvp5Q2nRWjDgIA:all", "expires_at": "" "group_ids": [], }
Ensure that the file does not end with a new line. If it does, truncate it to size - 1. For example, if the file is 154 lines with the new line, the command to remove the new line is as follows:$ truncate bearer_token.json --size 153
- Create a signature for the
token.
$ sudo openssl dgst -sha512 -sign private_key.pem bearer_token.json | base64 > signature
- Create the signed
token.
$ cat bearer_token.json > bearer_token.json.signed $ echo "==SIGNATURE==" >> bearer_token.json.signed $ cat signature >> bearer_token.json.signed
- Inspect the
token:
$ cat token-bearer-luke@aspera.us.json { "user_id": "luke@aspera.us", "scope": "node.diDeuFLcpG9IYdsvxj0SCq4mOohNJTKvp5Q2nRWjDgIA:all", "expires_at": "" "group_ids": [], } ==SIGNATURE== YJixqw+5VjsGGIgOavoPdbhgr+1r9VGrKxBjAjV9mcMti0OJorbY7svIokz4 WLkszV5guz539nwcQCdiuISeGlBrJYMKfludCGP8MGxl8PaiZzJfzii6FWtm K+4BhXlMDN4JIK+cAPL/zkdMu71mO2n8XcPOfXQv9HkUO8NXxl0ue7fDYnX6 +eB4GekGK7Latgfw2HBAyBSYKq8k7uiWOWC2/7qZDXXclei70OJR7zhe3wSR FhR3yhfusz97XS5Zj2+nlfxE4hxw5sZrhQDqcp3vQwl26arMNI16vvuTZBY2 LUFY6f4mVmKmrz7hSGt1Gz9liO6jTImIYHmthzZ1TQ==
- Construct the final bearer
token:
$ cat bearer_token.json.signed | openssl zlib | base64 -w0 > bearer_token.json.sig.z.b64
- Create permissions for user ID (access ID)
luke@aspera.us
to the top level of the storage.$ curl -d '{"file_id":"1", "access_type":"user","access_id":"luke@aspera.us","access_level":"edit"}' \ -ki -u diDeuFLcpG9IYdsvxj0SCq4mOohNJTKvp5Q2nRWjDgIA:aspera https://localhost:9092/permissions HTTP/1.1 200 OK Cache: no-cache Connection: close Content-Type: application/json; charset=utf-8 { "id" : "1", "file_id" : "1" }
To test the access key, run the following command to browse the top directory of the access key:
# curl -i -u diDeuFLcpG9IYdsvxj0SCq4mOohNJTKvp5Q2nRWjDgIA:aspera https://localhost:9092/files/1
To test the bearer token, run the following to browse the top directory of the access key:
# curl -ki -H "Authorization: Bearer eJwVkNmuolgARd/5DF/pKhlFTG7SCMikzIOeSqXCqCBwmKdK/3t7n/faKzv7L7Ib+7T7kye7064c3+m/Yd+kXfhz7Hf/ILs+hk36SWqYpD9rUXP7baWfPbteSmDUWUwl69bVszYUhC6zjgKMt6xXF447fVtPYVl+W9Klybu0/xMOHxWB4YcfOPGDwFwMP9H4iWLBN/Ts4Nh8dvS706/fyH/I15ejSDrnerb49YXwc7G0Fg4r8lIsJEfzHfM62tKkQWhL0WHNyMoebry5tqxoRXtBaettpiRt6vVyXwX+I342cXcVqLoIkGv5CASI8no+SoILb0LBzI8COrIkvArR3nIY9NA2FdQQRn1B8Yo1l5YmUxyA7pGgMhpr5sHF01UCNeKp74irWafha14TQvSI7dWb5CXBm4xNaYZOmSkynCQj49wluJS6ZPEwzjpZrRTyZeFuRzSTcFBztdgQNroCMFpGvArg0+RcM7DuTKBig2Yaoe9gCk9ukgS3yc555uaqiuOaU1zL/PWuev1lCPDM1mkjm449Mm6kSRJnT3lgYGWuWArwgBCBuiXuWagHqn9rDtO0bG8/k/loTEOEj1JR1cCZzSkApJveBPQ+b8klTZCXPXTeSzG1IYD5mV16zBzoTaLQAtBRqep4Lsr0Pr29vWE/R4EnkgIWQJVpVz/KuIPvE/7gjG1om/QTCVuxIXR+tAgg+mm5b3LQU0s2W+/btUInqNlbqNqa2WUFcfAEJ4wyp8M+h6RxW1oUd6krLy7imWrjCqltR+Uoj0ePh/JgnZc6L807YztmeM7J9nAzrps8C6wh2w9VkK6Eqa6mv6wvA70z/QbsJDmXFtBh14A7og80JqsPGkKOOr4moX9KyoG54JTSwf3EBxw2FvtjwDTP54NvcE14VcA3o3eQLQ2RF758jGJ2jamH+PxC/gc1nBpn" -H "X-Aspera-AccessKey: diDeuFLcpG9IYdsvxj0SCq4mOohNJTKvp5Q2nRWjDgIA" https://localhost:9092/files/1
Both of these tests should return a list of files and directories in the top directory.
To do a simple upload using the bearer token, set the bearer token as an environment variable and run an ascp transfer specifying the access key:
# export ASPERA_SCP_TOKEN="Bearer eJwVkNmuolgARd/5DF/pKhlFTG7SCMikzIOeSqXCqCBwmKdK/3t7n/faKzv7L7Ib+7T7kye7064c3+m/Yd+kXfhz7Hf/ILs+hk36SWqYpD9rUXP7baWfPbteSmDUWUwl69bVszYUhC6zjgKMt6xXF447fVtPYVl+W9Klybu0/xMOHxWB4YcfOPGDwFwMP9H4iWLBN/Ts4Nh8dvS706/fyH/I15ejSDrnerb49YXwc7G0Fg4r8lIsJEfzHfM62tKkQWhL0WHNyMoebry5tqxoRXtBaettpiRt6vVyXwX+I342cXcVqLoIkGv5CASI8no+SoILb0LBzI8COrIkvArR3nIY9NA2FdQQRn1B8Yo1l5YmUxyA7pGgMhpr5sHF01UCNeKp74irWafha14TQvSI7dWb5CXBm4xNaYZOmSkynCQj49wluJS6ZPEwzjpZrRTyZeFuRzSTcFBztdgQNroCMFpGvArg0+RcM7DuTKBig2Yaoe9gCk9ukgS3yc555uaqiuOaU1zL/PWuev1lCPDM1mkjm449Mm6kSRJnT3lgYGWuWArwgBCBuiXuWagHqn9rDtO0bG8/k/loTEOEj1JR1cCZzSkApJveBPQ+b8klTZCXPXTeSzG1IYD5mV16zBzoTaLQAtBRqep4Lsr0Pr29vWE/R4EnkgIWQJVpVz/KuIPvE/7gjG1om/QTCVuxIXR+tAgg+mm5b3LQU0s2W+/btUInqNlbqNqa2WUFcfAEJ4wyp8M+h6RxW1oUd6krLy7imWrjCqltR+Uoj0ePh/JgnZc6L807YztmeM7J9nAzrps8C6wh2w9VkK6Eqa6mv6wvA70z/QbsJDmXFtBh14A7og80JqsPGkKOOr4moX9KyoG54JTSwf3EBxw2FvtjwDTP54NvcE14VcA3o3eQLQ2RF758jGJ2jamH+PxC/gc1nBpn"
# ascp --tags='{"aspera":{"node":{"access_key":"diDeuFLcpG9IYdsvxj0SCq4mOohNJTKvp5Q2nRWjDgIA","file_id":"1"}}}' -mode=send --host=hostname --user=xfer -i /opt/aspera/var/aspera_tokenauth_id_rsa -d testfile01 /