Authentication process

The REST API services require token-based authentication: API requests do not carry a user ID and password directly. Instead, a user presents those credentials once to obtain a token and then passes the token with every API request.

Users who need to access the IBM Data Cataloging APIs first obtain an authentication token by using their user name and password, and then present that token to the IBM Data Cataloging system to perform operations through the APIs.

Authentication is achieved in IBM Data Cataloging through the following steps:

  1. The administrator registers an enterprise domain, which can be either a Lightweight Directory Access Protocol (LDAP) domain or a Cloud Storage Object domain, with the authentication service. Registering the enterprise domain with the authentication service includes the following steps:
    1. The administrator gets an authentication token by using their credentials.
      When the administrator (who is in the LDAP domain) logs in to IBM Data Cataloging, the credentials are passed from IBM Data Cataloging to LDAP for authentication. If LDAP accepts the credentials, the administrator receives an authentication token.
      Note: Users from an external LDAP or Cloud Storage Object domain need to include the domain name in the user name, as "<domain>/<user>", to get an authentication token by using the REST APIs.
    2. Register the domain by using the obtained authentication token.

      IBM Data Cataloging integrates with both LDAP users and Cloud Storage Object users. Administrators can add the Cloud Storage Object domain to IBM Data Cataloging; its users are then imported into IBM Data Cataloging, where the administrator can add them to the appropriate collections.

      In this case, Cloud Storage Object users can authenticate with the IBM Data Cataloging authentication service, and receive an authentication token, by using either their user name and password or their Cloud Storage Object native Amazon Simple Storage Service (Amazon S3) access key and secret key pair.

      Like users from the LDAP domain, Cloud Storage Object domain users can use this authentication token to access the IBM Data Cataloging services; their scope is restricted to the projects to which they have access.
  2. The administrator adds collections to the authentication service and adds users to these collections by assigning them appropriate roles. The records that users can see, or apply policies to, are restricted according to the collections to which they have access.
  3. The user requests an authentication token by using their user name and password.

    The IBM Data Cataloging RESTful services, such as DB2WH REST, the policy engine, tags, applications, and the various authentication service endpoints, require a bearer authentication token to be passed in the Authorization header.

    The authentication token is obtained from the authentication token service endpoint, where a user logs in with user name and password credentials by using HTTP basic authentication. The token can then be used for authorization across the various service endpoints. A token is valid for 1 hour after it is issued; after that, the user must request a new one. Because the token is a bearer credential, anyone who holds it can act as that user until it expires, so send it only over TLS and do not write it to logs or place it in URLs.

  4. Users can access the IBM Data Cataloging services by using the authentication token.
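The token flow in steps 3 and 4, as an added example that is not part of the IBM documentation: a small client that builds the HTTP basic credential (including the "<domain>/<user>" form for external-domain users), requests a token from /auth/v1/token, caches it, and re-authenticates shortly before the 1-hour lifetime ends. Beyond what the page states, it assumes that the token service returns the token in an X-Auth-Token response header (check the /auth/v1/token: GET reference), that the token lifetime is exactly 3600 seconds, and that a 60-second refresh margin is acceptable; the host name is a placeholder, and the transport is injectable so the flow can be exercised offline against a constructed response.

```python
"""Obtain an IBM Data Cataloging auth token and present it as a bearer token.

Added example, not code from the IBM documentation. Assumptions beyond the
page: GET <base>/auth/v1/token answers a basic-auth request with the token in
an X-Auth-Token response header; tokens live 3600 s; 60 s refresh margin.
"""
import base64
import time
import urllib.request
from dataclasses import dataclass, field
from typing import Callable, Mapping, Optional

TOKEN_LIFETIME_S = 3600   # page: a token is valid for 1 hour
REFRESH_MARGIN_S = 60     # assumption: re-authenticate this long before expiry


def principal(user: str, domain: Optional[str] = None) -> str:
    """External LDAP / Cloud Storage Object users authenticate as "<domain>/<user>"."""
    return f"{domain}/{user}" if domain else user


def basic_auth_header(user: str, secret: str, domain: Optional[str] = None) -> str:
    """Value for the Authorization header of the token request (HTTP basic auth).

    'secret' is the password; a Cloud Storage Object user may instead pass the
    S3 access key as 'user' and the S3 secret key as 'secret'.
    """
    raw = f"{principal(user, domain)}:{secret}".encode("utf-8")
    return "Basic " + base64.b64encode(raw).decode("ascii")


# (url, request headers) -> response headers. Injectable for offline testing.
Fetcher = Callable[[str, Mapping[str, str]], Mapping[str, str]]


def urllib_fetch(url: str, headers: Mapping[str, str]) -> Mapping[str, str]:
    """Real transport: GET the URL and return the response headers.

    Refuses plain http: both the basic credential and the returned bearer
    token would otherwise cross the network in cleartext.
    """
    if not url.lower().startswith("https://"):
        raise ValueError("refusing to send credentials over a non-TLS URL")
    req = urllib.request.Request(url, headers=dict(headers), method="GET")
    with urllib.request.urlopen(req, timeout=30) as resp:
        return {k: v for k, v in resp.headers.items()}


@dataclass
class TokenProvider:
    base_url: str
    user: str
    secret: str
    domain: Optional[str] = None
    fetch: Fetcher = urllib_fetch
    clock: Callable[[], float] = time.time
    _token: Optional[str] = field(default=None, init=False, repr=False)
    _expires_at: float = field(default=0.0, init=False)
    logins: int = field(default=0, init=False)  # how often we hit /auth/v1/token

    def _login(self) -> str:
        """Step 3: exchange user name/password for a token via HTTP basic auth."""
        url = self.base_url.rstrip("/") + "/auth/v1/token"
        headers = {"Authorization": basic_auth_header(self.user, self.secret, self.domain)}
        resp = self.fetch(url, headers)
        # Header names are case-insensitive; normalise before the lookup.
        token = {k.lower(): v for k, v in resp.items()}.get("x-auth-token")
        if not token:
            raise RuntimeError("token service did not return X-Auth-Token")
        self.logins += 1
        self._token = token
        self._expires_at = self.clock() + TOKEN_LIFETIME_S
        return token

    def get(self) -> str:
        """Return a cached token, re-authenticating when it is about to expire."""
        if self._token is None or self.clock() >= self._expires_at - REFRESH_MARGIN_S:
            return self._login()
        return self._token

    def bearer_header(self) -> dict:
        """Step 4: the Authorization header every other service endpoint expects."""
        return {"Authorization": "Bearer " + self.get()}


if __name__ == "__main__":
    # Offline demo against a constructed response (no real server involved).
    def fake_fetch(url, headers):
        return {"X-Auth-Token": "constructed-token"}

    tp = TokenProvider("https://datacat.example.com", "alice", "s3cret",
                       domain="corp", fetch=fake_fetch)
    print(tp.bearer_header())
```

To call a real deployment, construct `TokenProvider` without the `fetch` argument and pass `tp.bearer_header()` as the headers of each API request; the provider transparently logs in again once the cached token is within a minute of expiry, which is the failure mode a long-running client otherwise hits as a sudden burst of 401 responses.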

For more information, see /auth/v1/token: GET.