[one-dev] XML-RPC API server_* driver

Daniel Molina dmolina at opennebula.org
Tue Jul 29 02:06:31 PDT 2014


Hi Enguerran,

What error message are you getting in oned.log after trying to connect?

Cheers


On 28 July 2014 17:16, Enguerran Boissier <enguerran.boissier at terradue.com>
wrote:

> Hello Daniel,
> Thanks for your answer. Unfortunately, we still can't connect
> with a server_* user on behalf of another normal user.
> This is basically what we do; let us know if we are doing something wrong:
>
> {
>   string expires = DateTime.Now.Subtract(new DateTime(1970,1,1,0,0,0, DateTimeKind.Utc)).TotalSeconds + 3600 + "";
>   string token_encrypted = Encrypt(this.AdminUsername + ":" + this.TargetUsername + ":" + expires, this.AdminPassword);
>   //this.AdminUsername = server_* user name
>   //this.TargetUsername = normal user name (target user)
>   //this.AdminPassword = server_* user password (SHA1 encrypted)
>   //Encrypt does the equivalent of the AES 256 CBC openssl encryption (cf.
>   //https://gist.github.com/scottlowe/1411917, we just removed the salt part)
>   session_SHA = this.AdminUsername + ":" + this.TargetUsername + ":" + token_encrypted;
>   //session_SHA is the token used to authenticate on a request
> }
>
> Thanks
> Best regards
>
>
>
>
>  Enguerran Boissier
> www.terradue.com
>
>
> On 28 Jul 2014, at 10:45, Daniel Molina <dmolina at opennebula.org> wrote:
>
> Hi Cesare,
>
> The server_* authentication is a special method where a user can
> authenticate on behalf of another user. This method was included in
> OpenNebula for scenarios such as an Apache server configured to use x509
> certificates: Apache has already authenticated the user, and we just encrypt
> a token with the serveradmin credentials; OpenNebula will decrypt the
> token and perform all the actions as the target_username.
>
> Users using the server_* auth method are special users and should not have
> any resources.
>
> You can see an example of how Sunstone uses this method.
>
> A user logs in:
> https://github.com/OpenNebula/one/blob/master/src/sunstone/sunstone-server.rb#L169
>
> do_auth is called to authenticate the user:
> https://github.com/OpenNebula/one/blob/master/src/cloud/common/CloudAuth/SunstoneCloudAuth.rb#L18
>
> A token is generated using the server_* method:
> https://github.com/OpenNebula/one/blob/master/src/authm_mad/remotes/server_cipher/server_cipher_auth.rb#L85
>
> This info is sent to one and then checked by the auth driver:
> https://github.com/OpenNebula/one/blob/master/src/authm_mad/remotes/server_cipher/server_cipher_auth.rb#L110
>
> Hope this helps
>
> http://docs.opennebula.org/4.6/administration/sunstone_gui/cloud_auth.html
>
>
>
>
> On 25 July 2014 12:39, Cesare Rossi <cesare.rossi at terradue.com> wrote:
>
>> Dear All,
>>
>> We are interacting with the XML-RPC API. We are trying to use the
>> special authentication method available with the users' drivers
>> *server_cipher* or *server_x509* (i.e. using
>> username:target_username:secret), but it does not seem to work.
>>
>> The question is: is it possible to use such users with that API?
>> If yes, how?
>>
>> Thanks in advance,
>>
>> Cheers
>>
>>  Cesare Rossi
>> Terradue
>> Rome, Italy | Oxford, UK
>> http://www.terradue.com
>>
>>
>>
>>
>>
>>
>
>
> --
> --
> Daniel Molina
> Project Engineer
> OpenNebula - Flexible Enterprise Cloud Made Simple
> www.OpenNebula.org <http://www.opennebula.org/> | dmolina at opennebula.org
> | @OpenNebula
>
>
>


-- 
--
Daniel Molina
Project Engineer
OpenNebula - Flexible Enterprise Cloud Made Simple
www.OpenNebula.org | dmolina at opennebula.org | @OpenNebula
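
The token layout discussed in this thread (server user, target user and expiry encrypted under the server user's SHA1 password, then sent as server_user:target_user:token), written out with both the client and the verifier side as an added Ruby example that is not code from the thread or from OpenNebula. The key derivation, the zero IV, the Base64 encoding and the helper names are assumptions to check against the server_cipher_auth.rb lines linked in the thread.

```ruby
require 'openssl'
require 'digest'

# Assumptions, not stated in the thread: AES key = first 32 bytes of the
# server user's SHA1 hex digest, IV = 16 zero bytes, ciphertext is Base64.
ZERO_IV = ("\0" * 16).freeze

def cipher_for(mode, sha1_password)
  cipher = OpenSSL::Cipher.new('aes-256-cbc')
  mode == :encrypt ? cipher.encrypt : cipher.decrypt
  cipher.key = sha1_password[0, 32]
  cipher.iv = ZERO_IV
  cipher
end

# Client side: "server_user:target_user:expires" is encrypted, and the request
# carries "server_user:target_user:token". expires is whole Unix seconds (UTC).
def build_session(server_user, target_user, sha1_password, expires)
  plain = "#{server_user}:#{target_user}:#{Integer(expires)}"
  c = cipher_for(:encrypt, sha1_password)
  token = [c.update(plain) + c.final].pack('m0') # strict Base64, no newlines
  "#{server_user}:#{target_user}:#{token}"
end

# Verifier side: decrypt, then require the inner fields to match the cleartext
# ones and the expiry to be in the future. Returns a symbol naming the outcome.
def verify_session(session, sha1_password, now)
  server_user, target_user, token = session.split(':', 3)
  return :malformed unless token
  c = cipher_for(:decrypt, sha1_password)
  plain = c.update(token.unpack1('m0')) + c.final
  s, t, expires = plain.split(':', 3)
  return :field_mismatch unless s == server_user && t == target_user
  return :malformed unless expires.to_s.match?(/\A\d+\z/)
  expires.to_i > now ? :ok : :expired
rescue OpenSSL::Cipher::CipherError, ArgumentError
  :decrypt_failed # wrong key, truncated token or invalid Base64
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample values, not taken from the thread.
  pw = Digest::SHA1.hexdigest('constructed-password')
  session = build_session('serveradmin', 'alice', pw, Time.now.to_i + 3600)
  puts session
  puts verify_session(session, pw, Time.now.to_i)
end
```

The outcome symbol separates a key or encoding mismatch (`:decrypt_failed`) from a token that decrypts but names other users or has expired, which narrows down where a client and server disagree.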