[one-dev] XML-RPC API server_* driver

Daniel Molina dmolina at opennebula.org
Tue Jul 29 03:23:00 PDT 2014


Could you check that the password you are using to encrypt (password+sha1) is
the same as the one oned uses to decrypt (oneuser show)?

[oneadmin at node1 ~]$ oneuser show serveradmin | grep PASS
PASSWORD        : 3412...
[oneadmin at node1 ~]$ cat .one/sunstone_auth
serveradmin:7f9f...
[oneadmin at node1 ~]$ echo -n "7f9f..." | sha1sum
3412...  -

Also the problem could be that the token is (base64) encoded after being
encrypted:
https://github.com/OpenNebula/one/blob/master/src/authm_mad/remotes/server_cipher/server_cipher_auth.rb#L90

and before being decrypted it's decoded:
https://github.com/OpenNebula/one/blob/master/src/authm_mad/remotes/server_cipher/server_cipher_auth.rb#L142

Cheers


On 29 July 2014 12:01, Emmanuel Mathot <emmanuel.mathot at terradue.com> wrote:

> Here is the log output:
>
> Mon Jul 28 16:37:48 2014 [AuM][D]: Message received: LOG I 5 Command
> execution fail: /var/lib/one/remotes/auth/server_cipher/authenticate
> serveradmin [secret] ****
>
> Mon Jul 28 16:37:48 2014 [AuM][I]: Command execution fail:
> /var/lib/one/remotes/auth/server_cipher/authenticate
> serveradmin [secret] ****
> Mon Jul 28 16:37:48 2014 [AuM][D]: Message received: LOG D 5 authenticate:
> Authenticating serveradmin, with
> password [secret] (4zj727qqns0xXEHWPBq4tJ2nRSyqom1KtWx5QBueF54I33c1y0fIuymmkn84TMP9)
>
> Mon Jul 28 16:37:48 2014 [AuM][I]: authenticate: Authenticating
> serveradmin, with
> password [secret] (4zj727qqns0xXEHWPBq4tJ2nRSyqom1KtWx5QBueF54I33c1y0fIuymmkn84TMP9)
> Mon Jul 28 16:37:48 2014 [AuM][D]: Message received: LOG E 5 bad decrypt
>
> Mon Jul 28 16:37:48 2014 [AuM][I]: bad decrypt
> Mon Jul 28 16:37:48 2014 [AuM][D]: Message received: LOG I 5 ExitCode: 255
>
>
>  Emmanuel Mathot
> www.terradue.com
>
>
>
> On 29 Jul 2014, at 11:06, Daniel Molina <dmolina at opennebula.org> wrote:
>
> Hi Enguerran,
>
> What error message are you getting in oned.log after trying to connect?
>
> Cheers
>
>
> On 28 July 2014 17:16, Enguerran Boissier <enguerran.boissier at terradue.com> wrote:
>
>> Hello Daniel,
>> Thanks for your answer, unfortunately we still don't manage to connect
>> with a server_* user on behalf of another normal user.
>> This is basically what we do, let us know if we do something wrong:
>>
>> {
>>   // expiry as seconds since the Unix epoch, one hour from now (UtcNow, so the
>>   // local timezone offset does not shift the value)
>>   long expires = (long)DateTime.UtcNow
>>       .Subtract(new DateTime(1970, 1, 1, 0, 0, 0, DateTimeKind.Utc))
>>       .TotalSeconds + 3600;
>>   // plaintext is "server_user:target_user:expires"
>>   string token_encrypted = Encrypt(this.AdminUsername + ":" +
>>       this.TargetUsername + ":" + expires, this.AdminPassword);
>>   //this.AdminUsername = server_* user name
>>   //this.TargetUsername = normal user name (target user)
>>   //this.AdminPassword = server_* user password (SHA1 encrypted)
>>   //Encrypt does the equivalent of the AES 256 CBC openssl encryption (cf
>> https://gist.github.com/scottlowe/1411917, we just removed the salt part)
>>   session_SHA = this.AdminUsername + ":" + this.TargetUsername + ":" +
>>       token_encrypted;
>>   //session_SHA is the token used to authenticate on a request
>> }
>>
>> Thanks
>> Best regards
>>
>>
>>
>>
>>  Enguerran Boissier
>> www.terradue.com
>>
>>
>> On 28 Jul 2014, at 10:45, Daniel Molina <dmolina at opennebula.org> wrote:
>>
>> Hi Cesare,
>>
>> The server_* authentication is a special method where a user can
>> authenticate on behalf of another user. This method was included in
>> OpenNebula for scenarios such as an Apache server configured to use x509
>> certificates: Apache has already authenticated the user, and we just encrypt
>> a token with the serveradmin credentials; OpenNebula will decrypt the
>> token and will perform all the actions as the target_username.
>>
>> Users using the server_* auth method are special users and should not
>> have any resource.
>>
>> You can see an example on how Sunstone uses this method:
>> A user logs in:
>>
>> https://github.com/OpenNebula/one/blob/master/src/sunstone/sunstone-server.rb#L169
>> do_auth is called to authenticate the user:
>>
>> https://github.com/OpenNebula/one/blob/master/src/cloud/common/CloudAuth/SunstoneCloudAuth.rb#L18
>> a token is generated using the server_* method
>>
>> https://github.com/OpenNebula/one/blob/master/src/authm_mad/remotes/server_cipher/server_cipher_auth.rb#L85
>> this info is sent to one and then checked by the auth driver:
>>
>> https://github.com/OpenNebula/one/blob/master/src/authm_mad/remotes/server_cipher/server_cipher_auth.rb#L110
>>
>> Hope this helps
>>
>> http://docs.opennebula.org/4.6/administration/sunstone_gui/cloud_auth.html
>>
>>
>>
>>
>> On 25 July 2014 12:39, Cesare Rossi <cesare.rossi at terradue.com> wrote:
>>
>>> Dear All,
>>>
>>> we are interacting with the XML-RPC API. We are trying to perform the
>>> special authentication method available with the users' drivers
>>> *server_cipher* or *server_x509* (i.e. using
>>> username:target_username:secret), but it seems not working.
>>>
>>> The question is: is it possible to use such kind of users with that API?
>>> If yes, how?
>>>
>>> Thanks in advance,
>>>
>>> Cheers
>>>
>>>  Cesare Rossi
>>> Terradue
>>> Rome, Italy | Oxford, UK
>>> http://www.terradue.com
>>>
>>>
>>>
>>>
>>> _______________________________________________
>>> Dev mailing list
>>> Dev at lists.opennebula.org
>>> http://lists.opennebula.org/listinfo.cgi/dev-opennebula.org
>>>
>>>
>>
>>
>
>


-- 
--
Daniel Molina
Project Engineer
OpenNebula - Flexible Enterprise Cloud Made Simple
www.OpenNebula.org | dmolina at opennebula.org | @OpenNebula
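The token scheme this thread pieces together (key derived from the sha1 of the server user's password, AES-256-CBC with no salt, base64 applied after encryption and removed before decryption, expiry check on the oned side), written out as an added Ruby example; this is not the server_cipher driver's own code and not code from any poster. Truncating the 40-character hex digest to the 32 bytes AES-256 needs and using a zero IV are this example's assumptions.

```ruby
require 'openssl'
require 'digest/sha1'
require 'base64'

CIPHER = 'aes-256-cbc' # cipher used by the server_cipher driver

# Key the thread describes: the sha1 of the server user's password, i.e. the
# value `oneuser show serveradmin` prints. Truncating the 40-char hex digest
# to the 32 bytes AES-256 needs is this example's assumption, not the thread's.
def server_cipher_key(srv_passwd)
  Digest::SHA1.hexdigest(srv_passwd)[0, 32]
end

def aes(mode, key, data)
  c = OpenSSL::Cipher.new(CIPHER)
  c.send(mode)                   # :encrypt or :decrypt
  c.key = key
  c.iv  = "\0" * 16              # no salt/IV travels with the token; zero IV assumed
  c.update(data) + c.final       # PKCS#7 padding is checked in final
end

# Client side: encrypt "srv_user:target_user:expire", then base64 (that order),
# and send "srv_user:target_user:<token64>" as the XML-RPC session string.
def login_token(srv_user, target_user, srv_passwd, expire)
  plain   = "#{srv_user}:#{target_user}:#{expire}"
  token64 = Base64.strict_encode64(aes(:encrypt, server_cipher_key(srv_passwd), plain))
  "#{srv_user}:#{target_user}:#{token64}"
end

# oned side: base64-decode, decrypt with the key oned holds, then check that the
# users match and the token has not expired. A key mismatch (e.g. encrypting
# with the raw password instead of its sha1) ends in OpenSSL's "bad decrypt",
# the error in Emmanuel's log, or in garbage that fails the user check.
def authenticate(session, srv_passwd, now = Time.now.to_i)
  srv_user, target_user, token64 = session.split(':', 3)
  return nil if token64.nil?
  plain = aes(:decrypt, server_cipher_key(srv_passwd), Base64.strict_decode64(token64))
  p_user, p_target, p_expire = plain.split(':', 3)
  return nil unless p_user == srv_user && p_target == target_user
  return nil unless p_expire.to_s =~ /\A\d+\z/ && p_expire.to_i > now
  target_user
rescue OpenSSL::Cipher::CipherError, ArgumentError
  nil   # bad decrypt / malformed base64: reject
end
```

Running `authenticate` on a token built with a different password than the one oned derives its key from reproduces the rejection seen in the log above.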

