[one-dev] XML-RPC API server_* driver

Daniel Molina dmolina at opennebula.org
Wed Jul 30 03:37:46 PDT 2014


Great! May I ask what kind of tool/integration you are building on top of
OpenNebula?

Cheers


On 30 July 2014 09:49, Cesare Rossi <cesare.rossi at terradue.com> wrote:

> Dear Daniel,
>
> thank you for your support. We found that the problem was the encryption
> made on the client side. Now it works perfectly.
>
> Thank you again
>
> Cheers
>
>
> Cesare Rossi
> Terradue
> Rome, Italy | Oxford, UK
> http://www.terradue.com
>
>
>
> On 29 Jul 2014, at 12:23, Daniel Molina <dmolina at opennebula.org> wrote:
>
> Could you check that the password you are using to encrypt (password+sha1) is
> the same one that oned uses to decrypt (oneuser show)?
>
> [oneadmin at node1 ~]$ oneuser show serveradmin | grep PASS
> PASSWORD        : 3412...
> [oneadmin at node1 ~]$ cat .one/sunstone_auth
> serveradmin:7f9f...
> [oneadmin at node1 ~]$ echo -n "7f9f..." | sha1sum
> 3412...  -
>
> Also the problem could be that the token is (base64) encoded after being
> encrypted:
>
> https://github.com/OpenNebula/one/blob/master/src/authm_mad/remotes/server_cipher/server_cipher_auth.rb#L90
>
> and before being decrypted it's decoded:
>
> https://github.com/OpenNebula/one/blob/master/src/authm_mad/remotes/server_cipher/server_cipher_auth.rb#L142
>
> Cheers
>
>
> On 29 July 2014 12:01, Emmanuel Mathot <emmanuel.mathot at terradue.com>
> wrote:
>
>> Here is the log output:
>>
>> Mon Jul 28 16:37:48 2014 [AuM][D]: Message received: LOG I 5 Command
>> execution fail: /var/lib/one/remotes/auth/server_cipher/authenticate
>> serveradmin [secret] ****
>>
>> Mon Jul 28 16:37:48 2014 [AuM][I]: Command execution fail:
>> /var/lib/one/remotes/auth/server_cipher/authenticate
>> serveradmin [secret] ****
>> Mon Jul 28 16:37:48 2014 [AuM][D]: Message received: LOG D 5
>> authenticate: Authenticating serveradmin, with
>> password [secret] (4zj727qqns0xXEHWPBq4tJ2nRSyqom1KtWx5QBueF54I33c1y0fIuymmkn84TMP9)
>>
>> Mon Jul 28 16:37:48 2014 [AuM][I]: authenticate: Authenticating
>> serveradmin, with
>> password [secret] (4zj727qqns0xXEHWPBq4tJ2nRSyqom1KtWx5QBueF54I33c1y0fIuymmkn84TMP9)
>> Mon Jul 28 16:37:48 2014 [AuM][D]: Message received: LOG E 5 bad decrypt
>>
>> Mon Jul 28 16:37:48 2014 [AuM][I]: bad decrypt
>> Mon Jul 28 16:37:48 2014 [AuM][D]: Message received: LOG I 5 ExitCode: 255
>>
>>
>>  Emmanuel Mathot
>> www.terradue.com
>>
>>
>>
>> On 29 Jul 2014, at 11:06, Daniel Molina <dmolina at opennebula.org> wrote:
>>
>> Hi Enguerran,
>>
>> What error message are you getting in oned.log after trying to connect?
>>
>> Cheers
>>
>>
>> On 28 July 2014 17:16, Enguerran Boissier <
>> enguerran.boissier at terradue.com> wrote:
>>
>>> Hello Daniel,
>>> Thanks for your answer; unfortunately we still don't manage to connect
>>> with a server_* user on behalf of another normal user.
>>> This is basically what we do; let us know if we are doing something wrong:
>>>
>>> {
>>>   // UtcNow: subtracting a UTC epoch from local time (DateTime.Now) would
>>>   // shift the expiry by the local UTC offset; cast to whole seconds
>>>   long expires = (long)DateTime.UtcNow.Subtract(new DateTime(1970, 1, 1, 0, 0, 0,
>>> DateTimeKind.Utc)).TotalSeconds + 3600;
>>>   string token_encrypted = Encrypt(this.AdminUsername + ":" +
>>> this.TargetUsername + ":" + expires, this.AdminPassword);
>>>   // this.AdminUsername = server_* user name
>>>   // this.TargetUsername = normal user name (target user)
>>>   // this.AdminPassword = server_* user password (SHA1 hashed)
>>>   // Encrypt does the equivalent of the openssl AES-256-CBC encryption (cf.
>>> https://gist.github.com/scottlowe/1411917; we just removed the salt
>>> part)
>>>   string session_SHA = this.AdminUsername + ":" + this.TargetUsername + ":" +
>>> token_encrypted;
>>>   // session_SHA is the token used to authenticate on a request
>>> }
>>>
>>> Thanks
>>> Best regards
>>>
>>>
>>>
>>>
>>> Enguerran Boissier
>>> www.terradue.com
>>>
>>>
>>> On 28 Jul 2014, at 10:45, Daniel Molina <dmolina at opennebula.org> wrote:
>>>
>>> Hi Cesare,
>>>
>>> The server_* authentication is a special method where a user can
>>> authenticate on behalf of another user. This method was included in
>>> OpenNebula for scenarios such as an Apache server configured to use x509
>>> certificates: Apache has already authenticated the user, we just encrypt
>>> a token with the serveradmin credentials, and OpenNebula will decrypt the
>>> token and perform all the actions as the target_username.
>>>
>>> Users using the server_* auth method are special users and should not
>>> own any resources.
>>>
>>> You can see an example on how Sunstone uses this method:
>>> A user logs in:
>>>
>>> https://github.com/OpenNebula/one/blob/master/src/sunstone/sunstone-server.rb#L169
>>> do_auth is called to authenticate the user:
>>>
>>> https://github.com/OpenNebula/one/blob/master/src/cloud/common/CloudAuth/SunstoneCloudAuth.rb#L18
>>> a token is generated using the server_* method
>>>
>>> https://github.com/OpenNebula/one/blob/master/src/authm_mad/remotes/server_cipher/server_cipher_auth.rb#L85
>>> this info is sent to one and then checked by the auth driver:
>>>
>>> https://github.com/OpenNebula/one/blob/master/src/authm_mad/remotes/server_cipher/server_cipher_auth.rb#L110
>>>
>>> Hope this helps
>>>
>>>
>>> http://docs.opennebula.org/4.6/administration/sunstone_gui/cloud_auth.html
>>>
>>>
>>>
>>>
>>> On 25 July 2014 12:39, Cesare Rossi <cesare.rossi at terradue.com> wrote:
>>>
>>>> Dear All,
>>>>
>>>> we are interacting with the XML-RPC API. We are trying to perform the
>>>> special authentication method available with the users' drivers
>>>> *server_cipher* or *server_x509* (i.e. using
>>>> username:target_username:secret), but it does not seem to work.
>>>>
>>>> The question is: is it possible to use such users with that API?
>>>> If so, how?
>>>>
>>>> Thanks in advance,
>>>>
>>>> Cheers
>>>>
>>>> Cesare Rossi
>>>> Terradue
>>>> Rome, Italy | Oxford, UK
>>>> http://www.terradue.com
>>>>
>>>>
>>>>
>>>>
>>>> _______________________________________________
>>>> Dev mailing list
>>>> Dev at lists.opennebula.org
>>>> http://lists.opennebula.org/listinfo.cgi/dev-opennebula.org
>>>>
>>>>
>>>
>>>
>>> --
>>> --
>>> Daniel Molina
>>> Project Engineer
>>> OpenNebula - Flexible Enterprise Cloud Made Simple
>>> www.OpenNebula.org <http://www.opennebula.org/> | dmolina at opennebula.org
>>> | @OpenNebula
>>>
>>>
>>>
>>
>>
>>
>>
>>
>
>
>
>
>


-- 
--
Daniel Molina
Project Engineer
OpenNebula - Flexible Enterprise Cloud Made Simple
www.OpenNebula.org | dmolina at opennebula.org | @OpenNebula
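The server_cipher token round trip the thread works through (encrypt, then base64 on the client; base64-decode, then decrypt, then check user and expiry in oned), as an added example that is not the OpenNebula driver's own code. It assumes, as the thread suggests but does not spell out, AES-256-CBC keyed with the first 32 bytes of the SHA1 hex digest of the server user's password, an all-zero IV and PKCS#7 padding; `cipher_key`, `login_token` and `authenticate` are names chosen here.

```ruby
require 'openssl'
require 'base64'
require 'digest/sha1'

# Added example, modelled on the flow described in the thread; not the
# OpenNebula driver itself. Assumed: key = SHA1(password) hex digest
# truncated to 32 bytes, zero IV, PKCS#7 padding (all assumptions).
CIPHER = 'aes-256-cbc'.freeze
ZERO_IV = ("\0" * 16).freeze

def cipher_key(srv_password)
  Digest::SHA1.hexdigest(srv_password)[0, 32]
end

# Client side: encrypt "srv_user:target_user:expires", THEN base64 the
# ciphertext, and send "srv_user:target_user:<base64>" as the session.
def login_token(srv_user, srv_password, target_user, expires)
  c = OpenSSL::Cipher.new(CIPHER)
  c.encrypt
  c.key = cipher_key(srv_password)
  c.iv = ZERO_IV
  raw = c.update("#{srv_user}:#{target_user}:#{expires}") + c.final
  "#{srv_user}:#{target_user}:#{Base64.strict_encode64(raw)}"
end

# oned side: base64-decode the secret, decrypt, and check that the user in
# the plaintext matches the one in the session string and that the token
# has not expired. Returns the target user, or an error string.
def authenticate(token, srv_password, now)
  srv_user, target_user, token64 = token.split(':', 3)
  c = OpenSSL::Cipher.new(CIPHER)
  c.decrypt
  c.key = cipher_key(srv_password)
  c.iv = ZERO_IV
  plain = c.update(Base64.strict_decode64(token64)) + c.final
  s_user, t_user, expires = plain.split(':')
  return 'User name mismatch' if s_user != srv_user || t_user != target_user
  return 'login token expired' if now >= expires.to_i
  t_user
rescue OpenSSL::Cipher::CipherError => e
  # A key that differs from oned's is what shows up as "bad decrypt" in the log
  "bad decrypt (#{e.message})"
end
```

Running `authenticate` against a token built with a different password reproduces the "bad decrypt" failure from the log above, while the same password yields the target user.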