[one-dev] XML-RPC API server_* driver

Daniel Molina dmolina at opennebula.org
Wed Jul 30 03:48:28 PDT 2014


Sounds good, thank you for the info, Emmanuel. Looking forward to seeing the
code.


On 30 July 2014 12:44, Emmanuel Mathot <emmanuel.mathot at terradue.com> wrote:

> We are developing an API library for the .NET Framework. It will soon be
> available as open source on GitHub.
>
> Cheers,
>
> Emmanuel Mathot
> www.terradue.com
>
>
>
> On 30 Jul 2014, at 12:37, Daniel Molina <dmolina at opennebula.org> wrote:
>
> Great! May I ask what kind of tool/integration you are building on top of
> OpenNebula?
>
> Cheers
>
>
> On 30 July 2014 09:49, Cesare Rossi <cesare.rossi at terradue.com> wrote:
>
>> Dear Daniel,
>>
>> thank you for your support. We found that the problem was the encryption
>> made on the client side. Now it works perfectly.
>>
>> Thank you again
>>
>> Cheers
>>
>>
>> Cesare Rossi
>> Terradue
>> Rome, Italy | Oxford, UK
>> http://www.terradue.com
>>
>>
>>
>> On 29 Jul 2014, at 12:23, Daniel Molina <dmolina at opennebula.org> wrote:
>>
>> Could you check that the password you are using to encrypt (password+sha1) is
>> the same one that oned uses to decrypt (oneuser show)?
>>
>> [oneadmin at node1 ~]$ oneuser show serveradmin | grep PASS
>> PASSWORD        : 3412...
>> [oneadmin at node1 ~]$ cat .one/sunstone_auth
>> serveradmin:7f9f...
>> [oneadmin at node1 ~]$ echo -n "7f9f..." | sha1sum
>> 3412...  -
>>
>> Also the problem could be that the token is (base64) encoded after being
>> encrypted:
>>
>> https://github.com/OpenNebula/one/blob/master/src/authm_mad/remotes/server_cipher/server_cipher_auth.rb#L90
>>
>> and before being decrypted it's decoded:
>>
>> https://github.com/OpenNebula/one/blob/master/src/authm_mad/remotes/server_cipher/server_cipher_auth.rb#L142
>>
>> Cheers
>>
>>
>> On 29 July 2014 12:01, Emmanuel Mathot <emmanuel.mathot at terradue.com>
>> wrote:
>>
>>> Here is the log output:
>>>
>>> Mon Jul 28 16:37:48 2014 [AuM][D]: Message received: LOG I 5 Command
>>> execution fail: /var/lib/one/remotes/auth/server_cipher/authenticate
>>> serveradmin [secret] ****
>>>
>>> Mon Jul 28 16:37:48 2014 [AuM][I]: Command execution fail:
>>> /var/lib/one/remotes/auth/server_cipher/authenticate
>>> serveradmin [secret] ****
>>> Mon Jul 28 16:37:48 2014 [AuM][D]: Message received: LOG D 5
>>> authenticate: Authenticating serveradmin, with
>>> password [secret] (4zj727qqns0xXEHWPBq4tJ2nRSyqom1KtWx5QBueF54I33c1y0fIuymmkn84TMP9)
>>>
>>> Mon Jul 28 16:37:48 2014 [AuM][I]: authenticate: Authenticating
>>> serveradmin, with
>>> password [secret] (4zj727qqns0xXEHWPBq4tJ2nRSyqom1KtWx5QBueF54I33c1y0fIuymmkn84TMP9)
>>> Mon Jul 28 16:37:48 2014 [AuM][D]: Message received: LOG E 5 bad decrypt
>>>
>>> Mon Jul 28 16:37:48 2014 [AuM][I]: bad decrypt
>>> Mon Jul 28 16:37:48 2014 [AuM][D]: Message received: LOG I 5 ExitCode:
>>> 255
>>>
>>>
>>> Emmanuel Mathot
>>> www.terradue.com
>>>
>>>
>>>
>>> On 29 Jul 2014, at 11:06, Daniel Molina <dmolina at opennebula.org> wrote:
>>>
>>> Hi Enguerran,
>>>
>>> What error message are you getting in oned.log after trying to connect?
>>>
>>> Cheers
>>>
>>>
>>> On 28 July 2014 17:16, Enguerran Boissier <
>>> enguerran.boissier at terradue.com> wrote:
>>>
>>>> Hello Daniel,
>>>> Thanks for your answer; unfortunately we still don't manage to connect
>>>> with a server_* user on behalf of another normal user.
>>>> This is basically what we do; let us know if we are doing something wrong:
>>>>
>>>> {
>>>>   // seconds since the Unix epoch, computed in UTC (DateTime.Now is local time)
>>>>   string expires = ((long)DateTime.UtcNow.Subtract(new DateTime(1970,1,1,0,0,0,
>>>> DateTimeKind.Utc)).TotalSeconds + 3600).ToString();
>>>>   string token_encrypted = Encrypt(this.AdminUsername + ":" +
>>>> this.TargetUsername + ":" + expires, this.AdminPassword);
>>>>   //this.AdminUsername = server_* user name
>>>>   //this.TargetUsername = normal user name (target user)
>>>>   //this.AdminPassword = server_* user password (SHA1 hashed)
>>>>   //Encrypt does the equivalent of the AES 256 CBC openssl encryption (cf
>>>> https://gist.github.com/scottlowe/1411917, we just removed the salt
>>>> part)
>>>>   session_SHA = this.AdminUsername + ":" + this.TargetUsername + ":" +
>>>> token_encrypted;
>>>>   //session_SHA is the token used to authenticate on a request
>>>> }
>>>>
>>>> Thanks
>>>> Best regards
>>>>
>>>>
>>>>
>>>>
>>>> Enguerran Boissier
>>>> www.terradue.com
>>>>
>>>>
>>>> On 28 Jul 2014, at 10:45, Daniel Molina <dmolina at opennebula.org> wrote:
>>>>
>>>> Hi Cesare,
>>>>
>>>> The server_* authentication is a special method where a user can
>>>> authenticate on behalf of another user. This method was included in
>>>> OpenNebula for scenarios such as an Apache server configured to use x509
>>>> certificates: Apache has already authenticated the user, so we just encrypt
>>>> a token with the serveradmin credentials, and OpenNebula will decrypt the
>>>> token and perform all the actions as the target_username.
>>>>
>>>> Users using the server_* auth method are special users and should not
>>>> have any resource.
>>>>
>>>> You can see an example of how Sunstone uses this method:
>>>> A user logs in:
>>>>
>>>> https://github.com/OpenNebula/one/blob/master/src/sunstone/sunstone-server.rb#L169
>>>> do_auth is called to authenticate the user:
>>>>
>>>> https://github.com/OpenNebula/one/blob/master/src/cloud/common/CloudAuth/SunstoneCloudAuth.rb#L18
>>>> a token is generated using the server_* method:
>>>>
>>>> https://github.com/OpenNebula/one/blob/master/src/authm_mad/remotes/server_cipher/server_cipher_auth.rb#L85
>>>> this info is sent to oned and then checked by the auth driver:
>>>>
>>>> https://github.com/OpenNebula/one/blob/master/src/authm_mad/remotes/server_cipher/server_cipher_auth.rb#L110
>>>>
>>>> Hope this helps
>>>>
>>>>
>>>> http://docs.opennebula.org/4.6/administration/sunstone_gui/cloud_auth.html
>>>>
>>>>
>>>>
>>>>
>>>> On 25 July 2014 12:39, Cesare Rossi <cesare.rossi at terradue.com> wrote:
>>>>
>>>>> Dear All,
>>>>>
>>>>> we are interacting with the XML-RPC API. We are trying to perform the
>>>>> special authentication method available with the users' drivers
>>>>> *server_cipher* or *server_x509* (i.e. using
>>>>> username:target_username:secret), but it does not seem to work.
>>>>>
>>>>> The question is: is it possible to use that kind of user with that
>>>>> API? If yes, how?
>>>>>
>>>>> Thanks in advance,
>>>>>
>>>>> Cheers
>>>>>
>>>>> Cesare Rossi
>>>>> Terradue
>>>>> Rome, Italy | Oxford, UK
>>>>> http://www.terradue.com
>>>>>
>>>>>
>>>>>
>>>>>
>>>>> _______________________________________________
>>>>> Dev mailing list
>>>>> Dev at lists.opennebula.org
>>>>> http://lists.opennebula.org/listinfo.cgi/dev-opennebula.org
>>>>>
>>>>>
>>>>
>>>>
>>>> --
>>>> --
>>>> Daniel Molina
>>>> Project Engineer
>>>> OpenNebula - Flexible Enterprise Cloud Made Simple
>>>> www.OpenNebula.org <http://www.opennebula.org/> |
>>>> dmolina at opennebula.org | @OpenNebula
>>>>
>>>>
>>>>
>>>
>>>
>>> --
>>> --
>>> Daniel Molina
>>> Project Engineer
>>> OpenNebula - Flexible Enterprise Cloud Made Simple
>>> www.OpenNebula.org <http://www.opennebula.org/> | dmolina at opennebula.org
>>> | @OpenNebula
>>>
>>>
>>>
>>
>>
>> --
>> --
>> Daniel Molina
>> Project Engineer
>> OpenNebula - Flexible Enterprise Cloud Made Simple
>> www.OpenNebula.org <http://www.opennebula.org/> | dmolina at opennebula.org
>> | @OpenNebula
>>
>>
>>
>
>
> --
> --
> Daniel Molina
> Project Engineer
> OpenNebula - Flexible Enterprise Cloud Made Simple
> www.OpenNebula.org <http://www.opennebula.org/> | dmolina at opennebula.org
> | @OpenNebula
>
>
>


-- 
--
Daniel Molina
Project Engineer
OpenNebula - Flexible Enterprise Cloud Made Simple
www.OpenNebula.org | dmolina at opennebula.org | @OpenNebula
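The following is an added example, written for this page in Ruby (the language of the server_cipher driver); it is not OpenNebula's code and not code from anyone in the thread. It reproduces the token scheme discussed above end to end: the client builds username:target_username:base64(AES-256-CBC(username:target_username:expires)) keyed with sha1(secret), and the driver side base64-decodes, decrypts and checks the token, failing with the "bad decrypt" from the log when the client's key does not match the PASSWORD stored by oned. Assumptions: the 40-character SHA1 hex string is cut to 32 bytes to serve as the AES-256 key, the IV is left at all zeros, and the function names are mine.

```ruby
require 'openssl'
require 'digest'

# Added example, not the OpenNebula driver itself: mirrors the server_cipher
# token scheme from this thread (AES-256-CBC keyed with sha1(secret), base64
# applied after encryption and stripped before decryption).
CIPHER = 'aes-256-cbc'
ZERO_IV = "\0" * 16 # assumption: the driver sets no IV, so it is all zeros

# oned stores PASSWORD for a server_* user as the sha1 hex of the secret from
# sunstone_auth; both sides use that hex string, cut to 32 bytes (assumption),
# as the AES-256 key.
def cipher_key(sha1_hex)
  sha1_hex[0, 32]
end

def aes(mode, key, data)
  c = OpenSSL::Cipher.new(CIPHER)
  mode == :encrypt ? c.encrypt : c.decrypt
  c.key = key
  c.iv = ZERO_IV
  c.update(data) + c.final # final raises CipherError ("bad decrypt") on a wrong key
end

# Client side: "srv_user:target:base64(aes(srv_user:target:expire))"
def login_token(srv_user, secret, target_user, expire)
  key = cipher_key(Digest::SHA1.hexdigest(secret))
  token64 = [aes(:encrypt, key, "#{srv_user}:#{target_user}:#{expire}")].pack('m0')
  "#{srv_user}:#{target_user}:#{token64}"
end

# Driver side: oned passes the server user, its stored PASSWORD (sha1 hex) and
# the session string; returns [true, target_user] or [false, reason].
def authenticate(srv_user, stored_sha1, session, now = Time.now.to_i)
  s_user, s_target, token64 = session.split(':', 3)
  return [false, 'malformed session'] unless token64
  return [false, 'username mismatch'] unless s_user == srv_user
  begin
    plain = aes(:decrypt, cipher_key(stored_sha1), token64.unpack1('m'))
  rescue OpenSSL::Cipher::CipherError => e
    return [false, e.message] # the "bad decrypt" seen in oned.log
  end
  t_user, t_target, expire = plain.split(':', 3)
  return [false, 'token/session mismatch'] unless t_user == srv_user && t_target == s_target
  return [false, 'token expired'] if expire.to_i <= now
  [true, t_target]
end
```

The target user name outside the ciphertext is only trusted after it matches the one inside, so a session string rewritten to name another user is rejected even though the token itself decrypts.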