[one-users] Error starting the one service for version 1.3.8 and subversion

Ruben S. Montero rubensm at dacya.ucm.es
Sat Aug 1 03:41:41 PDT 2009


Hi,

Yes this password is totally different from the ssh authentication
process. The username and password are meant to authenticate within the
OpenNebula system not with the cluster nodes (authorized_keys file is
still used). In 1.4 we have multiple users (check the oneuser
commands), each user can ONLY manage their own VMs and Virtual
Networks, so for example you can not shutdown the VM of other user
(unless you are oneadmin). The ONE_AUTH token is used to authenticate
and authorize your request.

Take a look at
http://www.opennebula.org/doku.php?id=documentation:rel1.4:cg#opennebula_users


Cheers

Ruben

On Sat, Aug 1, 2009 at 2:54 AM, Shi Jin<jinzishuai at gmail.com> wrote:
> Thanks.
> This sounds better but for the security centric people they may still
> scream with a plain text password file.
> Anyway, could you please explain a bit on why we need a plain text
> password in the first place?
> In the 1.2.x version, we didn't need it and everything is done via the
> ssh without password (via authorized_keys file).
> One might argue that it is in fact the same file level protection here
> but at least one can not know the password itself even if it is
> breached.
> I don't think this will affect us in a very significant way but I am
> curious about it.
> Thank you very much.
>
> Shi
>
> On Fri, Jul 31, 2009 at 5:50 PM, Ruben S. Montero<rubensm at dacya.ucm.es> wrote:
>> Hi,
>>
>> Yes you are totally right storing a password in an env variable
>> presents serious security risks. This is an issue of the current beta,
>> we plan to move ONE_AUTH to point to a file that contains the
>> user:password token. This file must be protected with the standard
>> file system mechanisms.
>>
>> Does it make sense to you?
>>
>> Cheers!
>>
>> Ruben
>>
>> On Fri, Jul 31, 2009 at 9:50 PM, Shi Jin<jinzishuai at gmail.com> wrote:
>>> Thank you very much Tino.
>>> Indeed, I have to set ONE_AUTH=oneadmin:<password>  to get one start
>>> to work properly.
>>> I only set it to oneadmin before and it didn't work.
>>> However, isn't this a serious security hole?
>>> Am I missing something here?
>>>
>>> Thanks.
>>>
>>> Shi
>>>
>>> On Fri, Jul 31, 2009 at 10:39 AM, Tino Vazquez<tinova at fdi.ucm.es> wrote:
>>>> Hi Shi Jin,
>>>>
>>>> This looks like a DB issue. Please delete your
>>>> $ONE_LOCATION/var/one.db and try running OpenNebula again.
>>>>
>>>> Also, make sure that $ONE_AUTH variable is set for oneadmin user.
>>>>
>>>> Hope it helps,
>>>>
>>>> -Tino
>>>>
>>>> --
>>>> Constantino Vázquez, Grid Technology Engineer/Researcher:
>>>> http://www.dsa-research.org/tinova
>>>> DSA Research Group: http://dsa-research.org
>>>> Globus GridWay Metascheduler: http://www.GridWay.org
>>>> OpenNebula Virtual Infrastructure Engine: http://www.OpenNebula.org
>>>>
>>>>
>>>>
>>>> On Fri, Jul 31, 2009 at 5:22 AM, Shi Jin<jinzishuai at gmail.com> wrote:
>>>>> Hi there,
>>>>>
>>>>> I wanted to try the version 1.3.8 and was able to build the source
>>>>> code both from the tar ball and the subversion source tree.
>>>>> However, when I tried to start the service, I got
>>>>> oneadmin at xubuntu:~$ one start
>>>>> terminate called without an active exception
>>>>> Error executing /opt/ONE138/bin/oned.
>>>>>
>>>>> This is something I haven't seen in the 1.2.x versions. Please advise
>>>>> on what could be wrong here.
>>>>> Thank you very much.
>>>>>
>>>>>
>>>>> --
>>>>> Shi Jin, Ph.D.
>>>>> VP Technology and CTO
>>>>> VrSTORM Inc.
>>>>> 108 Advanced Technology Centre
>>>>> 9650-20 Ave, Edmonton, AB T6N 1G1
>>>>> Office Phone: 780-497-8676
>>>>> Cell Phone: 780-964-8778
>>>>> Email: shiJ at vrstorm.com
>>>>> http://www.vrstorm.com/
>>>>> _______________________________________________
>>>>> Users mailing list
>>>>> Users at lists.opennebula.org
>>>>> http://lists.opennebula.org/listinfo.cgi/users-opennebula.org
>>>>>
>>>>
>>>
>>
>>
>>
>> --
>> +---------------------------------------------------------------+
>>  Dr. Ruben Santiago Montero
>>  Associate Professor
>>  Distributed System Architecture Group (http://dsa-research.org)
>>
>>  URL:    http://dsa-research.org/doku.php?id=people:ruben
>>  Weblog: http://blog.dsa-research.org/?author=7
>>
>>  GridWay, http://www.gridway.org
>>  OpenNebula, http://www.opennebula.org
>> +---------------------------------------------------------------+
>>
>
>
>
> --
> Shi Jin, Ph.D.
>



-- 
+---------------------------------------------------------------+
 Dr. Ruben Santiago Montero
 Associate Professor
 Distributed System Architecture Group (http://dsa-research.org)

 URL:    http://dsa-research.org/doku.php?id=people:ruben
 Weblog: http://blog.dsa-research.org/?author=7

 GridWay, http://www.gridway.org
 OpenNebula, http://www.opennebula.org
+---------------------------------------------------------------+
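The file-based ONE_AUTH arrangement discussed in this thread, as an added example that is not part of the original messages and not OpenNebula's own code: a shell function that tells an inline user:password value in the environment apart from a token file, and checks that the file is protected by ownership and mode. The function name audit_one_auth and its result strings are assumptions made here, the sample token is constructed, and stat -c assumes GNU coreutils.

```bash
#!/usr/bin/env bash
# Added example (hypothetical helper, not OpenNebula code).
# Classifies a ONE_AUTH value and prints one result word:
#   unset | inline-credential | missing-file | not-regular-file
#   wrong-owner | group-or-world-accessible | bad-format | ok
# Returns 0 for "unset" and "ok", 1 for every finding.
audit_one_auth() {
    local value="$1" mode owner
    if [ -z "$value" ]; then
        echo "unset"; return 0
    fi
    if [ ! -e "$value" ] && [ ! -L "$value" ]; then
        case "$value" in
            # user:password placed directly in the environment: every child
            # process inherits it and it is readable from the process environment
            *:*) echo "inline-credential"; return 1 ;;
            *)   echo "missing-file"; return 1 ;;
        esac
    fi
    # Refuse symlinks, directories, devices: the token must be a plain file
    if [ -L "$value" ] || [ ! -f "$value" ]; then
        echo "not-regular-file"; return 1
    fi
    mode=$(stat -c '%a' "$value") || return 2
    owner=$(stat -c '%u' "$value") || return 2
    if [ "$owner" != "$(id -u)" ]; then
        echo "wrong-owner"; return 1
    fi
    # Any group or other permission bit exposes the plain-text password
    if [ $(( 0$mode & 077 )) -ne 0 ]; then
        echo "group-or-world-accessible"; return 1
    fi
    # Expect a user:password token as described in the thread
    if ! grep -Eq '^[^:[:space:]]+:.+$' "$value"; then
        echo "bad-format"; return 1
    fi
    echo "ok"
}

# Demo on a constructed token file (values are made up for illustration)
demo_file=$(mktemp)
printf 'oneadmin:constructed-secret\n' > "$demo_file"
chmod 644 "$demo_file"; audit_one_auth "$demo_file" || true
chmod 600 "$demo_file"; audit_one_auth "$demo_file" || true
audit_one_auth "oneadmin:constructed-secret" || true
rm -f "$demo_file"
```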


