[one-users] user management

Tino Vazquez tinova at fdi.ucm.es
Wed Oct 21 06:42:56 PDT 2009


Hi Shi Jin,

Storing the password in a hash in the one_auth file wouldn't help a
lot since if the file is stolen it can be used in the very same way.
This file protection is based on unix file permissions. This file for
the 'oned' process is just needed the first time it runs because it
sets the 'oneadmin' password, but after the first run it can be
erased.

About having the access key hashed in the EC2 service, it is not in
our short term roadmap. What it is, though, is documentation
explaining how to set up the EC2 service using SSL, so the
communication where the secret and access key are passed will be
encrypted.

Hope this helps,

-Tino

--
Constantino Vázquez, Grid Technology Engineer/Researcher:
http://www.dsa-research.org/tinova
DSA Research Group: http://dsa-research.org
Globus GridWay Metascheduler: http://www.GridWay.org
OpenNebula Virtual Infrastructure Engine: http://www.OpenNebula.org



On Wed, Oct 21, 2009 at 1:18 AM, Shi Jin <jinzishuai at gmail.com> wrote:
> Hi there,
>
> I have a couple of questions regarding user management in OpenNebula.
> 1. I just updated the subversion code and found out the ONE_AUTH has
> already been used to point to a file to maintain the
> <username>:<password> combo, which I think is better than an
> environment variable. However, the plain text password is still
> stored. I am wondering whether it is better to actually store the
> hashed password instead, just like what's stored in the database and
> what "oneuser list" gives. Also, if we only want to start the
> OpenNebula service on a machine, not to run any command, do we really
> need to set up this environment variable? I tried without in "one
> start". I got an error message about it but the service seems to be
> running already.
>
> 2. In AWS EC2, both the access key and the secret key are hashed. I
> tried to use the econe API and found out only the secret key is hashed
> while the access key is still the plain text username. For security
> considerations, I think hashing both keys like EC2 is a better
> solution and I don't think it is that much more technically challenging. Am I
> right about this?
>
> I would love to learn whether the above issues are within OpenNebula
> roadmap. Thank you very much.
>
>
> --
> Shi Jin, Ph.D.
>
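
Added example, not part of the original thread and not OpenNebula code: the reply above says the one_auth file is protected only by unix file permissions, so this sketch audits a `<username>:<password>` file for the conditions that protection depends on. The function name `audit_auth_file`, the temporary path and the sample password are assumptions constructed for illustration.

```python
import os
import stat
import tempfile

def audit_auth_file(path, expected_uid=None):
    """Return a list of findings for a ONE_AUTH-style credentials file."""
    findings = []
    expected_uid = os.getuid() if expected_uid is None else expected_uid
    try:
        st = os.lstat(path)  # lstat: do not follow a symlink planted at the path
    except FileNotFoundError:
        return ["missing"]
    if not stat.S_ISREG(st.st_mode):
        return ["not a regular file"]
    if st.st_uid != expected_uid:
        findings.append("owned by uid %d, expected %d" % (st.st_uid, expected_uid))
    # Any group/other bit means another local account may read the plain-text password.
    if st.st_mode & (stat.S_IRWXG | stat.S_IRWXO):
        findings.append("group/other access bits set: %o" % stat.S_IMODE(st.st_mode))
    # A world-writable parent without the sticky bit lets others replace the file.
    parent = os.stat(os.path.dirname(os.path.abspath(path)))
    if parent.st_mode & stat.S_IWOTH and not parent.st_mode & stat.S_ISVTX:
        findings.append("parent directory is world-writable without sticky bit")
    with open(path) as fh:
        line = fh.readline().rstrip("\n")
    user, sep, password = line.partition(":")
    if not (user and sep and password):
        findings.append("content is not <username>:<password>")
    return findings

def demo():
    """Build a constructed sample file and audit it at modes 0644 and 0600."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "one_auth")
        with open(path, "w") as fh:
            fh.write("oneadmin:constructed-sample-password\n")  # constructed sample
        os.chmod(path, 0o644)
        loose = audit_auth_file(path)
        os.chmod(path, 0o600)
        tight = audit_auth_file(path)
    return loose, tight

if __name__ == "__main__":
    for label, result in zip(("0644", "0600"), demo()):
        print(label, result or "ok")
```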

