[one-users] user management

Ruben S. Montero rubensm at dacya.ucm.es
Wed Oct 21 12:51:33 PDT 2009


Hi Shi,

Thank you very much for your great feedback.

About the "To hash or not to hash $ONE_AUTH file" issue: you are
probably right here.
We have filed an issue for this [1], and we will take care of it for 1.4.2.

About the "oneadmin account": you are right again, the current
approach is not too elegant. As part of 1.4.2 we also have in mind to
extend the user management module in OpenNebula, so it can be
integrated with other authorization/authentication systems, including
user roles (so different users can use the admin role) and so on. As
part of this development campaign we will improve the creation of the
oneadmin account.

Cheers

Ruben

[1] http://dev.opennebula.org/issues/163


On Wed, Oct 21, 2009 at 4:10 PM, Shi Jin <jinzishuai at gmail.com> wrote:
> Hi Tino,
>
> Thank you very much.
>
> I agree with you that if the one_auth file is stolen, it gives out the
> same permission either hashed or not.
> However, the hashed password makes it a lot harder for somebody to
> remember the password with a quick glimpse of the file.
> Also, people tend to use the same password for many things. If the
> plain text one_auth is stolen, it can cause damage a lot bigger than
> just in OpenNebula.
>
> If one_auth is only used once to store the oneadmin password, would it
> be better if the system asked for this password on the command line when
> it is first started? Of course I could manually delete the one_auth
> file after the startup. This way it seems to be more elegant.
>
> I agree that SSL encryption is more important than hashing the access key.
>
> Shi
>
> On Wed, Oct 21, 2009 at 7:42 AM, Tino Vazquez <tinova at fdi.ucm.es> wrote:
>> Hi Shi Jin,
>>
>> Storing the password as a hash in the one_auth file wouldn't help a
>> lot, since if the file is stolen it can be used in the very same way.
>> This file's protection is based on Unix file permissions. This file for
>> the 'oned' process is just needed the first time it runs, because it
>> sets the 'oneadmin' password, but after the first run it can be
>> erased.
>>
>> About having the access key hashed in the EC2 service, it is not in
>> our short-term roadmap. What is, though, is documentation
>> explaining how to set up the EC2 service using SSL, so the
>> communication where the secret and access keys are passed will be
>> encrypted.
>>
>> Hope this helps,
>>
>> -Tino
>>
>> --
>> Constantino Vázquez, Grid Technology Engineer/Researcher:
>> http://www.dsa-research.org/tinova
>> DSA Research Group: http://dsa-research.org
>> Globus GridWay Metascheduler: http://www.GridWay.org
>> OpenNebula Virtual Infrastructure Engine: http://www.OpenNebula.org
>>
>>
>>
>> On Wed, Oct 21, 2009 at 1:18 AM, Shi Jin <jinzishuai at gmail.com> wrote:
>>> Hi there,
>>>
>>> I have a couple of questions regarding user management in OpenNebula.
>>> 1. I just updated the subversion code and found out the ONE_AUTH has
>>> already been used to point to a file to maintain the
>>> <username>:<password> combo, which I think is better than an
>>> environment variable. However, the plain text password is still
>>> stored. I am wondering whether it is better to actually store the
>>> hashed password instead, just like what's stored in the database and
>>> what "oneuser list" gives. Also, if we only want to start the
>>> OpenNebula service on a machine, not to run any command, do we really
>>> need to set up this environment variable? I tried without it in "one
>>> start". I got an error message about it, but the service seems to be
>>> running already.
>>>
>>> 2. In AWS EC2, both the access key and the secret key are hashed. I
>>> tried to use the econe API and found out only the secret key is hashed
>>> while the access key is still the plain text username. For security
>>> considerations, I think hashing both keys like EC2 is a better
>>> solution, and I don't think it is technically that much more challenging. Am I
>>> right about this?
>>>
>>> I would love to learn whether the above issues are within OpenNebula
>>> roadmap. Thank you very much.
>>>
>>>
>>> --
>>> Shi Jin, Ph.D.
>>> _______________________________________________
>>> Users mailing list
>>> Users at lists.opennebula.org
>>> http://lists.opennebula.org/listinfo.cgi/users-opennebula.org
>>>
>>
>
>
>
> --
> Shi Jin, Ph.D.
> _______________________________________________
> Users mailing list
> Users at lists.opennebula.org
> http://lists.opennebula.org/listinfo.cgi/users-opennebula.org
>



-- 
+---------------------------------------------------------------+
 Dr. Ruben Santiago Montero
 Associate Professor
 Distributed System Architecture Group (http://dsa-research.org)

 URL:    http://dsa-research.org/doku.php?id=people:ruben
 Weblog: http://blog.dsa-research.org/?author=7

 GridWay, http://www.gridway.org
 OpenNebula, http://www.opennebula.org
+---------------------------------------------------------------+
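The point Tino makes above (a hash stored in the auth file is just as usable by whoever steals the file, so the real protection is the file's Unix permissions) can be shown with a small simulation. This is an added example, not OpenNebula's code: it assumes a toy server that keeps sha1(password) per user and accepts a "user:sha1hex" session string, and a client that builds that string from a ONE_AUTH-style "user:secret" file. The user name, password and file contents are constructed for the example.

```python
import hashlib
import os
import stat
import tempfile

# Constructed toy user table: the server stores sha1(password), as the
# thread says "oneuser list" shows. Assumption for the example only.
USERS = {"oneadmin": hashlib.sha1(b"s3cret").hexdigest()}


def sha1hex(text):
    """Hex SHA-1 of a string; used to build sample file contents."""
    return hashlib.sha1(text.encode()).hexdigest()


def server_check(session):
    """Server side: accept 'user:sha1hex' and compare with the stored hash."""
    user, _, digest = session.partition(":")
    return USERS.get(user) == digest


def client_session_from_file(path, hashed):
    """Client side: read 'user:secret' from the auth file.

    If the file holds the plaintext password the client hashes it before
    sending; if the file already holds the hash, it is sent as-is.  Either
    way the file's contents are sufficient to produce a valid session.
    """
    with open(path) as f:
        user, _, secret = f.read().strip().partition(":")
    digest = secret if hashed else sha1hex(secret)
    return f"{user}:{digest}"


def stolen_file_works(contents, hashed):
    """Simulate an attacker who copied the auth file and replays it."""
    with tempfile.NamedTemporaryFile("w", delete=False) as f:
        f.write(contents)
        path = f.name
    try:
        return server_check(client_session_from_file(path, hashed))
    finally:
        os.unlink(path)


def write_auth_file(path, contents):
    """Create the auth file with mode 0600 from the start (no chmod race)."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as f:
        f.write(contents)


def auth_file_mode_ok(path):
    """The check that actually matters: no group/other bits on the file."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    return mode & (stat.S_IRWXG | stat.S_IRWXO) == 0


def permission_demo():
    """Return (mode ok after secure create, mode ok after loosening to 0644)."""
    d = tempfile.mkdtemp()
    path = os.path.join(d, "one_auth")
    try:
        write_auth_file(path, "oneadmin:s3cret\n")
        secure = auth_file_mode_ok(path)
        os.chmod(path, 0o644)
        loose = auth_file_mode_ok(path)
        return secure, loose
    finally:
        os.unlink(path)
        os.rmdir(d)


if __name__ == "__main__":
    plain_file = "oneadmin:s3cret\n"
    hashed_file = "oneadmin:" + sha1hex("s3cret") + "\n"
    print("plaintext file replayed:", stolen_file_works(plain_file, hashed=False))
    print("hashed file replayed:  ", stolen_file_works(hashed_file, hashed=True))
    print("permission check (0600, 0644):", permission_demo())
```

Both replays succeed, which is the "same permission either hashed or not" observation. What hashing does buy is the point Shi raises: the stolen file no longer reveals a password that may be reused elsewhere, so the blast radius stays inside OpenNebula. The permission check and the 0600-at-creation write are the controls that keep the file from being read in the first place.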


