[one-users] Sunstone and x509 Authentication

Steven Timm timm at fnal.gov
Fri Dec 16 07:08:08 PST 2011


On Fri, 16 Dec 2011, Daniel Molina wrote:

> Dear Farooq,
>
> I think the problem is the driver assigned to serveradmin (x509), you
> must change it to server_x509 [1]. Otherwise it will not use the
> certificates specified in server_x509_auth.conf. x509 driver should be
> used by regular users and not by the "server" user.
>
> So there are two users in this scenario:
> 1. The user that is trying to authenticate using Sunstone. This user
> should have the driver x509 and his DN as password.
> 2. The user used by Sunstone server (serveradmin) to interact with
> OpenNebula. This user should have the driver server_x509 and his
> server certificate DN as password.

Then the documentation of the oneuser command should be modified
to indicate that server_x509 is a legal option in the
oneuser chauth subcommand.  It's not listed either in the command
usage or on the web page.

Also, what about the oneadmin user, user 0.. should that be server_x509 
too or should that still be x509 driver?

[root at fgitb317 one]# oneuser show 1
USER 1 INFORMATION
ID             : 1
NAME           : serveradmin
GROUP          : 0
PASSWORD       : /DC=org/DC=doegrids/OU=Services/CN=fgitb317.fnal.gov
AUTH_DRIVER    : x509
ENABLED        : Yes

USER TEMPLATE

[root at fgitb317 one]#
[root at fgitb317 one]# oneuser show 0
USER 0 INFORMATION
ID             : 0
NAME           : oneadmin
GROUP          : 0
PASSWORD       : /DC=org/DC=doegrids/OU=Services/CN=fgitb317.fnal.gov
AUTH_DRIVER    : x509
ENABLED        : Yes

USER TEMPLATE

[root at fgitb317 one]#

    * chauth <userid> <auth> [<password>]
         Changes the User's auth driver
         valid options: read_file, sha1, ssh, x509, key, cert, driver



>
> Also, you should check that the (unix) user running oned and
> sunstone-server has permission to read the certificates specified in
> server_x509_auth.conf.
>
> BTW it would be nice to use the same thread for issues related to the
> x509 configuration instead of opening new ones, so other users can
> benefit from it.
>
> Kind Regards
>
> [1] http://lists.opennebula.org/pipermail/users-opennebula.org/2011-December/007233.html
>
> ------->8-------------------------
> If you want to configure x509 authentication in sunstone these are the
> main steps (beside the apache configuration):
>
> Option A:
> --------------
> * Sunstone configuration
> - auth: x509
> - core_auth: cipher
>
> The server will authenticate on behalf of other user using the
> "serveradmin" user and symmetric encryption to generate the token that
> contains the client username.
>
> * Configuration: This is the default behavior and no configuration is needed.
> - $VAR_LOCATION//.one/sunstone_auth should contain the credentials of
> the serveradmin user that will be used to encrypt the token
> - oneuser list should show a serveradmin user with server_cipher auth
> driver defined.
>
> Option B:
> --------------
> * Sunstone configuration
> - auth: x509
> - core_auth: x509
>
> The server will authenticate on behalf of other user using the
> "serveradmin" user and server certificates to generate the token that
> contains the client username.
>
> * Configuration:
> http://www.opennebula.org/documentation:rel3.2:cloud_auth?&#x509_encryption
> - change serveradmin driver to server_x509 instead of server_cipher
> - edit /etc/one/auth/server_x509_auth.conf to specify the serveradmin
> user and the server certificates to encrypt the token
>
>
> In both cases the browser will interact with Apache and will
> authenticate the user. The sunstone server will send this information
> to OpenNebula using one of the previous options.
> ------------------8<-------------------
>
>
> On 16 December 2011 00:13, Faarooq Lowe <lowe at fnal.gov> wrote:
>> We are still having problems getting sunstone to work with x509
>> authentication.
>>
>> Could someone please advise?
>>
>> Here is what we have
>>
>> sunstone-server.conf
>>
>> # Server Configuration
>> :host: 127.0.0.1
>> :port: 9869
>>
>> # Authentication driver for incoming requests
>> #   sunstone, for OpenNebula's user-password scheme
>> #   x509, for x509 certificates based authentication
>> #:auth: sunstone
>> :auth: x509
>>
>> # Authentication driver to communicate with OpenNebula core
>> #   cipher, for symmetric cipher encryption of tokens
>> #   x509, for x509 certificate encryption of tokens
>> #:core_auth: server_cipher
>> :core_auth: x509
>>
>> # Life-time in seconds for token renewal (that used to handle OpenNebula auths)
>> :token_expiration_delta: 1800
>>
>> server_x509_auth.conf
>>
>> # User to be used for x509 server authentication
>>
>> :srv_user: serveradmin
>>
>> # Path to the certificate used by the OpenNebula Services
>> # Certificates must be in PEM format
>>
>> :one_cert: "/etc/grid-security/hostcert.pem"
>> :one_key: "/etc/grid-security/hostkey.pem"
>>
>> serveradmin information
>>
>> -bash-3.2$ oneuser show 1
>> USER 1 INFORMATION
>> ID             : 1
>> NAME           : serveradmin
>> GROUP          : 0
>> PASSWORD       : <DN with no spaces>
>> AUTH_DRIVER    : x509
>> ENABLED        : Yes
>>
>> USER TEMPLATE
>>
>> Logs
>>
>> oned.log
>>
>> Thu Dec 15 17:04:28 2011 [AuM][E]: Auth Error: undefined method `public_key'
>> for nil:NilClass
>>
>> sunstone.log
>>
>> 131.225.168.168 - - [15/Dec/2011 17:03:26] "GET / HTTP/1.1" 200 1384 0.0037
>> 131.225.168.168 - - [15/Dec/2011 17:04:28] "POST /login HTTP/1.1" 500 61
>> 0.0802
>>
>>
>>
>>
>>
>> _______________________________________________
>> Users mailing list
>> Users at lists.opennebula.org
>> http://lists.opennebula.org/listinfo.cgi/users-opennebula.org
>
>
>
>

-- 
------------------------------------------------------------------
Steven C. Timm, Ph.D  (630) 840-8525
timm at fnal.gov  http://home.fnal.gov/~timm/
Fermilab Computing Division, Scientific Computing Facilities,
Grid Facilities Department, FermiGrid Services Group, Group Leader.
Lead of FermiCloud project.
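The following is an added example, not code from this thread or from OpenNebula itself. It models Option B as Daniel describes it: the Sunstone side holds the server certificate and key, the registered "password" of the server user is the certificate's subject DN, and a token naming the browser-authenticated user is generated with the server key and checked by the core against the certificate from server_x509_auth.conf. The token layout (srv_user:target_user:expires:signature), the use of an RSA signature rather than OpenNebula's own encryption scheme, the self-signed certificate, the DN and user names are all assumptions made for the example; it is meant to show why the core needs a loadable certificate and a DN that matches the registered one, and fails loudly instead of with a bare NoMethodError when the certificate is missing.

```ruby
require 'openssl'
require 'base64'

# Constructed test material: a self-signed "host certificate" standing in
# for /etc/grid-security/hostcert.pem and hostkey.pem. The subject follows
# the DN style shown in the thread; the value itself is made up.
SERVER_DN = '/DC=org/DC=example/OU=Services/CN=one.example.test'

def make_self_signed(dn)
  key  = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version    = 2
  cert.serial     = 1
  cert.subject    = OpenSSL::X509::Name.parse(dn)
  cert.issuer     = cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after  = Time.now + 3600
  cert.sign(key, OpenSSL::Digest::SHA256.new)
  [key, cert]
end

# The x509 / server_x509 users carry the certificate subject DN as their
# password. Deriving it from the PEM avoids the hand-typed DN mismatches
# that the thread is chasing.
def dn_password(cert)
  cert.subject.to_s
end

# Sunstone side: the server user vouches for the already-authenticated
# browser user by binding "target_user:expires" to the server private key.
# delta mirrors :token_expiration_delta from sunstone-server.conf.
def login_token(srv_user, srv_key, target_user, delta = 1800, now = Time.now.to_i)
  expires = now + delta
  payload = "#{target_user}:#{expires}"
  sig     = srv_key.sign(OpenSSL::Digest::SHA256.new, payload)
  "#{srv_user}:#{target_user}:#{expires}:#{Base64.strict_encode64(sig)}"
end

# Core side: the server_x509 driver has only the certificate named in
# server_x509_auth.conf (nil here if oned could not read it) and the DN
# registered as the server user's password. Returns the target user or
# raises ArgumentError with the reason.
def check_token(token, srv_cert, registered_dn, expected_srv_user = 'serveradmin',
                now = Time.now.to_i)
  if srv_cert.nil?
    raise ArgumentError, 'no server certificate loaded (check :one_cert and ' \
                         'that the oned unix user can read it)'
  end
  srv_user, target_user, expires, b64sig = token.split(':', 4)
  raise ArgumentError, 'malformed token' if b64sig.nil? || b64sig.empty?
  raise ArgumentError, "unexpected server user #{srv_user}" unless srv_user == expected_srv_user
  unless dn_password(srv_cert) == registered_dn
    raise ArgumentError, "certificate DN #{srv_cert.subject} does not match registered DN"
  end
  raise ArgumentError, 'token expired' if expires.to_i <= now
  payload = "#{target_user}:#{expires}"
  sig     = Base64.strict_decode64(b64sig)
  ok      = srv_cert.public_key.verify(OpenSSL::Digest::SHA256.new, sig, payload)
  raise ArgumentError, 'bad signature' unless ok
  target_user
end

if __FILE__ == $PROGRAM_NAME
  key, cert = make_self_signed(SERVER_DN)
  puts "serveradmin password should be: #{dn_password(cert)}"
  tok = login_token('serveradmin', key, 'alice')
  puts "token accepted for: #{check_token(tok, cert, dn_password(cert))}"
  begin
    check_token(tok, nil, dn_password(cert))
  rescue ArgumentError => e
    puts "missing certificate: #{e.message}"
  end
end
```

Run it as a plain script; the nil-certificate branch is the case to look at when oned logs an error about a nil object instead of a configuration complaint: the certificate path or its unix permissions are the first things to check, and the registered DN the second.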

