[one-users] Sunstone and x509 Authentication

Daniel Molina dmolina at opennebula.org
Fri Dec 16 09:34:34 PST 2011


On 16 December 2011 17:55, Steven Timm <timm at fnal.gov> wrote:
> On Fri, 16 Dec 2011, Daniel Molina wrote:
>
>> On 16 December 2011 16:08, Steven Timm <timm at fnal.gov> wrote:
>>>
>>> On Fri, 16 Dec 2011, Daniel Molina wrote:
>>>
>>>> Dear Farooq,
>>>>
>>>> I think the problem is the driver assigned to serveradmin (x509), you
>>>> must change it to server_x509 [1]. Otherwise it will not use the
>>>> certificates specified in server_x509_auth.conf. The x509 driver should be
>>>> used by regular users and not by the "server" user.
>>>>
>>>> So there are two users in this scenario:
>>>> 1. The user that is trying to authenticate using Sunstone. This user
>>>> should have the driver x509 and his DN as password.
>>>> 2. The user used by the Sunstone server (serveradmin) to interact with
>>>> OpenNebula. This user should have the driver server_x509 and his
>>>> server certificate DN as password.
>>>
>>> Then the documentation of the oneuser command should be modified
>>> to indicate that server_x509 is a legal option in the
>>> oneuser chauth subcommand. It's not listed either in the command
>>> usage or on the web page.
>>
>>
>> The legal values for the auth driver are defined in the oned.conf. But
>> yes, maybe we should add this information to the oneuser help.
>> arguments  = "--authn ssh,x509,ldap,server_cipher,server_x509"
>>
>
> In our oned.conf we currently have
> AUTH_MAD = [
>    executable = "one_auth_mad",
>    arguments  = "--authn x509,server_x509"
> ]
>
> There is at least one web page that says it should still be
> x509,server
>
> Which is right?

These values correspond with the following directories:
http://dev.opennebula.org/projects/opennebula/repository/revisions/master/show/src/authm_mad/remotes

So "--authn x509,server_x509" is the right one.

Could you point me to the URL which is wrong to fix it?

Kind regards.

>
>>>
>>> Also, what about the oneadmin user, user 0.. should that be server_x509
>>> too
>>> or should that still be x509 driver?
>>>
>>
>> If you want to use oneadmin through sunstone you have to set x509
>> driver for him (as a regular user), so he can login through sunstone
>> and the cli. The server_x509 should be only used by the serveradmin
>> user.
>>
>>> [root at fgitb317 one]# oneuser show 1
>>>
>>> USER 1 INFORMATION
>>> ID             : 1
>>> NAME           : serveradmin
>>> GROUP          : 0
>>> PASSWORD       : /DC=org/DC=doegrids/OU=Services/CN=fgitb317.fnal.gov
>>>
>>> AUTH_DRIVER    : x509
>>
>>
>> It must be "server_x509"
>>
>>> ENABLED        : Yes
>>>
>>> USER TEMPLATE
>>>
>>> [root at fgitb317 one]#
>>> [root at fgitb317 one]# oneuser show 0
>>> USER 0 INFORMATION
>>> ID             : 0
>>> NAME           : oneadmin
>>> GROUP          : 0
>>> PASSWORD       : /DC=org/DC=doegrids/OU=Services/CN=fgitb317.fnal.gov
>>>
>>> AUTH_DRIVER    : x509
>>> ENABLED        : Yes
>>>
>>> USER TEMPLATE
>>>
>>> [root at fgitb317 one]#
>>>
>>>   * chauth <userid> <auth> [<password>]
>>>        Changes the User's auth driver
>>>        valid options: read_file, sha1, ssh, x509, key, cert, driver
>>>
>>>>
>>>> Also, you should check that the (unix) user running oned and
>>>> sunstone-server has permission to read the certificates specified in
>>>> server_x509_auth.conf.
>>>>
>>>> BTW it would be nice to use the same thread for issues related to the
>>>> x509 configuration instead of opening new ones, so other users can
>>>> benefit from it.
>>>>
>>>> Kind Regards
>>>>
>>>> [1]
>>>>
>>>> http://lists.opennebula.org/pipermail/users-opennebula.org/2011-December/007233.html
>>>>
>>>> ------->8-------------------------
>>>> If you want to configure x509 authentication in sunstone these are the
>>>> main steps (beside the apache configuration):
>>>>
>>>> Option A:
>>>> --------------
>>>> * Sunstone configuration
>>>> - auth: x509
>>>> - core_auth: cipher
>>>>
>>>> The server will authenticate on behalf of other users using the
>>>> "serveradmin" user and symmetric encryption to generate the token that
>>>> contains the client username.
>>>>
>>>> * Configuration: This is the default behavior and no configuration is
>>>> needed.
>>>> - $VAR_LOCATION//.one/sunstone_auth should contain the credentials of
>>>> the serveradmin user that will be used to encrypt the token
>>>> - oneuser list should show a serveradmin user with server_cipher auth
>>>> driver defined.
>>>>
>>>> Option B:
>>>> --------------
>>>> * Sunstone configuration
>>>> - auth: x509
>>>> - core_auth: x509
>>>>
>>>> The server will authenticate on behalf of other users using the
>>>> "serveradmin" user and server certificates to generate the token that
>>>> contains the client username.
>>>>
>>>> * Configuration:
>>>>
>>>>
>>>> http://www.opennebula.org/documentation:rel3.2:cloud_auth?&#x509_encryption
>>>> - change serveradmin driver to server_x509 instead of server_cipher
>>>> - edit /etc/one/auth/server_x509_auth.conf to specify the serveradmin
>>>> user and the server certificates to encrypt the token
>>>>
>>>>
>>>> In both cases the browser will interact with Apache and will
>>>> authenticate the user. The sunstone server will send this information
>>>> to OpenNebula using one of the previous options.
>>>> ------------------8<-------------------
>>>>
>>>>
>>>> On 16 December 2011 00:13, Faarooq Lowe <lowe at fnal.gov> wrote:
>>>>>
>>>>>
>>>>> We are still having problems getting sunstone to work with x509
>>>>> authentication.
>>>>>
>>>>> Could someone please advise?
>>>>>
>>>>> Here is what we have
>>>>>
>>>>> sunstone-server.conf
>>>>>
>>>>> # Server Configuration
>>>>> :host: 127.0.0.1
>>>>> :port: 9869
>>>>>
>>>>> # Authentication driver for incomming requests
>>>>> #   sunstone, for OpenNebula's user-password scheme
>>>>> #   x509, for x509 certificates based authentication
>>>>> #:auth: sunstone
>>>>> :auth: x509
>>>>>
>>>>> # Authentication driver to communicate with OpenNebula core
>>>>> #   cipher, for symmetric cipher encryption of tokens
>>>>> #   x509, for x509 certificate encryption of tokens
>>>>> #:core_auth: server_cipher
>>>>> :core_auth: x509
>>>>>
>>>>> # Life-time in seconds for token renewal (that used to handle OpenNebula auths)
>>>>> :token_expiration_delta: 1800
>>>>>
>>>>> server_x509_auth.conf
>>>>>
>>>>> # User to be used for x509 server authentication
>>>>>
>>>>> :srv_user: serveradmin
>>>>>
>>>>> # Path to the certificate used by the OpenNebula Services
>>>>> # Certificates must be in PEM format
>>>>>
>>>>> :one_cert: "/etc/grid-security/hostcert.pem"
>>>>> :one_key: "/etc/grid-security/hostkey.pem"
>>>>>
>>>>> serveradmin information
>>>>>
>>>>> -bash-3.2$ oneuser show 1
>>>>> USER 1 INFORMATION
>>>>> ID             : 1
>>>>> NAME           : serveradmin
>>>>> GROUP          : 0
>>>>> PASSWORD       : <DN with no spaces>
>>>>> AUTH_DRIVER    : x509
>>>>> ENABLED        : Yes
>>>>>
>>>>> USER TEMPLATE
>>>>>
>>>>> Logs
>>>>>
>>>>> oned.log
>>>>>
>>>>> Thu Dec 15 17:04:28 2011 [AuM][E]: Auth Error: undefined method `public_key' for nil:NilClass
>>>>>
>>>>> sunstone.log
>>>>>
>>>>> 131.225.168.168 - - [15/Dec/2011 17:03:26] "GET / HTTP/1.1" 200 1384 0.0037
>>>>> 131.225.168.168 - - [15/Dec/2011 17:04:28] "POST /login HTTP/1.1" 500 61 0.0802
>>>>>
>>>>>
>>>>> _______________________________________________
>>>>> Users mailing list
>>>>> Users at lists.opennebula.org
>>>>> http://lists.opennebula.org/listinfo.cgi/users-opennebula.org
>>>>
>>>
>>> --
>>> ------------------------------------------------------------------
>>> Steven C. Timm, Ph.D  (630) 840-8525
>>> timm at fnal.gov  http://home.fnal.gov/~timm/
>>> Fermilab Computing Division, Scientific Computing Facilities,
>>> Grid Facilities Department, FermiGrid Services Group, Group Leader.
>>> Lead of FermiCloud project.
>>>
>>
>
>



-- 
Daniel Molina
Project Engineer
OpenNebula - The Open Source Toolkit for Data Center Virtualization
www.OpenNebula.org | dmolina at opennebula.org | @OpenNebula
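Added example, not code from the thread or from OpenNebula: a small Python consistency check over the three pieces of configuration discussed above (the `:auth`/`:core_auth` keys of sunstone-server.conf, the `--authn` list in the oned.conf AUTH_MAD block, and the `oneuser show` output for serveradmin). It reports the mismatch Daniel points to (core_auth x509 with serveradmin still on the plain x509 driver) and the "x509,server" variant Steve found on the web; the sample inputs are constructed and the rule table is an assumption drawn from the thread.

```python
import re

# Constructed sample inputs reproducing the thread's misconfiguration:
# Sunstone uses core_auth x509, but serveradmin still carries the plain
# x509 driver instead of server_x509.
SUNSTONE_CONF = """
:auth: x509
:core_auth: x509
"""
ONED_AUTH_MAD = 'arguments  = "--authn x509,server_x509"'
ONEUSER_SHOW = """
NAME           : serveradmin
AUTH_DRIVER    : x509
"""

# Assumed from the thread: Sunstone core_auth -> driver serveradmin must carry.
REQUIRED_SERVER_DRIVER = {"cipher": "server_cipher", "x509": "server_x509"}

def parse_kv(text):
    """Parse ':key: value' (sunstone-server.conf) or 'KEY : value' (oneuser show)."""
    out = {}
    for line in text.splitlines():
        m = re.match(r"^\s*:?(\w+)\s*:\s*(\S.*?)\s*$", line)
        if m:
            out[m.group(1).lower()] = m.group(2)
    return out

def enabled_drivers(auth_mad_line):
    """Drivers listed after --authn in the oned.conf AUTH_MAD arguments."""
    m = re.search(r"--authn\s+([\w,]+)", auth_mad_line)
    return set(m.group(1).split(",")) if m else set()

def check_config(sunstone_conf, oned_auth_mad, oneuser_show):
    """Return findings; an empty list means the three pieces agree."""
    sunstone, user = parse_kv(sunstone_conf), parse_kv(oneuser_show)
    drivers = enabled_drivers(oned_auth_mad)
    core_auth = sunstone.get("core_auth", "cipher")  # cipher is the default
    required = REQUIRED_SERVER_DRIVER.get(core_auth)
    if required is None:
        return [f"unknown core_auth '{core_auth}'"]
    findings = []
    if user.get("auth_driver") != required:
        findings.append(f"serveradmin driver is {user.get('auth_driver')}, "
                        f"core_auth {core_auth} needs {required}")
    if required not in drivers:
        findings.append(f"{required} not enabled in AUTH_MAD --authn")
    if sunstone.get("auth") == "x509" and "x509" not in drivers:
        findings.append("auth x509 in sunstone but x509 not in AUTH_MAD")
    return findings
```

Feed it the real files (and the output of `oneuser show 1`) to confirm the serveradmin driver, the AUTH_MAD list and the Sunstone core_auth setting agree before restarting the services.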