[one-users] core_auth in sunstone

Daniel Molina dmolina at opennebula.org
Tue Dec 13 09:17:32 PST 2011


Hi Steven,

On 13 December 2011 15:57, Steven Timm <timm at fnal.gov> wrote:
> On Tue, 13 Dec 2011, Daniel Molina wrote:
>
>> Hi Farooq,
>>
>> On 12 December 2011 19:04, Faarooq Lowe <lowe at fnal.gov> wrote:
>>>
>>> What is the core_auth setting for in sunstone-server.conf?  There isn't
>>> any reference to it in the documentation.
>>
>>
>> This parameter defines the method used by the server to interact with
>> OpenNebula, the available methods are "cipher" and "x509". You can
>> find more information about this in the following links:
>>
>> http://www.opennebula.org/documentation:rel3.2:external_auth
>> http://www.opennebula.org/documentation:rel3.2:cloud_auth
>
>
> It would be helpful to mention this variable in the sunstone docs.
> Right now the sunstone configuration guide says nothing about it.

These variables are defined in the sunstone-server.conf table [1]; I
have added more information to this table to clarify these values.

[1] http://www.opennebula.org/documentation:rel3.2:sunstone?&#sunstone-serverconf

If you want to configure x509 authentication in sunstone these are the
main steps (besides the Apache configuration):

Option A:
--------------
* Sunstone configuration
  - auth: x509
  - core_auth: cipher

The server will authenticate on behalf of other users using the
"serveradmin" user and symmetric encryption to generate the token that
contains the client username.

* Configuration: This is the default behavior and no configuration is needed.
- $VAR_LOCATION//.one/sunstone_auth should contain the credentials of
the serveradmin user that will be used to encrypt the token
- oneuser list should show a serveradmin user with server_cipher auth
driver defined.

Option B:
--------------
* Sunstone configuration
  - auth: x509
  - core_auth: x509

The server will authenticate on behalf of other users using the
"serveradmin" user and server certificates to generate the token that
contains the client username.

* Configuration:
http://www.opennebula.org/documentation:rel3.2:cloud_auth?&#x509_encryption
- change serveradmin driver to server_x509 instead of server_cipher
- edit /etc/one/auth/server_x509_auth.conf to specify the serveradmin
user and the server certificates to encrypt the token


In both cases the browser will interact with Apache and will
authenticate the user. The sunstone server will send this information
to OpenNebula using one of the previous options.

>
> Also, should the regular :auth: field in the sunstone server
> config be x509 or server_x509?  Docs indicate x509.
>

x509 is the right one.

These values are defined inside the CloudAuth.rb file:

    # These are the authentication methods for the user requests
    AUTH_MODULES = {
        "occi"     => 'OCCICloudAuth',
        "sunstone" => 'SunstoneCloudAuth',
        "ec2"      => 'EC2CloudAuth',
        "x509"     => 'X509CloudAuth'
    }

    # These are the authentication modules for the OpenNebula requests
    # Each entry is an array with the filename for require and class name
    # to instantiate the object.
    AUTH_CORE_MODULES = {
        "cipher" => [ 'server_cipher_auth', 'ServerCipherAuth' ],
        "x509"   => [ 'server_x509_auth',   'ServerX509Auth' ]
    }

>
>>
>>>
>>> Also when we launch sunstone-server there is reference to a user.  Which
>>> user is used for sunstone and where is that user set?

In Option A the user is defined in $VAR_LOCATION//.one/sunstone_auth.
In Option B the user is defined in /etc/one/auth/server_x509_auth.conf

BTW I am preparing a post in order to clarify all this configuration.

Hope this helps; if you have any doubts, do not hesitate to ask me.

>>
>>
>> There is a new system user, named 'serveradmin'. It is created by the
>> core at bootstrap, or by the onedb upgrade command. This user is used
>> by the Sunstone, OCCI and EC2 servers to interact with OpenNebula. For
>> more information:
>>
>> http://www.opennebula.org/documentation:rel3.2:compatibility
>> http://www.opennebula.org/documentation:rel3.2:manage_users
>>
>> Hope this helps.
>
>
> We have the serveradmin user created as specified in the
> documentation above, but what we need to know
> is--is there any place we have to specify it in the sunstone config file?
>
>>
>>
>>> _______________________________________________
>>> Users mailing list
>>> Users at lists.opennebula.org
>>> http://lists.opennebula.org/listinfo.cgi/users-opennebula.org
> --
> ------------------------------------------------------------------
> Steven C. Timm, Ph.D  (630) 840-8525
> timm at fnal.gov  http://home.fnal.gov/~timm/
> Fermilab Computing Division, Scientific Computing Facilities,
> Grid Facilities Department, FermiGrid Services Group, Group Leader.
> Lead of FermiCloud project.



-- 
Daniel Molina
Project Engineer
OpenNebula - The Open Source Toolkit for Data Center Virtualization
www.OpenNebula.org | dmolina at opennebula.org | @OpenNebula
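As an added illustration of the "cipher" core_auth scheme described under Option A above (this is not OpenNebula's own ServerCipherAuth code, and the key derivation from the serveradmin secret is an assumption), the following Ruby sketch builds the serveradmin-keyed encrypted token that carries the client username and shows the checks the receiving side should apply before trusting it:

```ruby
require 'openssl'
require 'base64'
require 'digest'

# Simplified model of the "cipher" core_auth mode (Option A): Sunstone holds
# the serveradmin secret and issues a symmetrically encrypted token naming
# the client user it acts for; the core decrypts it with the same secret.
# Illustrative only, not OpenNebula's ServerCipherAuth implementation.
CIPHER   = 'aes-256-cbc'
SRV_USER = 'serveradmin'

# Derive a 256-bit key from the serveradmin secret (assumed derivation).
def derive_key(secret)
  Digest::SHA256.digest(secret)
end

# Sunstone side: build "serveradmin:<client>:<base64(iv + ciphertext)>".
# The ciphertext carries the client username and an expiry (epoch seconds).
def login_token(secret, client_user, expire_at)
  cipher = OpenSSL::Cipher.new(CIPHER)
  cipher.encrypt
  cipher.key = derive_key(secret)
  iv  = cipher.random_iv
  enc = cipher.update("#{client_user}:#{expire_at}") + cipher.final
  "#{SRV_USER}:#{client_user}:#{Base64.strict_encode64(iv + enc)}"
end

# Core side: decrypt with the same secret and accept the token only if the
# encrypted username matches the cleartext one and the expiry is in the
# future. Returns the authenticated username, or nil on any failure.
def validate_token(secret, token, now = Time.now.to_i)
  srv, claimed_user, blob = token.split(':', 3)
  return nil unless srv == SRV_USER && blob
  raw = Base64.strict_decode64(blob)
  decipher = OpenSSL::Cipher.new(CIPHER)
  decipher.decrypt
  decipher.key = derive_key(secret)
  decipher.iv  = raw[0, 16]
  plain = decipher.update(raw[16..-1]) + decipher.final
  user, expire_at = plain.split(':', 2)
  return nil unless user == claimed_user && expire_at.to_i > now
  user
rescue OpenSSL::Cipher::CipherError, ArgumentError
  nil # wrong secret, tampered ciphertext or malformed base64
end
```

The cleartext username in the token is only a hint; the decision rests on the encrypted copy, which is why a token whose cleartext name has been edited is rejected.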


