[one-users] Sunstone and x509 Authentication

Daniel Molina dmolina at opennebula.org
Fri Dec 16 08:44:07 PST 2011 

On 16 December 2011 16:08, Steven Timm <timm at fnal.gov> wrote:
> On Fri, 16 Dec 2011, Daniel Molina wrote:
>
>> Dear Farooq,
>>
>> I think the problem is the driver assigned to serveradmin (x509), you
>> must change it to server_x509 [1]. Otherwise it will not use the
>> certificates specified in server_x509_auht.conf. x509 driver should be
>> used by regular users and not by the "server" user.
>>
>> So there are two users in this scenario:
>> 1. The user that is trying to authenticate using Sunstone. This user
>> should have the driver x509 and his DN as password.
>> 2. The user used by Sunstone sever (serveradmin) to interact with
>> OpenNebula. This user should have the driver server_x509 and his
>> server certificate DNas password.
>
>
> Then  the documentation of the oneuser command should be modified
> to indicate that server_x509 is a legal option in the
> oneuser chauth subcommand.  It's not listed either in the command
> usage or on the web page.

The legal values for the auth driver are defined in the oned.conf. But
yes, maybe we should add this information to the oneuser help.
arguments  = "--authn ssh,x509,ldap,server_cipher,server_x509"

>
> Also, what about the oneadmin user, user 0.. should that be server_x509 too
> or should that still be x509 driver?
>

If you want to use oneadmin through sunstone you have to set x509
driver for him (as a regular user), so he can login through sunstone
and the cli. The server_x509 should be only used by the serveradmin
user.

> [root at fgitb317 one]# oneuser show 1
>
> USER 1 INFORMATION
> ID             : 1
> NAME           : serveradmin
> GROUP          : 0
> PASSWORD       : /DC=org/DC=doegrids/OU=Services/CN=fgitb317.fnal.gov
>
> AUTH_DRIVER    : x509

It must be "server_x509"

> ENABLED        : Yes
>
> USER TEMPLATE
>
> [root at fgitb317 one]#
> [root at fgitb317 one]# oneuser show 0
> USER 0 INFORMATION
> ID             : 0
> NAME           : oneadmin
> GROUP          : 0
> PASSWORD       : /DC=org/DC=doegrids/OU=Services/CN=fgitb317.fnal.gov
>
> AUTH_DRIVER    : x509
> ENABLED        : Yes
>
> USER TEMPLATE
>
> [root at fgitb317 one]#
>
>   * chauth <userid> <auth> [<password>]
>        Changes the User's auth driver
>        valid options: read_file, sha1, ssh, x509, key, cert, driver
>
>
>
>
>>
>> Also, you should check that the (unix) user running oned and
>> sunstone-server has permission to read the certificates specified in
>> server_x509_auth.conf.
>>
>> BTW it would be nice to use the same thread for issues related to the
>> x509 configuration instead of opening new ones, so other users can
>> benefit from it.
>>
>> Kind Regards
>>
>> [1]
>> http://lists.opennebula.org/pipermail/users-opennebula.org/2011-December/007233.html
>>
>> ------->8-------------------------
>> If you want to configure x509 authentication in sunstone these are the
>> main steps (beside the apache configuration):
>>
>> Option A:
>> --------------
>> * Sunstone configuration
>> - auth: x509
>> - core_auth: cipher
>>
>> The server will authenticate on behalf of other user using the
>> "serveradmin" user and symmetric encription to generate the token that
>> contains the client username.
>>
>> * Configuration: This is the default behavior and no configuration is
>> needed.
>> - $VAR_LOCATION//.one/sunstone_auth should contain the credentials of
>> the serveradmin user that will be used to encrypt the token
>> - oneuser list should show a serveradmin user with server_cipher auth
>> driver defined.
>>
>> Option B:
>> --------------
>> * Sunstone configuration
>> - auth: x509
>> - core_auth: x509
>>
>> The server will authenticate on behalf of other user using the
>> "serveradmin" user and server certificates to generate the token that
>> contains the client username.
>>
>> * Configuration:
>>
>> http://www.opennebula.org/documentation:rel3.2:cloud_auth?&#x509_encryption
>> - change serveradmin driver to server_x509 instead of server_cipher
>> - edit /etc/one/auth/server_x509_auth.conf to specify the serveradmin
>> user and the server certificates to encrypt the token
>>
>>
>> In both cases the browser will interact with Apache and will
>> authenticate the user. The sunstone server will send this information
>> to OpenNebula using one of the previous options.
>> ------------------8<-------------------
>>
>>
>> On 16 December 2011 00:13, Faarooq Lowe <lowe at fnal.gov> wrote:
>>>
>>> We are still having problems getting sunstone to work with x509
>>> authentication.
>>>
>>> Could someone please advise?
>>>
>>> Here is what we have
>>>
>>> sunstone-server.conf
>>>
>>> # Server Configuration
>>> :host: 127.0.0.1
>>> :port: 9869
>>>
>>> # Authentication driver for incomming requests
>>> #   sunstone, for OpenNebula's user-password scheme
>>> #   x509, for x509 certificates based authentication
>>> #:auth: sunstone
>>> :auth: x509
>>>
>>> # Authentication driver to communicate with OpenNebula core
>>> #   cipher, for symmetric cipher encryption of tokens
>>> #   x509, for x509 certificate encryption of tokens
>>> #:core_auth: server_cipher
>>> :core_auth: x509
>>>
>>> # Life-time in seconds for token renewal (that used to handle OpenNebula
>>> auths)
>>> :token_expiration_delta: 1800
>>>
>>> server_x509_auth.conf
>>>
>>> # User to be used for x509 server authentication
>>>
>>> :srv_user: serveradmin
>>>
>>> # Path to the certificate used by the OpenNebula Services
>>> # Certificates must be in PEM format
>>>
>>> :one_cert: "/etc/grid-security/hostcert.pem"
>>> :one_key: "/etc/grid-security/hostkey.pem"
>>>
>>> serveradmin information
>>>
>>> -bash-3.2$ oneuser show 1
>>> USER 1 INFORMATION
>>> ID             : 1
>>> NAME           : serveradmin
>>> GROUP          : 0
>>> PASSWORD       : <DN with no spaces>
>>> AUTH_DRIVER    : x509
>>> ENABLED        : Yes
>>>
>>> USER TEMPLATE
>>>
>>> Logs
>>>
>>> oned.log
>>>
>>> Thu Dec 15 17:04:28 2011 [AuM][E]: Auth Error: undefined method
>>> `public_key'
>>> for nil:NilClass
>>>
>>> sunstone.log
>>>
>>> 131.225.168.168 - - [15/Dec/2011 17:03:26] "GET / HTTP/1.1" 200 1384
>>> 0.0037
>>> 131.225.168.168 - - [15/Dec/2011 17:04:28] "POST /login HTTP/1.1" 500 61
>>> 0.0802
>>>
>>>
>>>
>>>
>>>
>>> _______________________________________________
>>> Users mailing list
>>> Users at lists.opennebula.org
>>> http://lists.opennebula.org/listinfo.cgi/users-opennebula.org
>>
>>
>>
>>
>>
>
> --
> ------------------------------------------------------------------
> Steven C. Timm, Ph.D  (630) 840-8525
> timm at fnal.gov  http://home.fnal.gov/~timm/
> Fermilab Computing Division, Scientific Computing Facilities,
> Grid Facilities Department, FermiGrid Services Group, Group Leader.
> Lead of FermiCloud project.
> _______________________________________________
> Users mailing list
> Users at lists.opennebula.org
> http://lists.opennebula.org/listinfo.cgi/users-opennebula.org
>



-- 
Daniel Molina
Project Engineer
OpenNebula - The Open Source Toolkit for Data Center Virtualization
www.OpenNebula.org | dmolina at opennebula.org | @OpenNebula

More information about the Users mailing list