[one-users] Sunstone and x509 Authentication

Steven Timm timm at fnal.gov
Fri Dec 16 08:55:12 PST 2011 

On Fri, 16 Dec 2011, Daniel Molina wrote:

> On 16 December 2011 16:08, Steven Timm <timm at fnal.gov> wrote:
>> On Fri, 16 Dec 2011, Daniel Molina wrote:
>>
>>> Dear Farooq,
>>>
>>> I think the problem is the driver assigned to serveradmin (x509), you
>>> must change it to server_x509 [1]. Otherwise it will not use the
>>> certificates specified in server_x509_auht.conf. x509 driver should be
>>> used by regular users and not by the "server" user.
>>>
>>> So there are two users in this scenario:
>>> 1. The user that is trying to authenticate using Sunstone. This user
>>> should have the driver x509 and his DN as password.
>>> 2. The user used by Sunstone sever (serveradmin) to interact with
>>> OpenNebula. This user should have the driver server_x509 and his
>>> server certificate DNas password.
>>
>>
>> Then  the documentation of the oneuser command should be modified
>> to indicate that server_x509 is a legal option in the
>> oneuser chauth subcommand.  It's not listed either in the command
>> usage or on the web page.
>
> The legal values for the auth driver are defined in the oned.conf. But
> yes, maybe we should add this information to the oneuser help.
> arguments  = "--authn ssh,x509,ldap,server_cipher,server_x509"
>

In our oned.conf we currently have
AUTH_MAD = [
     executable = "one_auth_mad",
     arguments  = "--authn x509,server_x509"
]

There is at least one web page that says it should still be
x509,server

Which is right?

Steve Timm



>>
>> Also, what about the oneadmin user, user 0.. should that be server_x509 too
>> or should that still be x509 driver?
>>
>
> If you want to use oneadmin through sunstone you have to set x509
> driver for him (as a regular user), so he can login through sunstone
> and the cli. The server_x509 should be only used by the serveradmin
> user.
>
>> [root at fgitb317 one]# oneuser show 1
>>
>> USER 1 INFORMATION
>> ID             : 1
>> NAME           : serveradmin
>> GROUP          : 0
>> PASSWORD       : /DC=org/DC=doegrids/OU=Services/CN=fgitb317.fnal.gov
>>
>> AUTH_DRIVER    : x509
>
> It must be "server_x509"
>
>> ENABLED        : Yes
>>
>> USER TEMPLATE
>>
>> [root at fgitb317 one]#
>> [root at fgitb317 one]# oneuser show 0
>> USER 0 INFORMATION
>> ID             : 0
>> NAME           : oneadmin
>> GROUP          : 0
>> PASSWORD       : /DC=org/DC=doegrids/OU=Services/CN=fgitb317.fnal.gov
>>
>> AUTH_DRIVER    : x509
>> ENABLED        : Yes
>>
>> USER TEMPLATE
>>
>> [root at fgitb317 one]#
>>
>>   * chauth <userid> <auth> [<password>]
>>        Changes the User's auth driver
>>        valid options: read_file, sha1, ssh, x509, key, cert, driver
>>
>>
>>
>>
>>>
>>> Also, you should check that the (unix) user running oned and
>>> sunstone-server has permission to read the certificates specified in
>>> server_x509_auth.conf.
>>>
>>> BTW it would be nice to use the same thread for issues related to the
>>> x509 configuration instead of opening new ones, so other users can
>>> benefit from it.
>>>
>>> Kind Regards
>>>
>>> [1]
>>> http://lists.opennebula.org/pipermail/users-opennebula.org/2011-December/007233.html
>>>
>>> ------->8-------------------------
>>> If you want to configure x509 authentication in sunstone these are the
>>> main steps (beside the apache configuration):
>>>
>>> Option A:
>>> --------------
>>> * Sunstone configuration
>>> - auth: x509
>>> - core_auth: cipher
>>>
>>> The server will authenticate on behalf of other user using the
>>> "serveradmin" user and symmetric encription to generate the token that
>>> contains the client username.
>>>
>>> * Configuration: This is the default behavior and no configuration is
>>> needed.
>>> - $VAR_LOCATION//.one/sunstone_auth should contain the credentials of
>>> the serveradmin user that will be used to encrypt the token
>>> - oneuser list should show a serveradmin user with server_cipher auth
>>> driver defined.
>>>
>>> Option B:
>>> --------------
>>> * Sunstone configuration
>>> - auth: x509
>>> - core_auth: x509
>>>
>>> The server will authenticate on behalf of other user using the
>>> "serveradmin" user and server certificates to generate the token that
>>> contains the client username.
>>>
>>> * Configuration:
>>>
>>> http://www.opennebula.org/documentation:rel3.2:cloud_auth?&#x509_encryption
>>> - change serveradmin driver to server_x509 instead of server_cipher
>>> - edit /etc/one/auth/server_x509_auth.conf to specify the serveradmin
>>> user and the server certificates to encrypt the token
>>>
>>>
>>> In both cases the browser will interact with Apache and will
>>> authenticate the user. The sunstone server will send this information
>>> to OpenNebula using one of the previous options.
>>> ------------------8<-------------------
>>>
>>>
>>> On 16 December 2011 00:13, Faarooq Lowe <lowe at fnal.gov> wrote:
>>>>
>>>> We are still having problems getting sunstone to work with x509
>>>> authentication.
>>>>
>>>> Could someone please advise?
>>>>
>>>> Here is what we have
>>>>
>>>> sunstone-server.conf
>>>>
>>>> # Server Configuration
>>>> :host: 127.0.0.1
>>>> :port: 9869
>>>>
>>>> # Authentication driver for incomming requests
>>>> #   sunstone, for OpenNebula's user-password scheme
>>>> #   x509, for x509 certificates based authentication
>>>> #:auth: sunstone
>>>> :auth: x509
>>>>
>>>> # Authentication driver to communicate with OpenNebula core
>>>> #   cipher, for symmetric cipher encryption of tokens
>>>> #   x509, for x509 certificate encryption of tokens
>>>> #:core_auth: server_cipher
>>>> :core_auth: x509
>>>>
>>>> # Life-time in seconds for token renewal (that used to handle OpenNebula
>>>> auths)
>>>> :token_expiration_delta: 1800
>>>>
>>>> server_x509_auth.conf
>>>>
>>>> # User to be used for x509 server authentication
>>>>
>>>> :srv_user: serveradmin
>>>>
>>>> # Path to the certificate used by the OpenNebula Services
>>>> # Certificates must be in PEM format
>>>>
>>>> :one_cert: "/etc/grid-security/hostcert.pem"
>>>> :one_key: "/etc/grid-security/hostkey.pem"
>>>>
>>>> serveradmin information
>>>>
>>>> -bash-3.2$ oneuser show 1
>>>> USER 1 INFORMATION
>>>> ID             : 1
>>>> NAME           : serveradmin
>>>> GROUP          : 0
>>>> PASSWORD       : <DN with no spaces>
>>>> AUTH_DRIVER    : x509
>>>> ENABLED        : Yes
>>>>
>>>> USER TEMPLATE
>>>>
>>>> Logs
>>>>
>>>> oned.log
>>>>
>>>> Thu Dec 15 17:04:28 2011 [AuM][E]: Auth Error: undefined method
>>>> `public_key'
>>>> for nil:NilClass
>>>>
>>>> sunstone.log
>>>>
>>>> 131.225.168.168 - - [15/Dec/2011 17:03:26] "GET / HTTP/1.1" 200 1384
>>>> 0.0037
>>>> 131.225.168.168 - - [15/Dec/2011 17:04:28] "POST /login HTTP/1.1" 500 61
>>>> 0.0802
>>>>
>>>>
>>>>
>>>>
>>>>
>>>> _______________________________________________
>>>> Users mailing list
>>>> Users at lists.opennebula.org
>>>> http://lists.opennebula.org/listinfo.cgi/users-opennebula.org
>>>
>>>
>>>
>>>
>>>
>>
>> --
>> ------------------------------------------------------------------
>> Steven C. Timm, Ph.D  (630) 840-8525
>> timm at fnal.gov  http://home.fnal.gov/~timm/
>> Fermilab Computing Division, Scientific Computing Facilities,
>> Grid Facilities Department, FermiGrid Services Group, Group Leader.
>> Lead of FermiCloud project.
>> _______________________________________________
>> Users mailing list
>> Users at lists.opennebula.org
>> http://lists.opennebula.org/listinfo.cgi/users-opennebula.org
>>
>
>
>
>

-- 
------------------------------------------------------------------
Steven C. Timm, Ph.D  (630) 840-8525
timm at fnal.gov  http://home.fnal.gov/~timm/
Fermilab Computing Division, Scientific Computing Facilities,
Grid Facilities Department, FermiGrid Services Group, Group Leader.
Lead of FermiCloud project.

More information about the Users mailing list