[one-users] What happens to JAVA OCA if I turn on certificate based authentication ?

Carlos Martín Sánchez cmartin at opennebula.org
Tue Nov 15 09:51:17 PST 2011


Hi,

2011/11/11 Gian Uberto Lauri <saint at eng.it>

> Sorry, I do not get you. The Client class in Java OCA wants an user name
> and a secret in version 2 and also in version 3 if I am not wrong.
>

Take a look at the javadoc: both parameters can be null, or you can use the
constructor without any parameters:
http://opennebula.org/doc/3.0/oca/java/org/opennebula/client/Client.html#Client%28%29


> So, how does authentication work when I use that such a Client instance to
> contact OpenNebula from within a Java program ?
>
> The Java Program shells out oneuser ? And with which credentials ?
>

The one_auth file is read and sent to the core. It works the same way as
the CLI, looking for the file at $ONE_AUTH or, if it is not set,
$HOME/.one/one_auth. The credentials must be manually set in that file,
preferably with the "oneuser login" command.

I suggest you to take a look at the source code if you need to fully
understand this or any other specific aspect. It is not very big or
complex, and should be easy to read for anyone familiar with OpenNebula:
http://dev.opennebula.org/projects/opennebula/repository/revisions/one-3.0/show/src/oca/java


> Or may I have both base authentication and, say LDAP ? It seems I can't
> have both base and X509 based authentication if I got well the docs from
> release 3.
>

That's right, you can only use one authentication method per user at a
time. But you can have different users each one with a different
authentication driver, if that's what you meant.


> I am asking these questions because I am working on an OCCI front end that
> accepts OVF messages and uses OCA to contact OpenNebula, acting as a sort
> of translator OVF->Template.
>
> Now we are building the authentication part. The OCCI front end uses
> certificates based authentication when receiving an user request, and then
> it must authenticate itself in OpenNebula with an identity matching that of
> the user that did the original request.
>

Good luck!


> Cutting out any other access to OpenNebula rather than this OCCI front-end
> could solve the problem easily, but if I want to let some users access to
> the cloud through Sunstone the original solution does not work well...
>

Regards,
Carlos.

--
Carlos Martín, MSc
Project Engineer
OpenNebula - The Open Source Toolkit for Data Center Virtualization
www.OpenNebula.org | cmartin at opennebula.org |
@OpenNebula<http://twitter.com/opennebula><cmartin at opennebula.org>


2011/11/11 Gian Uberto Lauri <saint at eng.it>

> On 11/11/11 19:05, Carlos Martín Sánchez wrote:
>
>> Hi,
>>
>> It should read the token generated by 'oneuser login' and keep working
>> as usual.
>>
>
> Sorry, I do not get you. The Client class in Java OCA wants an user name
> and a secret in version 2 and also in version 3 if I am not wrong.
>
> So, how does authentication work when I use that such a Client instance to
> contact OpenNebula from within a Java program ?
>
> The Java Program shells out oneuser ? And with which credentials ?
>
> Or may I have both base authentication and, say LDAP ? It seems I can't
> have both base and X509 based authentication if I got well the docs from
> release 3.
>
> I am asking these questions because I am working on an OCCI front end that
> accepts OVF messages and uses OCA to contact OpenNebula, acting as a sort
> of translator OVF->Template.
>
> Now we are building the authentication part. The OCCI front end uses
> certificates based authentication when receiving an user request, and then
> it must authenticate itself in OpenNebula with an identity matching that of
> the user that did the original request.
>
> Cutting out any other access to OpenNebula rather than this OCCI front-end
> could solve the problem easily, but if I want to let some users access to
> the cloud through Sunstone the original solution does not work well...
>
>
>  Regards.
>> --
>> Carlos Martín, MSc
>> Project Engineer
>> OpenNebula - The Open Source Toolkit for Data Center Virtualization
>> www.OpenNebula.org <http://www.OpenNebula.org> | cmartin at opennebula.org
>> <mailto:cmartin at opennebula.org**> | @OpenNebula
>> <http://twitter.com/opennebula**> <mailto:cmartin at opennebula.org**>
>>
>>
>>
>> On Fri, Nov 11, 2011 at 5:20 PM, Gian Uberto Lauri <saint at eng.it
>> <mailto:saint at eng.it>> wrote:
>>
>>    Hello gentlemen!
>>
>>    JAVA OCA Client object relies  on the user/secret authentication. What
>>    happens to OCA  when one turns on an external  mean of authentication,
>>    maybe certificates or LDAP?
>>
>
>
>
> --
> ing. Gian Uberto Lauri
> Ricercatore / Reasearcher
> Laboratorio Ricerca e Sviluppo / Research & Development Lab.
> Area Calcolo Distribuito / Distributed Computation Area
>
> GianUberto.Lauri at eng.it
>
> Engineering Ingegneria Informatica spa
> Corso Stati Uniti 23/C, 35127 Padova (PD)
> Tel. +39-049.8283.571         | main(){printf(&unix["\021%six\**012\0"],
> Fax  +39-049.8283.569             |    (unix)["have"]+"fun"-0x60);}
> Skype: gian.uberto.lauri          |          David Korn, AT&T Bell Labs
> http://www.eng.it                         |          ioccc best One
> Liner, 1987
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.opennebula.org/pipermail/users-opennebula.org/attachments/20111115/8989b4a2/attachment-0002.htm>


More information about the Users mailing list