[one-users] One, occi, and x509 authentication

Daniel Molina dmolina at opennebula.org
Wed Nov 23 06:47:29 PST 2011 

Dear Ruben,

On 23 November 2011 09:46, Ruben Diez <rdiez at cesga.es> wrote:
> Hi:
>
> According with the documentation at
> http://opennebula.org/documentation:rel3.0:x509_auth#opennebula_configuration_for_using_x509_with_the_public_cloud_servers_and_sunstone
> seems that when x509 authentication is used, both OpenNebula and all public
> cloud servers can't use the plain authentication.....
>

It is not recommended because there are security issues if both
systems are activated, but you can use them at the same time. .

In OpenNebula 3.0 if you want to authenticate using x509 certificates
you have to activate the AUTH_MAD driver specifying the different
drivers you want to use.

AUTH_MAD = [
    executable = "one_auth_mad",
    arguments = " --authn server,x509"
]

The user will specify the method he wants to use to authenticate
against OpenNebula in each request adding this information to the
token that is sent to ONE.

TOKEN: "username:x509:signedtoken"
TOKEN: "username:server:signedtoken"

If a user wants to authenticate using x509, his password must contain
the certificate's DN. The x509 configuration for Public servers
requires a new layer to handle the certificate authentication (i.e.
Apache). The user will add his certificate to the browser and Apache
will validate it, after that Sunstone server will retrieve the user
whose password contains the certificate's DN.

If the plain method is activated along with the previous ones, a user
with access to the OpenNebula XMLRPC API could generate a token using
the plain method containing the user certificate's DN and will be
authenticated as that user.

TOKEN: "username:plain:/DC=es/O=one/CN=user|/DC=us/O=two/CN=user"

Therefore if you want to activate both methods, the XMLRPC API should
be exposed in a trusted environment, otherwise a person could connect
on behalf of another user if he knows his DN.

To sum up if you want to use both methods you should:
1. Configure OCCI Server to use x509 authentication. Users cannot
bypass the authentication system (changing the auth method) because
the token is generated by the Server.
2. Sunstone can be exposed publicly using the basic authentication
because the token is also generated by the Server.
3. Keep XMLRPC API in a trusted environment.

These problems have been resolved for OpenNebula 3.2. In this new
version the authentication method is associated to the user instead of
being specified in the request by the user. During this week we will
publish a new post in a our blog showing the new behavior.

If you have any doubts do not hesitate to ask us.

Kind regards.


> We would desire ONLY the occi server to use x509 authentication, but ALL
> other stuff (one, sunstone) remains using the plain method....
>
> Is this possible ?
>
> Regards
>
> _______________________________________________
> Users mailing list
> Users at lists.opennebula.org
> http://lists.opennebula.org/listinfo.cgi/users-opennebula.org
>



-- 
Daniel Molina
Project Engineer
OpenNebula - The Open Source Toolkit for Data Center Virtualization
www.OpenNebula.org | dmolina at opennebula.org | @OpenNebula

More information about the Users mailing list