[one-users] Dummy Authentication driver available (for Kerberos authentication and others)?

Steven Timm timm at fnal.gov
Tue Sep 27 18:32:37 PDT 2011

Hi Graeme--

I'm not an OpenNebula developer...our organization currently
has requirements similar to yours except that for some cases
we also allow X.509 authentication.  We had to make the choice
which would be easier to implement and it was one of our developers
who contributed the code for the X.509 plugin.

The authorization/authentication of OpenNebula is pluggable,
as long as you add the right plugin to it.  In the case of X.509
there's one module which the command line, Sunstone, econe,
and occi all call.

One of the reasons we didn't push to do Kerberos instead is what
it would take to securely push the Kerberos credentials across the web.
I'm not familiar with the details of mod_auth_kerb but hopefully it
doesn't send the Kerberos password across the web in the clear.  We
effectively have Kerberos authentication because we have hooked up
our Kerberos server to a SLCS short-lived certificate server to
make X.509 certificates based on the Kerberos credential.

Steve Timm

On Wed, 28 Sep 2011, Graeme Gillies wrote:

> Hi,
> I am currently evaluating OpenNebula 3.0 for use within our
> organization, and one of our security requirements is that all our
> systems use Kerberos authentication where possible.
> In my current deployment scenario, users will be interacting with
> OpenNebula via Sunstone. I see that currently Sunstone supports
> normal form-based authentication, and x509 authentication where you
> rely on apache/lighttpd/whatever in front of Sunstone to actually
> authenticate the user (in this case via 2-way SSL auth) and then
> Sunstone just accepts the user as authenticated.
> What I'd like to do, is use apache with mod_auth_kerb to authenticate
> users in apache via kerberos, and then have sunstone accept the user
> as authenticated from apache (similar to how the x509 auth works).
> Mod_auth_kerb simply sets the CGI value of REMOTE_USER to the
> authenticated user once authentication is complete, and I'm wondering
> if there is some sort of "dummy" auth module for sunstone that simply
> takes the user as supplied via a header or CGI variable and uses it,
> trusting the layer in front of it to authenticate the user correctly.
> If not, is this something worth me lodging a feature request for? Or
> lodging a feature request to have Kerberos/GSSAPI authentication
> implemented across opennebula in general?
> Regards,
> Graeme

Steven C. Timm, Ph.D  (630) 840-8525
timm at fnal.gov  http://home.fnal.gov/~timm/
Fermilab Computing Division, Scientific Computing Facilities,
Grid Facilities Department, FermiGrid Services Group, Group Leader.
Lead of FermiCloud project.
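
The "trust the layer in front" pattern discussed in this thread, sketched as an added example; it is not part of either message and is not OpenNebula or Sunstone code. The `X-Remote-User` header name, the proxy address list, the realm and the function name are assumptions made for illustration.

```ruby
# Added example: resolve the user asserted by an authenticating front end.
# TRUSTED_PROXIES and the X-Remote-User header are hypothetical choices.
require 'ipaddr'

TRUSTED_PROXIES = [IPAddr.new('127.0.0.1'), IPAddr.new('::1')].freeze
USER_HEADER = 'HTTP_X_REMOTE_USER' # Rack/CGI key for an X-Remote-User header
PRINCIPAL_RE = /\A([A-Za-z0-9._-]{1,64})(?:@([A-Za-z0-9.-]{1,255}))?\z/

# Returns the local user name, or nil when the request must not be treated
# as authenticated. env is a Rack/CGI-style environment hash.
def asserted_user(env, allowed_realm:)
  # REMOTE_USER is set by the web server itself (for example by
  # mod_auth_kerb), never by the client, so it is used first.
  principal = env['REMOTE_USER']
  if principal.nil? || principal.empty?
    # A header can be sent by anyone who reaches the backend directly:
    # accept it only when the TCP peer is the authenticating proxy.
    peer = begin
      IPAddr.new(env['REMOTE_ADDR'].to_s)
    rescue IPAddr::Error
      return nil
    end
    return nil unless TRUSTED_PROXIES.any? { |proxy| proxy == peer }
    principal = env[USER_HEADER]
  end
  m = PRINCIPAL_RE.match(principal.to_s)
  return nil unless m # rejects empty values, whitespace, newlines, extra '@'
  user, realm = m[1], m[2]
  # A Kerberos principal arrives as user@REALM; refuse foreign realms.
  # A bare name is taken as already mapped by the front end.
  return nil if realm && realm != allowed_realm
  user
end
```

The backend should also listen only on an interface the proxy can reach, and the proxy should drop any client-supplied copy of the header before setting its own.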
