[one-users] questions on sunstone and serveradmin with x509

Daniel Molina dmolina at opennebula.org
Thu Jul 19 04:12:37 PDT 2012


Hi Hyunwoo,

On 18 July 2012 23:57, Hyun Woo Kim <hyunwoo at fnal.gov> wrote:

> Dear ONe developers,
>
> (We are using OpenNebula 3.2)
>
> We are using SunStone GUI with my x509 certificate imported in my
> browser (Firefox or Chrome)
> which means etc/sunstone-server.conf is configured in the following way,
>    :auth: x509
>    :core_auth: x509
>
> We also configured so that serveradmin uses server_x509.
>
> The manual says that
> for serveradmin who uses server_x509 driver,
> a special-format token will be created which contains
> serveradmin:target_username:secret.
>
> I have two questions:
> 1. I would like to know where this token can be found.
>     I guess if I explicitly do "oneuser login serveradmin   ",
>     it will be created somewhere such as /var/lib/one/.one,
>    but in my situation, I do not do it but only use SunStone GUI..
>

This token is dynamically generated in the server and sent to OpenNebula;
no file is required.


>
> 2. When I enable the following line in
> remotes/auth/server_x509/authenticate,
> OpenNebula.log_debug("Authenticating #{user}, with password #{pass} (#{secret})")
>     oned.log shows the secret part.
>   When I perform base64 twice on the secret and then rsa-decode,
>   I see serveradmin:serveradmin:1342645861,
>  not     serveradmin:target_user:1342645861,
> I think this can be expected as server_x509_auth.rb shows,
>   def login_token(expire, target_user=nil)
>         target_user ||= @options[:srv_user]
>         token_txt   =   "#{@options[:srv_user]}:#{target_user}:#{expire}"
>    How can I enable SunStone to pass target_user (who uses SS with a
> certificate) to login_token?
>

There are some actions that are executed as serveradmin (i.e., retrieving
the userpool to authenticate); that's why you get serveradmin as
target_user in some cases.

BTW, updating to OpenNebula 3.6 is recommended since a lot of things have
been fixed and improved.

Hope this helps.

Cheers

-- 
Daniel Molina
Project Engineer
OpenNebula - The Open Source Solution for Data Center Virtualization
www.OpenNebula.org | dmolina at opennebula.org | @OpenNebula
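
Added example (not part of the original messages and not OpenNebula's own code): a Ruby round trip of the `srv_user:target_user:expire` token discussed in this thread, showing how the decoded fields tell a serveradmin-only call from a delegated one and whether the token has expired. The helper names, the throwaway RSA key and the username `alice` are constructed for illustration, and the "RSA, then base64 twice" layering is an assumption taken from the poster's description.

```ruby
require 'openssl'

# Token text layout quoted in the thread: srv_user:target_user:expire.
def build_token_text(srv_user, expire, target_user = nil)
  target_user ||= srv_user # same fallback as the quoted login_token
  "#{srv_user}:#{target_user}:#{expire}"
end

# Assumption (from the poster's description): RSA private-key encryption,
# then two layers of base64. pack('m0') is base64 without line breaks.
def encode_secret(token_txt, key)
  [[key.private_encrypt(token_txt)].pack('m0')].pack('m0')
end

# Reverse of encode_secret: strip both base64 layers, then RSA-decode
# with the public half of the key.
def decode_secret(secret, public_key)
  public_key.public_decrypt(secret.unpack1('m').unpack1('m'))
end

# Split a decoded token and report who it acts for, whether it is
# delegated to another user, and whether it has expired.
def inspect_token(token_txt, now = Time.now.to_i)
  srv_user, target_user, expire = token_txt.split(':', 3)
  unless [srv_user, target_user].none? { |f| f.nil? || f.empty? } &&
         expire.to_s.match?(/\A\d+\z/)
    raise ArgumentError, 'malformed token'
  end
  { srv_user: srv_user, target_user: target_user, expire: expire.to_i,
    delegated: srv_user != target_user, expired: expire.to_i <= now }
end

if __FILE__ == $PROGRAM_NAME
  key = OpenSSL::PKey::RSA.new(2048) # throwaway key, constructed for the demo
  expire = 1342645861                # timestamp quoted in the thread
  [nil, 'alice'].each do |target|    # 'alice' is a constructed username
    secret = encode_secret(build_token_text('serveradmin', expire, target), key)
    p inspect_token(decode_secret(secret, key.public_key), expire - 60)
  end
end
```

The first printed hash has `delegated: false`, matching the `serveradmin:serveradmin:...` value seen in the log for calls Sunstone makes on its own behalf; the second shows the delegated form.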