[one-users] questions on sunstone and serveradmin with x509
Daniel Molina
dmolina at opennebula.org
Thu Jul 19 04:12:37 PDT 2012
Hi Hyunwoo,
On 18 July 2012 23:57, Hyun Woo Kim <hyunwoo at fnal.gov> wrote:
> Dear ONe developers,
>
> (We are using OpenNebula 3.2)
>
> We are using SunStone GUI with my x509 certificate imported in my
> browser(firefox or chrome)
> which means etc/sunstone-server.conf is configured in the following way,
> :auth: x509
> :core_auth: x509
>
> We also configured so that serveramin uses server_x509.
>
> The manual says that
> for serveradmin who uses server_x509 driver,
> a special-format token will be created which contains
> serveradmin:target_username:secret.
>
> I have two questions:
> 1. I would like to know where this token can be found.
> I guess if I explicitly do "oneuser login serveradmin ",
> it will be created somewhere such as /var/lib/one/.one,
> but in my situation, I do not do it but only use SunStone GUI..
>
This token is dynamically generated in the server and sent to OpenNebula;
no file is required.
>
> 2. When I enable the following line in
> remotes/auth/server_x509/authenticate,
> OpenNebula.log_debug("Authenticating #{user}, with password #{pass}
> (#{secret})")
> oned.log shows the secret part.
> When I perform base64 twice on the secret and then rsa-decode,
> I see serveradmin:serveradmin:1342645861,
> not serveradmin:target_user:1342645861,
> I think this can be expected as server_x509_auth.rb shows,
> def login_token(expire, target_user=nil)
> target_user ||= @options[:srv_user]
> token_txt = "#{@options[:srv_user]}:#{target_user}:#{expire}"
> How can I enable SunStone to pass target_user (who uses SS with a
> certificate) to login_token?
>
There are some actions that are executed as serveradmin (i.e: retrieving
the userpool to authenticate), that's why you get serveradmin as
target_user in some cases.
BTW, updating to OpenNebula 3.6 is recommended since lot of things have
been fixed and improved
Hope this helps.
Cheers
--
Daniel Molina
Project Engineer
OpenNebula - The Open Source Solution for Data Center Virtualization
www.OpenNebula.org | dmolina at opennebula.org | @OpenNebula
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.opennebula.org/pipermail/users-opennebula.org/attachments/20120719/94b5dc1e/attachment-0002.htm>
More information about the Users
mailing list