[one-users] ServerAdmin Authentication String
Daniel Molina
dmolina at opennebula.org
Thu Jun 27 04:04:49 PDT 2013

Hi Ricardo,

On 27 June 2013 11:11, Ricardo Duarte <rjtd21 at hotmail.com> wrote:
> Hi there,
>
> Can someone explain to me how can I generate the "secret" to use with
> serveradmin impersonation?
>
> username:target_username:secret
>
> Docs say "The core daemon understands a request with this authentication
> session token as “perform this operation on behalf of target_user”. The
> “secret” part of the token is signed with one of the two mechanisms
> explained below. ", but there is nothing below this statement
>
> http://opennebula.org/documentation:archives:rel3.8:cloud_auth
>
>
Indeed, the documentation is missing that information.

Basically, the mechanism is as follows:

When creating a new client, you have to provide a token (CloudAuth.rb):

    Client.new(token, XMLRPC_ENDPOINT)

The content of this token is:

    "#{@srv_user}:#{target_user}:#{token64}"

and is generated using the login_token method in server_cipher_auth.rb
and the token64 is generated as follows:

* token64 content: "#{@srv_user}:#{target_user}:#{expire}"
  - "expire" is the token expiration time generated in CloudAuth.rb:
        @token_expiration_time = time_now + EXPIRE_DELTA
* This token is encrypted using aes-256-cbc
* After that, the encrypted token is encoded using base64

If you use server_x509 instead, the token64 is generated in the same way
but encrypted using x509 certificates (server_x509_auth.rb)

Hope this helps, if you need further information please do not hesitate to
ask me anything.

Cheers
--
Join us at OpenNebulaConf2013 <http://opennebulaconf.com/> in Berlin, 24-26
September, 2013
--
Daniel Molina
Project Engineer
OpenNebula - The Open Source Solution for Data Center Virtualization
www.OpenNebula.org | dmolina at opennebula.org | @OpenNebula
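
The token layout described in the reply above, as an added Ruby example that is not part of the original message and is not OpenNebula's code. The post does not say how the AES key or IV are handled, so the SHA-256 key derivation, the random IV prepended to the ciphertext, and the `verify_token` helper are assumptions made for illustration; check server_cipher_auth.rb for what your release actually does.

```ruby
require 'openssl'
require 'base64'
require 'digest'

CIPHER = 'aes-256-cbc' # cipher named in the post

# Assumption: 32-byte key derived from the shared secret with SHA-256.
def derive_key(secret)
  Digest::SHA256.digest(secret)
end

# Builds "srv_user:target_user:token64" with the layout given in the post.
def login_token(srv_user, target_user, expire, secret)
  cipher = OpenSSL::Cipher.new(CIPHER)
  cipher.encrypt
  cipher.key = derive_key(secret)
  iv = cipher.random_iv # assumption: fresh IV, stored in front of the ciphertext
  plain = "#{srv_user}:#{target_user}:#{expire}"
  token64 = Base64.strict_encode64(iv + cipher.update(plain) + cipher.final)
  "#{srv_user}:#{target_user}:#{token64}"
end

# Hypothetical verifier: returns the target user, or nil if the token is
# malformed, expired, or its cleartext prefix disagrees with the encrypted part.
def verify_token(token, secret, now = Time.now.to_i)
  srv_user, target_user, token64 = token.split(':', 3)
  return nil unless token64

  raw = Base64.strict_decode64(token64)
  return nil if raw.bytesize < 32 # 16-byte IV plus at least one block

  cipher = OpenSSL::Cipher.new(CIPHER)
  cipher.decrypt
  cipher.key = derive_key(secret)
  cipher.iv = raw[0, 16]
  plain = cipher.update(raw[16..-1]) + cipher.final

  s, t, expire = plain.split(':', 3)
  return nil unless s == srv_user && t == target_user
  return nil unless expire.to_s.match?(/\A\d+\z/) && expire.to_i > now

  target_user
rescue ArgumentError, OpenSSL::Cipher::CipherError
  nil
end
```

AES-CBC on its own does not authenticate the ciphertext, so the verifier here depends on comparing the decrypted fields with the cleartext prefix and on the expiry check.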