[one-users] RPC API and PHP (auth pb)
Carlos Martín Sánchez
cmartin at opennebula.org
Mon Mar 25 09:25:22 PDT 2013
Hi,
On Mon, Mar 25, 2013 at 2:48 PM, Nicolas Bélan <nicolas.belan at gmail.com> wrote:
> Hello,
>
> the problem is that the password is in an LDAP tree, and I do not get the clear
> user password from the user (got it in SHA1) through web connection.
>
> I only map ldap[uidnumber] to get various other information (DNS owner,
> SMTP accounting, Support requests and so on).
> I would like to keep avoiding getting clear text password to access
> OpenNebula Interface.
> If it is not possible, I may get access directly to SQL Database, but this
> is not what I would like to do first ...
>
In that case serveradmin is the right approach.
I see in your first email that you already found login_token in
server_cipher_auth.rb. Maybe you were not using the same encryption
algorithm, aes-256-cbc?
Regards
PS: Please reply to the list, more people may find it useful...
--
Carlos Martín, MSc
Project Engineer
OpenNebula - The Open-source Solution for Data Center Virtualization
www.OpenNebula.org <http://www.opennebula.org/> | cmartin at opennebula.org |
@OpenNebula <http://twitter.com/opennebula>
> Regards,
> nicolas.
>
> On 25/03/2013 11:29, Carlos Martín Sánchez wrote:
>
> Hi,
>
> The serveradmin user allows more secure communications, and advanced
> authentication scenarios, like browser certificates [1]. But if you are
> building a simple user interface, you might want to keep things simple and
> use the 'username:password' session token for your xmlrpc requests.
>
> Regards
>
> [1] http://opennebula.org/documentation:rel3.8:sunstone#x509_auth
> --
> Carlos Martín, MSc
> Project Engineer
> OpenNebula - The Open-source Solution for Data Center Virtualization
> www.OpenNebula.org | cmartin at opennebula.org | @OpenNebula<http://twitter.com/opennebula>
>
>
> On Fri, Mar 22, 2013 at 5:46 PM, Nicolas Bélan <nicolas.belan at gmail.com> wrote:
>
>> Hello,
>>
>> Well, I would like to display to users their VMs, networks, images and so
>> on, according to the role and access of each user.
>> So I am trying to use as much as possible OpenNebula RBAC and RPC to
>> retrieve only the right information.
>> The step after is to deploy VMs as user, not as oneadmin or serveradmin,
>> but directly as "user".
>>
>> The service I am building is a very simplified user interface. The step
>> after for the user is to have access to self service, but to begin, I would
>> like to hide some concepts to make cloud access easier.
>>
>> best regards,
>> nicolas
>> On 22 March 2013 at 17:25, Tino Vazquez <tinova at opennebula.org> wrote:
>>
>> > Hi Nicolas,
>> >
>> > serveradmin is used by Sunstone and related interface services. Did
>> > you try it out with other users (ie, oneadmin)?
>> >
>> > Depending on what type of service you are building, you may be
>> > interested indeed in serveradmin. Could you elaborate a bit more on
>> > that?
>> >
>> > Regards
>> > --
>> > Constantino Vázquez Blanco, PhD, MSc
>> > Project Engineer
>> > OpenNebula - The Open-Source Solution for Data Center Virtualization
>> > www.OpenNebula.org | @tinova79 | @OpenNebula
>> >
>> >
>> > On Fri, Mar 22, 2013 at 4:16 PM, Nicolas Bélan <nicolas.belan at gmail.com> wrote:
>> >> Hello the list,
>> >>
>> >> I am trying (unsuccessfully) to call RPM methods.
>> >>
>> >> The problem is that I can not make my user authenticated by code (while
>> >> it is ok with http://localhost:4567/ui)
>> >> I am using version 3.8.3.
>> >>
>> >> I am trying to use serveradmin:<user>:<password> but it does not work
>> >> as written in the documentation.
>> >> Deeply investigating, I found, in
>> >> /usr/lib/one/ruby/server_cipher_auth.rb that the third part is a token,
>> >> but I am not ruby compliant....
>> >> It seems, if I understand, that:
>> >> a string is built with: "serveradmin:username:time()+expire"
>> >> the serveradmin password is used to create a key.
>> >> This key is then used to cipher (salted ?) the previous string.
>> >> The result is then appended like that:
>> >> "serveradmin:username:cipher(key,serveradmin:username:time()+expire)"
>> >> and sent as the first parameter of the rpc call.
>> >> Am I completely wrong?
>> >> For example:
>> >>
>> >> serveradmin:user_example:PWyaJz96iwdYldYoPHXWZYkBMbuvKIEXiTVb0WuAHURYuQ2Dzmhnzjm0JDNCMchB
>> >>
>> >> Using Perl, I failed to authenticate user ....
>> >> Using tcpdump, it seems that the third part is quite constant during a
>> >> certain lapse of time ...
>> >> So, I may be wrong with my time() expire part ....
>> >> Can you help me writing this part of code? Perl or PHP are welcome ;)
>> >>
>> >> Thank you for your help
>> >>
>> >> Best regards,
>> >> Nicolas.
>> >>
>> >>
>> >>
>> >>
>> >>
>> >>
>> >> _______________________________________________
>> >> Users mailing list
>> >> Users at lists.opennebula.org
>> >> http://lists.opennebula.org/listinfo.cgi/users-opennebula.org
>> >>
>>
>
>
>
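
The token layout discussed in this thread, as an added Ruby example that is not taken from server_cipher_auth.rb or written by either poster. Only the `srv_user:target_user:expire` plaintext and aes-256-cbc come from the thread; the key derivation (first 32 bytes of the SHA-1 hex digest of the serveradmin password), the all-zero IV, the Base64 encoding, and the names `derive_key`, `run_cipher` and `check_token` are assumptions to verify against the installed file.

```ruby
require "openssl"
require "digest"
require "base64"

CIPHER = "aes-256-cbc" # algorithm named in the reply above

# ASSUMPTION: key = first 32 bytes of the SHA-1 hex digest of the password.
def derive_key(srv_passwd)
  Digest::SHA1.hexdigest(srv_passwd)[0, 32]
end

def run_cipher(mode, key, data)
  c = OpenSSL::Cipher.new(CIPHER)
  mode == :encrypt ? c.encrypt : c.decrypt
  c.key = key
  c.iv  = "\0" * 16 # ASSUMPTION: fixed all-zero IV, so tokens are deterministic
  c.update(data) + c.final
end

# Builds "srv_user:target_user:base64(cipher(srv_user:target_user:expire))".
def login_token(srv_user, srv_passwd, target_user, expire)
  plain = "#{srv_user}:#{target_user}:#{expire}"
  enc   = run_cipher(:encrypt, derive_key(srv_passwd), plain)
  "#{srv_user}:#{target_user}:#{Base64.strict_encode64(enc)}"
end

# Server-side view (hypothetical): decrypt, then require that the encrypted
# names match the clear-text prefix and that the expiry is still in the future.
def check_token(token, srv_passwd, now)
  srv_user, target_user, b64 = token.split(":", 3)
  return nil if b64.nil?
  plain = run_cipher(:decrypt, derive_key(srv_passwd), Base64.strict_decode64(b64))
  s, u, expire = plain.split(":", 3)
  return nil unless s == srv_user && u == target_user && expire.to_i > now
  target_user
rescue OpenSSL::Cipher::CipherError, ArgumentError
  nil # wrong key, corrupted ciphertext or invalid Base64
end
```

Under these assumptions the same expiry value always yields the same third field, and a 35-character plaintext pads to three AES blocks, which is 64 Base64 characters.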