Hi,<br><br>2011/11/11 Gian Uberto Lauri <span dir="ltr"><<a href="mailto:saint@eng.it">saint@eng.it</a>></span><br><blockquote style="margin: 0pt 0pt 0pt 0.8ex; border-left: 1px solid rgb(204, 204, 204); padding-left: 1ex;" class="gmail_quote">
Sorry, I do not get you. The Client class in Java OCA wants an user name
and a secret in version 2 and also in version 3 if I am not wrong.<br></blockquote><div><br>Take a look at the javadoc: both parameters can be null, or you can use the constructor without any parameters:<br><a href="http://opennebula.org/doc/3.0/oca/java/org/opennebula/client/Client.html#Client%28%29">http://opennebula.org/doc/3.0/oca/java/org/opennebula/client/Client.html#Client%28%29</a><br>
</div><blockquote style="margin: 0pt 0pt 0pt 0.8ex; border-left: 1px solid rgb(204, 204, 204); padding-left: 1ex;" class="gmail_quote">
So, how does authentication work when I use that such a Client instance to contact OpenNebula from within a Java program ?<br><br>
The Java Program shells out oneuser ? And with which credentials ?<br></blockquote><div><br>The one_auth file is read and sent to the core. It works the same way as the CLI, looking for the file at $ONE_AUTH or, if it is not set, $HOME/.one/one_auth. The credentials must be manually set in that file, preferably with the "oneuser login" command.<br>
<br>I suggest you to take a look at the source code if you need to fully understand this or any other specific aspect. It is not very big or complex, and should be easy to read for anyone familiar with OpenNebula:<br><a href="http://dev.opennebula.org/projects/opennebula/repository/revisions/one-3.0/show/src/oca/java">http://dev.opennebula.org/projects/opennebula/repository/revisions/one-3.0/show/src/oca/java</a><br>
</div><blockquote style="margin: 0pt 0pt 0pt 0.8ex; border-left: 1px solid rgb(204, 204, 204); padding-left: 1ex;" class="gmail_quote">
Or may I have both base authentication and, say LDAP ? It seems I can't
have both base and X509 based authentication if I got well the docs from
release 3.<br></blockquote><div><br>That's right, you can only use one authentication method per user at a time. But you can have different users each one with a different authentication driver, if that's what you meant.<br>
<br></div><blockquote style="margin: 0pt 0pt 0pt 0.8ex; border-left: 1px solid rgb(204, 204, 204); padding-left: 1ex;" class="gmail_quote">
I am asking these questions because I am working on an OCCI front end
that accepts OVF messages and uses OCA to contact OpenNebula, acting as a
sort of translator OVF->Template.<br><br>
Now we are building the authentication part. The OCCI front end uses
certificates based authentication when receiving an user request, and
then it must authenticate itself in OpenNebula with an identity matching
that of the user that did the original request.<br></blockquote><div><br>Good luck!<br> <br></div><blockquote style="margin: 0pt 0pt 0pt 0.8ex; border-left: 1px solid rgb(204, 204, 204); padding-left: 1ex;" class="gmail_quote">
Cutting out any other access to OpenNebula rather than this OCCI
front-end could solve the problem easily, but if I want to let some
users access to the cloud through Sunstone the original solution does
not work well...<br></blockquote><div><br>Regards,<br>Carlos. <br></div>
<br clear="all"><span style="border-collapse:collapse;color:rgb(136, 136, 136);font-family:arial,sans-serif;font-size:13px">--<br>Carlos Martín, MSc<br>Project Engineer<br>OpenNebula - The Open Source Toolkit for Data Center Virtualization<br>
<a href="http://www.OpenNebula.org" target="_blank">www.OpenNebula.org</a> | <a href="mailto:cmartin@opennebula.org" target="_blank">cmartin@opennebula.org</a> | <a href="http://twitter.com/opennebula" target="_blank">@OpenNebula</a></span><span style="border-collapse:collapse;color:rgb(136, 136, 136);font-family:arial, sans-serif;font-size:13px"><a href="mailto:cmartin@opennebula.org" style="color:rgb(42, 93, 176)" target="_blank"></a></span><br>
<br><br><div class="gmail_quote">2011/11/11 Gian Uberto Lauri <span dir="ltr"><<a href="mailto:saint@eng.it">saint@eng.it</a>></span><br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex;">
<div class="im">On 11/11/11 19:05, Carlos Martín Sánchez wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
Hi,<br>
<br>
It should read the token generated by 'oneuser login' and keep working<br>
as usual.<br>
</blockquote>
<br></div>
Sorry, I do not get you. The Client class in Java OCA wants an user name and a secret in version 2 and also in version 3 if I am not wrong.<br>
<br>
So, how does authentication work when I use that such a Client instance to contact OpenNebula from within a Java program ?<br>
<br>
The Java Program shells out oneuser ? And with which credentials ?<br>
<br>
Or may I have both base authentication and, say LDAP ? It seems I can't have both base and X509 based authentication if I got well the docs from release 3.<br>
<br>
I am asking these questions because I am working on an OCCI front end that accepts OVF messages and uses OCA to contact OpenNebula, acting as a sort of translator OVF->Template.<br>
<br>
Now we are building the authentication part. The OCCI front end uses certificates based authentication when receiving an user request, and then it must authenticate itself in OpenNebula with an identity matching that of the user that did the original request.<br>
<br>
Cutting out any other access to OpenNebula rather than this OCCI front-end could solve the problem easily, but if I want to let some users access to the cloud through Sunstone the original solution does not work well...<br>
<br>
<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div class="im">
Regards.<br>
--<br>
Carlos Martín, MSc<br>
Project Engineer<br>
OpenNebula - The Open Source Toolkit for Data Center Virtualization<br>
</div><a href="http://www.OpenNebula.org" target="_blank">www.OpenNebula.org</a> <<a href="http://www.OpenNebula.org" target="_blank">http://www.OpenNebula.org</a>> | <a href="mailto:cmartin@opennebula.org" target="_blank">cmartin@opennebula.org</a><br>
<mailto:<a href="mailto:cmartin@opennebula.org" target="_blank">cmartin@opennebula.org</a><u></u>> | @OpenNebula<br>
<<a href="http://twitter.com/opennebula" target="_blank">http://twitter.com/opennebula</a><u></u>> <mailto:<a href="mailto:cmartin@opennebula.org" target="_blank">cmartin@opennebula.org</a><u></u>><div class="im">
<br>
<br>
<br>
On Fri, Nov 11, 2011 at 5:20 PM, Gian Uberto Lauri <<a href="mailto:saint@eng.it" target="_blank">saint@eng.it</a><br></div><div class="im">
<mailto:<a href="mailto:saint@eng.it" target="_blank">saint@eng.it</a>>> wrote:<br>
<br>
Hello gentlemen!<br>
<br>
JAVA OCA Client object relies on the user/secret authentication. What<br>
happens to OCA when one turns on an external mean of authentication,<br>
maybe certificates or LDAP?<br>
</div></blockquote><div class="HOEnZb"><div class="h5">
<br>
<br>
<br>
-- <br>
ing. Gian Uberto Lauri<br>
Ricercatore / Reasearcher<br>
Laboratorio Ricerca e Sviluppo / Research & Development Lab.<br>
Area Calcolo Distribuito / Distributed Computation Area<br>
<br>
<a href="mailto:GianUberto.Lauri@eng.it" target="_blank">GianUberto.Lauri@eng.it</a><br>
<br>
Engineering Ingegneria Informatica spa<br>
Corso Stati Uniti 23/C, 35127 Padova (PD)<br>
Tel. <a href="tel:%2B39-049.8283.571" value="+390498283571" target="_blank">+39-049.8283.571</a> | main(){printf(&unix["\021%six\<u></u>012\0"],<br>
Fax <a href="tel:%2B39-049.8283.569" value="+390498283569" target="_blank">+39-049.8283.569</a> | (unix)["have"]+"fun"-0x60);}<br>
Skype: gian.uberto.lauri | David Korn, AT&T Bell Labs<br>
<a href="http://www.eng.it" target="_blank">http://www.eng.it</a> | ioccc best One Liner, 1987<br>
</div></div></blockquote></div><br>