Hello Daniel,
Thanks for your answer, unfortunately we still don't manage to connect with a
server_* user on the behalf of another normal user.
This is basically what we do, let us know if we do something wrong:
{
string expires = DateTime.Now.Subtract(new DateTime(1970,1,1,0,0,0,
DateTimeKind.Utc)).TotalSeconds + 3600 + "";
string token_encrypted = Encrypt(this.AdminUsername + ":" +
this.TargetUsername + ":" + expires, this.AdminPassword);
//this.AdminUsername = server_* user name
//this.TargetUsername = normal user name (target user)
//this.AdminPassword = server_* user password (SHA1 encrypted)
//Encrypt do the equivalent of the AES 256 CBC openssl encryption (cf
https://gist.github.com/scottlowe/1411917, we just removed the salt part)
session_SHA = this.AdminUsername + ":" + this.TargetUsername + ":" +
token_encrypted;
//session_SHA is the token used to authenticate on a request
}
Thanks
Best regards
Enguerran Boissier
www.terradue.com
On 28 Jul 2014, at 10:45, Daniel Molina <[email protected]> wrote:
> Hi Cesare,
>
> The server_* authentication is a special method where a user can authenticate
> on behalf of other user. This method was included in OpenNebula for scenarios
> such as an Apache server configured to use x509 certificates, Apache has
> already authenticated the user and we just encrypt a token with the
> serveradmin credentials and OpenNebula will decrypt the token and will
> perform all the actions as the target_username.
>
> Users using the server_* auth method are special users and should not have
> any resource.
>
> You can see an example on how Sunstone uses this method:
> A user logs in:
> https://github.com/OpenNebula/one/blob/master/src/sunstone/sunstone-server.rb#L169
> do_auth is called to authenticate the user:
> https://github.com/OpenNebula/one/blob/master/src/cloud/common/CloudAuth/SunstoneCloudAuth.rb#L18
> a token is generated using the server_* method
> https://github.com/OpenNebula/one/blob/master/src/authm_mad/remotes/server_cipher/server_cipher_auth.rb#L85
> this info is sent to one and then checked by the auth driver:
> https://github.com/OpenNebula/one/blob/master/src/authm_mad/remotes/server_cipher/server_cipher_auth.rb#L110
>
> Hope this helps
>
> http://docs.opennebula.org/4.6/administration/sunstone_gui/cloud_auth.html
>
>
>
>
> On 25 July 2014 12:39, Cesare Rossi <[email protected]> wrote:
> Dear All,
>
> we are interacting with the XML-RPC API. We are trying to perform the special
> authentication method available with the users' drivers server_cipher or
> server_x509 (i.e. using username:target_username:secret), but it seems not
> working.
>
> The question is: is it possible to use with that API such kind of users ? If
> yes, how ?
>
> Thanks in advance,
>
> Cheers
>
> Cesare Rossi
> Terradue
> Rome, Italy | Oxford, UK
> http://www.terradue.com
>
>
>
>
> _______________________________________________
> Dev mailing list
> [email protected]
> http://lists.opennebula.org/listinfo.cgi/dev-opennebula.org
>
>
>
>
> --
> --
> Daniel Molina
> Project Engineer
> OpenNebula - Flexible Enterprise Cloud Made Simple
> www.OpenNebula.org | [email protected] | @OpenNebula
_______________________________________________
Dev mailing list
[email protected]
http://lists.opennebula.org/listinfo.cgi/dev-opennebula.org