Hello Daniel,
Thanks for your answer, unfortunately we still don't manage to connect with a 
server_* user on the behalf of another normal user.
This is basically what we do, let us know if we do something wrong:

{ 
  string expires = DateTime.Now.Subtract(new DateTime(1970,1,1,0,0,0, 
DateTimeKind.Utc)).TotalSeconds + 3600 + "";
  string token_encrypted = Encrypt(this.AdminUsername + ":" + 
this.TargetUsername + ":" + expires, this.AdminPassword);
  //this.AdminUsername = server_* user name
  //this.TargetUsername = normal user name (target user)
  //this.AdminPassword = server_* user password (SHA1 encrypted)
  //Encrypt do the equivalent of the AES 256 CBC openssl encryption (cf 
https://gist.github.com/scottlowe/1411917, we just removed the salt part)
  session_SHA = this.AdminUsername + ":" + this.TargetUsername + ":" + 
token_encrypted;
  //session_SHA is the token used to authenticate on a request
}

Thanks
Best regards




Enguerran Boissier
www.terradue.com



On 28 Jul 2014, at 10:45, Daniel Molina <[email protected]> wrote:

> Hi Cesare,
> 
> The server_* authentication is a special method where a user can authenticate 
> on behalf of other user. This method was included in OpenNebula for scenarios 
> such as an Apache server configured to use x509 certificates, Apache has 
> already authenticated the user and we just encrypt a token with the 
> serveradmin credentials and OpenNebula will decrypt the token and will 
> perform all the actions as the target_username.
> 
> Users using the server_* auth method are special users and should not have 
> any resource.
> 
> You can see an example on how Sunstone uses this method:
> A user logs in:
> https://github.com/OpenNebula/one/blob/master/src/sunstone/sunstone-server.rb#L169
> do_auth is called to authenticate the user:
> https://github.com/OpenNebula/one/blob/master/src/cloud/common/CloudAuth/SunstoneCloudAuth.rb#L18
> a token is generated using the server_* method
> https://github.com/OpenNebula/one/blob/master/src/authm_mad/remotes/server_cipher/server_cipher_auth.rb#L85
> this info is sent to one and then checked by the auth driver:
> https://github.com/OpenNebula/one/blob/master/src/authm_mad/remotes/server_cipher/server_cipher_auth.rb#L110
> 
> Hope this helps
> 
> http://docs.opennebula.org/4.6/administration/sunstone_gui/cloud_auth.html
> 
> 
> 
> 
> On 25 July 2014 12:39, Cesare Rossi <[email protected]> wrote:
> Dear All,
> 
> we are interacting with the XML-RPC API. We are trying to perform the special 
> authentication method available with the users' drivers server_cipher or 
> server_x509 (i.e. using username:target_username:secret), but it seems not 
> working.
> 
> The question is: is it possible to use with that API such kind of users ? If 
> yes, how ?
> 
> Thanks in advance,
> 
> Cheers
> 
> Cesare Rossi
> Terradue
> Rome, Italy | Oxford, UK
> http://www.terradue.com
> 
> 
> 
> 
> _______________________________________________
> Dev mailing list
> [email protected]
> http://lists.opennebula.org/listinfo.cgi/dev-opennebula.org
> 
> 
> 
> 
> -- 
> --
> Daniel Molina
> Project Engineer
> OpenNebula - Flexible Enterprise Cloud Made Simple
> www.OpenNebula.org | [email protected] | @OpenNebula

_______________________________________________
Dev mailing list
[email protected]
http://lists.opennebula.org/listinfo.cgi/dev-opennebula.org

Reply via email to