Here is the log output:

Mon Jul 28 16:37:48 2014 [AuM][D]: Message received: LOG I 5 Command execution 
fail: /var/lib/one/remotes/auth/server_cipher/authenticate serveradmin [secret] 
****

Mon Jul 28 16:37:48 2014 [AuM][I]: Command execution fail: 
/var/lib/one/remotes/auth/server_cipher/authenticate serveradmin [secret] ****
Mon Jul 28 16:37:48 2014 [AuM][D]: Message received: LOG D 5 authenticate: 
Authenticating serveradmin, with password [secret] 
(4zj727qqns0xXEHWPBq4tJ2nRSyqom1KtWx5QBueF54I33c1y0fIuymmkn84TMP9)

Mon Jul 28 16:37:48 2014 [AuM][I]: authenticate: Authenticating serveradmin, 
with password [secret] 
(4zj727qqns0xXEHWPBq4tJ2nRSyqom1KtWx5QBueF54I33c1y0fIuymmkn84TMP9)
Mon Jul 28 16:37:48 2014 [AuM][D]: Message received: LOG E 5 bad decrypt

Mon Jul 28 16:37:48 2014 [AuM][I]: bad decrypt
Mon Jul 28 16:37:48 2014 [AuM][D]: Message received: LOG I 5 ExitCode: 255


Emmanuel Mathot
www.terradue.com




On 29 Jul 2014, at 11:06, Daniel Molina <[email protected]> wrote:

> Hi Enguerran,
> 
> What error message are you getting in oned.log after trying to connect?
> 
> Cheers
> 
> 
> On 28 July 2014 17:16, Enguerran Boissier <[email protected]> 
> wrote:
> Hello Daniel,
> Thanks for your answer, unfortunately we still don't manage to connect with a 
> server_* user on the behalf of another normal user.
> This is basically what we do, let us know if we do something wrong:
> 
> { 
>   string expires = DateTime.Now.Subtract(new DateTime(1970,1,1,0,0,0, 
> DateTimeKind.Utc)).TotalSeconds + 3600 + "";
>   string token_encrypted = Encrypt(this.AdminUsername + ":" + 
> this.TargetUsername + ":" + expires, this.AdminPassword);
>   //this.AdminUsername = server_* user name
>   //this.TargetUsername = normal user name (target user)
>   //this.AdminPassword = server_* user password (SHA1 encrypted)
>   //Encrypt do the equivalent of the AES 256 CBC openssl encryption (cf 
> https://gist.github.com/scottlowe/1411917, we just removed the salt part)
>   session_SHA = this.AdminUsername + ":" + this.TargetUsername + ":" + 
> token_encrypted;
>   //session_SHA is the token used to authenticate on a request
> }
> 
> Thanks
> Best regards
> 
> 
> 
> 
> Enguerran Boissier
> www.terradue.com
> 
> <t2uk.png>
> 
> On 28 Jul 2014, at 10:45, Daniel Molina <[email protected]> wrote:
> 
>> Hi Cesare,
>> 
>> The server_* authentication is a special method where a user can 
>> authenticate on behalf of other user. This method was included in OpenNebula 
>> for scenarios such as an Apache server configured to use x509 certificates, 
>> Apache has already authenticated the user and we just encrypt a token with 
>> the serveradmin credentials and OpenNebula will decrypt the token and will 
>> perform all the actions as the target_username.
>> 
>> Users using the server_* auth method are special users and should not have 
>> any resource.
>> 
>> You can see an example on how Sunstone uses this method:
>> A user logs in:
>> https://github.com/OpenNebula/one/blob/master/src/sunstone/sunstone-server.rb#L169
>> do_auth is called to authenticate the user:
>> https://github.com/OpenNebula/one/blob/master/src/cloud/common/CloudAuth/SunstoneCloudAuth.rb#L18
>> a token is generated using the server_* method
>> https://github.com/OpenNebula/one/blob/master/src/authm_mad/remotes/server_cipher/server_cipher_auth.rb#L85
>> this info is sent to one and then checked by the auth driver:
>> https://github.com/OpenNebula/one/blob/master/src/authm_mad/remotes/server_cipher/server_cipher_auth.rb#L110
>> 
>> Hope this helps
>> 
>> http://docs.opennebula.org/4.6/administration/sunstone_gui/cloud_auth.html
>> 
>> 
>> 
>> 
>> On 25 July 2014 12:39, Cesare Rossi <[email protected]> wrote:
>> Dear All,
>> 
>> we are interacting with the XML-RPC API. We are trying to perform the 
>> special authentication method available with the users' drivers 
>> server_cipher or server_x509 (i.e. using username:target_username:secret), 
>> but it seems not working.
>> 
>> The question is: is it possible to use with that API such kind of users ? If 
>> yes, how ?
>> 
>> Thanks in advance,
>> 
>> Cheers
>> 
>> Cesare Rossi
>> Terradue
>> Rome, Italy | Oxford, UK
>> http://www.terradue.com
>> 
>> 
>> 
>> 
>> _______________________________________________
>> Dev mailing list
>> [email protected]
>> http://lists.opennebula.org/listinfo.cgi/dev-opennebula.org
>> 
>> 
>> 
>> 
>> -- 
>> --
>> Daniel Molina
>> Project Engineer
>> OpenNebula - Flexible Enterprise Cloud Made Simple
>> www.OpenNebula.org | [email protected] | @OpenNebula
> 
> 
> 
> 
> -- 
> --
> Daniel Molina
> Project Engineer
> OpenNebula - Flexible Enterprise Cloud Made Simple
> www.OpenNebula.org | [email protected] | @OpenNebula

_______________________________________________
Dev mailing list
[email protected]
http://lists.opennebula.org/listinfo.cgi/dev-opennebula.org

Reply via email to