Great!! May I ask what kind of tool/integration you are building on top of OpenNebula?
Cheers

On 30 July 2014 09:49, Cesare Rossi <cesare.ro...@terradue.com> wrote:

> Dear Daniel,
>
> thank you for your support. We found that the problem was the encryption
> made on the client side. Now it works perfectly.
>
> Thank you again
>
> Cheers
>
> Cesare Rossi
> Terradue
> Rome, Italy | Oxford, UK
> http://www.terradue.com
>
> On 29 Jul 2014, at 12:23, Daniel Molina <dmol...@opennebula.org> wrote:
>
> Could you check that the password you are using to encrypt (password+sha1) is
> the same one that oned uses to decrypt (oneuser show)?
>
> [oneadmin@node1 ~]$ oneuser show serveradmin | grep PASS
> PASSWORD : 3412...
> [oneadmin@node1 ~]$ cat .one/sunstone_auth
> serveradmin:7f9f...
> [oneadmin@node1 ~]$ echo -n "7f9f..." | sha1sum
> 3412... -
>
> Also the problem could be that the token is (base64) encoded after being
> encrypted:
>
> https://github.com/OpenNebula/one/blob/master/src/authm_mad/remotes/server_cipher/server_cipher_auth.rb#L90
>
> and before being decrypted it's decoded:
>
> https://github.com/OpenNebula/one/blob/master/src/authm_mad/remotes/server_cipher/server_cipher_auth.rb#L142
>
> Cheers
>
> On 29 July 2014 12:01, Emmanuel Mathot <emmanuel.mat...@terradue.com>
> wrote:
>
>> Here is the log output:
>>
>> Mon Jul 28 16:37:48 2014 [AuM][D]: Message received: LOG I 5 Command
>> execution fail: /var/lib/one/remotes/auth/server_cipher/authenticate
>> serveradmin [secret] ****
>>
>> Mon Jul 28 16:37:48 2014 [AuM][I]: Command execution fail:
>> /var/lib/one/remotes/auth/server_cipher/authenticate
>> serveradmin [secret] ****
>> Mon Jul 28 16:37:48 2014 [AuM][D]: Message received: LOG D 5
>> authenticate: Authenticating serveradmin, with
>> password [secret]
>> (4zj727qqns0xXEHWPBq4tJ2nRSyqom1KtWx5QBueF54I33c1y0fIuymmkn84TMP9)
>>
>> Mon Jul 28 16:37:48 2014 [AuM][I]: authenticate: Authenticating
>> serveradmin, with
>> password [secret]
>> (4zj727qqns0xXEHWPBq4tJ2nRSyqom1KtWx5QBueF54I33c1y0fIuymmkn84TMP9)
>> Mon Jul 28 16:37:48 2014 [AuM][D]: Message received: LOG E 5 bad decrypt
>>
>> Mon Jul 28 16:37:48 2014 [AuM][I]: bad decrypt
>> Mon Jul 28 16:37:48 2014 [AuM][D]: Message received: LOG I 5 ExitCode: 255
>>
>> Emmanuel Mathot
>> www.terradue.com
>>
>> <PastedGraphic-1.tiff>
>>
>> On 29 Jul 2014, at 11:06, Daniel Molina <dmol...@opennebula.org> wrote:
>>
>> Hi Enguerran,
>>
>> What error message are you getting in oned.log after trying to connect?
>>
>> Cheers
>>
>> On 28 July 2014 17:16, Enguerran Boissier <
>> enguerran.boiss...@terradue.com> wrote:
>>
>>> Hello Daniel,
>>> Thanks for your answer, unfortunately we still don't manage to connect
>>> with a server_* user on behalf of another normal user.
>>> This is basically what we do, let us know if we do something wrong:
>>>
>>> {
>>>     string expires = DateTime.Now.Subtract(new DateTime(1970,1,1,0,0,0,
>>>         DateTimeKind.Utc)).TotalSeconds + 3600 + "";
>>>     string token_encrypted = Encrypt(this.AdminUsername + ":" +
>>>         this.TargetUsername + ":" + expires, this.AdminPassword);
>>>     //this.AdminUsername = server_* user name
>>>     //this.TargetUsername = normal user name (target user)
>>>     //this.AdminPassword = server_* user password (SHA1 encrypted)
>>>     //Encrypt does the equivalent of the AES 256 CBC openssl encryption (cf
>>>     //https://gist.github.com/scottlowe/1411917, we just removed the salt
>>>     //part)
>>>     session_SHA = this.AdminUsername + ":" + this.TargetUsername + ":" +
>>>         token_encrypted;
>>>     //session_SHA is the token used to authenticate on a request
>>> }
>>>
>>> Thanks
>>> Best regards
>>>
>>> Enguerran Boissier
>>> www.terradue.com
>>>
>>> <t2uk.png>
>>>
>>> On 28 Jul 2014, at 10:45, Daniel Molina <dmol...@opennebula.org> wrote:
>>>
>>> Hi Cesare,
>>>
>>> The server_* authentication is a special method where a user can
>>> authenticate on behalf of another user. This method was included in
>>> OpenNebula for scenarios such as an Apache server configured to use x509
>>> certificates, Apache has already authenticated the user and we just encrypt
>>> a token with the serveradmin credentials and OpenNebula will decrypt the
>>> token and will perform all the actions as the target_username.
>>>
>>> Users using the server_* auth method are special users and should not
>>> have any resource.
>>>
>>> You can see an example on how Sunstone uses this method:
>>> A user logs in:
>>>
>>> https://github.com/OpenNebula/one/blob/master/src/sunstone/sunstone-server.rb#L169
>>> do_auth is called to authenticate the user:
>>>
>>> https://github.com/OpenNebula/one/blob/master/src/cloud/common/CloudAuth/SunstoneCloudAuth.rb#L18
>>> a token is generated using the server_* method
>>>
>>> https://github.com/OpenNebula/one/blob/master/src/authm_mad/remotes/server_cipher/server_cipher_auth.rb#L85
>>> this info is sent to one and then checked by the auth driver:
>>>
>>> https://github.com/OpenNebula/one/blob/master/src/authm_mad/remotes/server_cipher/server_cipher_auth.rb#L110
>>>
>>> Hope this helps
>>>
>>> http://docs.opennebula.org/4.6/administration/sunstone_gui/cloud_auth.html
>>>
>>> On 25 July 2014 12:39, Cesare Rossi <cesare.ro...@terradue.com> wrote:
>>>
>>>> Dear All,
>>>>
>>>> we are interacting with the XML-RPC API. We are trying to perform the
>>>> special authentication method available with the users' drivers
>>>> *server_cipher* or *server_x509* (i.e. using
>>>> username:target_username:secret), but it does not seem to be working.
>>>>
>>>> The question is: is it possible to use with that API such kind of users?
>>>> If yes, how?
>>>>
>>>> Thanks in advance,
>>>>
>>>> Cheers
>>>>
>>>> Cesare Rossi
>>>> Terradue
>>>> Rome, Italy | Oxford, UK
>>>> http://www.terradue.com
>>>>
>>>> _______________________________________________
>>>> Dev mailing list
>>>> Dev@lists.opennebula.org
>>>> http://lists.opennebula.org/listinfo.cgi/dev-opennebula.org
>>>
>>> --
>>> Daniel Molina
>>> Project Engineer
>>> OpenNebula - Flexible Enterprise Cloud Made Simple
>>> www.OpenNebula.org <http://www.opennebula.org/> | dmol...@opennebula.org
>>> | @OpenNebula
>>
>> --
>> Daniel Molina
>> Project Engineer
>> OpenNebula - Flexible Enterprise Cloud Made Simple
>> www.OpenNebula.org <http://www.opennebula.org/> | dmol...@opennebula.org
>> | @OpenNebula
>
> --
> Daniel Molina
> Project Engineer
> OpenNebula - Flexible Enterprise Cloud Made Simple
> www.OpenNebula.org <http://www.opennebula.org/> | dmol...@opennebula.org
> | @OpenNebula

--
Daniel Molina
Project Engineer
OpenNebula - Flexible Enterprise Cloud Made Simple
www.OpenNebula.org | dmol...@opennebula.org | @OpenNebula
_______________________________________________ Dev mailing list Dev@lists.opennebula.org http://lists.opennebula.org/listinfo.cgi/dev-opennebula.org
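
The token round trip discussed in this thread (SHA1 of the server password as key, encrypt then base64-encode on the client, decode then decrypt on the server), as an added Ruby sketch that is not OpenNebula's code or code from any participant. The 32-byte key truncation, the all-zero IV, the function names and the sample credentials are assumptions made for this example.

```ruby
require 'openssl'
require 'digest'

CIPHER = 'aes-256-cbc'

# Assumption: the AES key is the first 32 bytes of the SHA1 hex digest that
# `oneuser show` prints as PASSWORD; no salt or KDF is involved.
def key_from_stored_hash(sha1_hex)
  sha1_hex[0, 32]
end

def run_cipher(mode, key, data)
  c = OpenSSL::Cipher.new(CIPHER)
  mode == :encrypt ? c.encrypt : c.decrypt
  c.key = key
  c.iv  = "\0" * 16 # assumption: fixed all-zero IV on both sides
  c.update(data) + c.final
end

# Client side: encrypt "admin:target:expires" first, then base64-encode.
def login_token(srv_user, srv_passwd, target_user, expires)
  key = key_from_stored_hash(Digest::SHA1.hexdigest(srv_passwd))
  raw = run_cipher(:encrypt, key, "#{srv_user}:#{target_user}:#{expires}")
  "#{srv_user}:#{target_user}:#{[raw].pack('m0')}" # 'm0' = base64, no newlines
end

# Server side: base64-decode first, then decrypt with the stored SHA1 hash.
def authenticate(srv_user, stored_sha1_hex, token64, now = Time.now.to_i)
  plain = run_cipher(:decrypt, key_from_stored_hash(stored_sha1_hex),
                     token64.unpack1('m'))
  s_user, _target, expires = plain.split(':')
  return 'user name mismatch' if s_user != srv_user
  return 'login token expired' if now >= expires.to_i
  true
rescue OpenSSL::Cipher::CipherError
  'bad decrypt' # wrong key, or ciphertext that was not decoded/encoded as expected
end

if __FILE__ == $PROGRAM_NAME
  secret  = 'constructed-secret'            # constructed sunstone_auth value
  stored  = Digest::SHA1.hexdigest(secret)  # what oned would hold as PASSWORD
  session = login_token('serveradmin', secret, 'alice', Time.now.to_i + 3600)
  puts session
  puts authenticate('serveradmin', stored, session.split(':', 3)[2])
end
```

A client that derives its key from anything other than the stored SHA1 hex string, or that skips the base64 step, ends up in the `bad decrypt` branch, which matches the error in the quoted oned.log.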