Sound good, thank you for the info Emmanuel. Looking forward to seeing the code
On 30 July 2014 12:44, Emmanuel Mathot <[email protected]> wrote: > We are developing an API library for .Net framework. Soon available in > OpenSource on Github. > > Cheers, > > Emmanuel Mathot > www.terradue.com > > > > On 30 Jul 2014, at 12:37, Daniel Molina <[email protected]> wrote: > > Great!!. May I ask what kind of tool/integration are you building on top > OpenNebula? > > Cheers > > > On 30 July 2014 09:49, Cesare Rossi <[email protected]> wrote: > >> Dear Daniel, >> >> thank you for your support. We found that the problem was the encryption >> made on the client side. Now it works perfectly. >> >> Thank you again >> >> Cheers >> >> >> Cesare Rossi >> Terradue >> Rome, Italy | Oxford, UK >> http://www.terradue.com >> >> >> >> On 29 Jul 2014, at 12:23, Daniel Molina <[email protected]> wrote: >> >> Could you check the password you are using to encrypt (password+sha1) is >> the same that oned uses to decrypt (oneuser show) >> >> [oneadmin@node1 ~]$ oneuser show serveradmin | grep PASS >> PASSWORD : 3412... >> [oneadmin@node1 ~]$ cat .one/sunstone_auth >> serveradmin:7f9f... >> [oneadmin@node1 ~]$ echo -n "7f9f..." | sha1sum >> 3412... - >> >> Also the problem could be that the token is (base64) encoded after being >> encrypted: >> >> https://github.com/OpenNebula/one/blob/master/src/authm_mad/remotes/server_cipher/server_cipher_auth.rb#L90 >> >> and before being decrypted it's decoded: >> >> https://github.com/OpenNebula/one/blob/master/src/authm_mad/remotes/server_cipher/server_cipher_auth.rb#L142 >> >> Cheers >> >> >> On 29 July 2014 12:01, Emmanuel Mathot <[email protected]> >> wrote: >> >>> Here is the log output: >>> >>> Mon Jul 28 16:37:48 2014 [AuM][D]: Message received: LOG I 5 Command >>> execution fail: /var/lib/one/remotes/auth/server_cipher/authenticate >>> serveradmin [secret] **** >>> >>> Mon Jul 28 16:37:48 2014 [AuM][I]: Command execution fail: >>> /var/lib/one/remotes/auth/server_cipher/authenticate >>> serveradmin [secret] **** >>> Mon Jul 28 16:37:48 2014 [AuM][D]: Message received: LOG D 5 >>> authenticate: Authenticating serveradmin, with >>> password [secret] >>> (4zj727qqns0xXEHWPBq4tJ2nRSyqom1KtWx5QBueF54I33c1y0fIuymmkn84TMP9) >>> >>> Mon Jul 28 16:37:48 2014 [AuM][I]: authenticate: Authenticating >>> serveradmin, with >>> password [secret] >>> (4zj727qqns0xXEHWPBq4tJ2nRSyqom1KtWx5QBueF54I33c1y0fIuymmkn84TMP9) >>> Mon Jul 28 16:37:48 2014 [AuM][D]: Message received: LOG E 5 bad decrypt >>> >>> Mon Jul 28 16:37:48 2014 [AuM][I]: bad decrypt >>> Mon Jul 28 16:37:48 2014 [AuM][D]: Message received: LOG I 5 ExitCode: >>> 255 >>> >>> >>> Emmanuel Mathot >>> www.terradue.com >>> >>> >>> <PastedGraphic-1.tiff> >>> >>> On 29 Jul 2014, at 11:06, Daniel Molina <[email protected]> wrote: >>> >>> Hi Enguerran, >>> >>> What error message are you getting in oned.log after trying to connect? >>> >>> Cheers >>> >>> >>> On 28 July 2014 17:16, Enguerran Boissier < >>> [email protected]> wrote: >>> >>>> Hello Daniel, >>>> Thanks for your answer, unfortunately we still don't manage to connect >>>> with a server_* user on the behalf of another normal user. >>>> This is basically what we do, let us know if we do something wrong: >>>> >>>> { >>>> string expires = DateTime.Now.Subtract(new DateTime(1970,1,1,0,0,0, >>>> DateTimeKind.Utc)).TotalSeconds + 3600 + ""; >>>> string token_encrypted = Encrypt(this.AdminUsername + ":" + >>>> this.TargetUsername + ":" + expires, this.AdminPassword); >>>> //this.AdminUsername = server_* user name >>>> //this.TargetUsername = normal user name (target user) >>>> //this.AdminPassword = server_* user password (SHA1 encrypted) >>>> //Encrypt do the equivalent of the AES 256 CBC openssl encryption (cf >>>> https://gist.github.com/scottlowe/1411917, we just removed the salt >>>> part) >>>> session_SHA = this.AdminUsername + ":" + this.TargetUsername + ":" + >>>> token_encrypted; >>>> //session_SHA is the token used to authenticate on a request >>>> } >>>> >>>> Thanks >>>> Best regards >>>> >>>> >>>> >>>> >>>> Enguerran Boissier >>>> www.terradue.com >>>> >>>> <t2uk.png> >>>> >>>> On 28 Jul 2014, at 10:45, Daniel Molina <[email protected]> wrote: >>>> >>>> Hi Cesare, >>>> >>>> The server_* authentication is a special method where a user can >>>> authenticate on behalf of other user. This method was included in >>>> OpenNebula for scenarios such as an Apache server configured to use x509 >>>> certificates, Apache has already authenticated the user and we just encrypt >>>> a token with the serveradmin credentials and OpenNebula will decrypt the >>>> token and will perform all the actions as the target_username. >>>> >>>> Users using the server_* auth method are special users and should not >>>> have any resource. >>>> >>>> You can see an example on how Sunstone uses this method: >>>> A user logs in: >>>> >>>> https://github.com/OpenNebula/one/blob/master/src/sunstone/sunstone-server.rb#L169 >>>> do_auth is called to authenticate the user: >>>> >>>> https://github.com/OpenNebula/one/blob/master/src/cloud/common/CloudAuth/SunstoneCloudAuth.rb#L18 >>>> a token is generated using the server_* method >>>> >>>> https://github.com/OpenNebula/one/blob/master/src/authm_mad/remotes/server_cipher/server_cipher_auth.rb#L85 >>>> this info is sent to one and then checked by the auth driver: >>>> >>>> https://github.com/OpenNebula/one/blob/master/src/authm_mad/remotes/server_cipher/server_cipher_auth.rb#L110 >>>> >>>> Hope this helps >>>> >>>> >>>> http://docs.opennebula.org/4.6/administration/sunstone_gui/cloud_auth.html >>>> >>>> >>>> >>>> >>>> On 25 July 2014 12:39, Cesare Rossi <[email protected]> wrote: >>>> >>>>> Dear All, >>>>> >>>>> we are interacting with the XML-RPC API. We are trying to perform the >>>>> special authentication method available with the users' drivers >>>>> *server_cipher* or *server_x509 *(i.e. using >>>>> username:target_username:secret), but it seems not working. >>>>> >>>>> The question is: is it possible to use with that API such kind of >>>>> users ? If yes, how ? >>>>> >>>>> Thanks in advance, >>>>> >>>>> Cheers >>>>> >>>>> Cesare Rossi >>>>> Terradue >>>>> Rome, Italy | Oxford, UK >>>>> http://www.terradue.com >>>>> >>>>> >>>>> >>>>> >>>>> _______________________________________________ >>>>> Dev mailing list >>>>> [email protected] >>>>> http://lists.opennebula.org/listinfo.cgi/dev-opennebula.org >>>>> >>>>> >>>> >>>> >>>> -- >>>> -- >>>> Daniel Molina >>>> Project Engineer >>>> OpenNebula - Flexible Enterprise Cloud Made Simple >>>> www.OpenNebula.org <http://www.opennebula.org/> | >>>> [email protected] | @OpenNebula >>>> >>>> >>>> >>> >>> >>> -- >>> -- >>> Daniel Molina >>> Project Engineer >>> OpenNebula - Flexible Enterprise Cloud Made Simple >>> www.OpenNebula.org <http://www.opennebula.org/> | [email protected] >>> | @OpenNebula >>> >>> >>> >> >> >> -- >> -- >> Daniel Molina >> Project Engineer >> OpenNebula - Flexible Enterprise Cloud Made Simple >> www.OpenNebula.org <http://www.opennebula.org/> | [email protected] >> | @OpenNebula >> >> >> > > > -- > -- > Daniel Molina > Project Engineer > OpenNebula - Flexible Enterprise Cloud Made Simple > www.OpenNebula.org <http://www.opennebula.org/> | [email protected] > | @OpenNebula > > > -- -- Daniel Molina Project Engineer OpenNebula - Flexible Enterprise Cloud Made Simple www.OpenNebula.org | [email protected] | @OpenNebula
_______________________________________________ Dev mailing list [email protected] http://lists.opennebula.org/listinfo.cgi/dev-opennebula.org
