Hi Graeme,

I'm not an OpenNebula developer... our organization currently has requirements similar to yours, except that for some cases we also allow X.509 authentication. We had to choose which would be easier to implement, and it was one of our developers who contributed the code for the X.509 plugin.

The authorization/authentication of OpenNebula is pluggable, as long as you add the right plugin to it. In the case of X.509 there's one module which the command line, Sunstone, econe, and OCCI all call. One of the reasons we didn't push to do Kerberos instead is what it would take to securely push the Kerberos credentials across the web. I'm not familiar with the details of mod_auth_kerb, but hopefully it doesn't send the Kerberos password across the web in the clear. We effectively have Kerberos authentication because we have hooked up our Kerberos server to a SLCS short-lived certificate server to make X.509 certificates based on the Kerberos credential.

Steve Timm

On Wed, 28 Sep 2011, Graeme Gillies wrote:
Hi,

I am currently evaluating OpenNebula 3.0 for use within our organization, and one of our security requirements is that all our systems use Kerberos authentication where possible. In my current deployment scenario, users will be interacting with OpenNebula via Sunstone.

I see that currently Sunstone supports normal form-based authentication, and X.509 authentication where you rely on apache/lighttpd/whatever in front of Sunstone to actually authenticate the user (in this case via 2-way SSL auth) and then Sunstone just accepts the user as authenticated.

What I'd like to do is use Apache with mod_auth_kerb to authenticate users in Apache via Kerberos, and then have Sunstone accept the user as authenticated from Apache (similar to how the X.509 auth works). mod_auth_kerb simply sets the CGI value of REMOTE_USER to the authenticated user once authentication is complete, and I'm wondering if there is some sort of "dummy" auth module for Sunstone that simply takes the user as supplied via a header or CGI variable and uses it, trusting the layer in front of it to authenticate the user correctly.

If not, is this something worth me lodging a feature request for? Or lodging a feature request to have Kerberos/GSSAPI authentication implemented across OpenNebula in general?

Regards,
Graeme

_______________________________________________
Users mailing list
[email protected]
http://lists.opennebula.org/listinfo.cgi/users-opennebula.org
--
------------------------------------------------------------------
Steven C. Timm, Ph.D (630) 840-8525
[email protected] http://home.fnal.gov/~timm/
Fermilab Computing Division, Scientific Computing Facilities,
Grid Facilities Department, FermiGrid Services Group, Group Leader.
Lead of FermiCloud project.
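The "dummy" module Graeme describes has one security-relevant detail worth making concrete: REMOTE_USER is a server variable that mod_auth_kerb sets after a successful exchange, whereas anything a client puts in an HTTP header of its own reaches a CGI or Rack application as HTTP_*, so a shim that trusts the wrong one can be handed an arbitrary principal. The following is an added example written for this thread, not OpenNebula or Sunstone code and not the X.509 plugin Steve mentions. It assumes a Rack-style env hash as Sunstone (a Ruby application) would see it, that the principal is of the form name@REALM, that the OpenNebula user name is the local part of the principal, and a constructed list of trusted realms; the realm, host and user names are constructed sample values.

```ruby
# Added example (not OpenNebula/Sunstone code): derive the OpenNebula user
# name from the principal mod_auth_kerb leaves in the CGI environment, while
# ignoring anything the client could have set itself.
#
# Assumptions (constructed for this example): REMOTE_USER carries a Kerberos
# principal like "graeme@EXAMPLE.ORG"; the OpenNebula user is the local part;
# only the realms listed below are trusted.

TRUSTED_REALMS = %w[EXAMPLE.ORG].freeze  # constructed, site-specific

class UntrustedPrincipal < StandardError; end

# Read the principal the web server authenticated. mod_auth_kerb sets the
# server variable REMOTE_USER; a client-supplied "Remote-User:" header would
# arrive as HTTP_REMOTE_USER and is deliberately never consulted.
def principal_from_env(env)
  user = env['REMOTE_USER']
  if user.nil? || user.empty?
    raise UntrustedPrincipal, 'no REMOTE_USER set by the web server'
  end
  user
end

# Map "name@REALM" to an OpenNebula user name. Only a plain local part with
# safe characters is accepted (principals with an instance such as
# "name/admin@REALM" are rejected), and only trusted realms are honoured.
def one_username_for(principal, trusted_realms = TRUSTED_REALMS)
  m = /\A([a-z][a-z0-9._-]{0,63})@([A-Z0-9.-]+)\z/.match(principal)
  raise UntrustedPrincipal, "malformed principal: #{principal.inspect}" unless m
  local, realm = m[1], m[2]
  raise UntrustedPrincipal, "untrusted realm: #{realm}" unless trusted_realms.include?(realm)
  local
end

# Convenience entry point: the user name Sunstone could accept for this request.
def authenticated_user(env, trusted_realms = TRUSTED_REALMS)
  one_username_for(principal_from_env(env), trusted_realms)
end

if $PROGRAM_NAME == __FILE__
  # Constructed env as Apache hands it on after a successful Negotiate exchange.
  good = { 'REMOTE_USER' => 'graeme@EXAMPLE.ORG', 'HTTP_HOST' => 'sunstone.example.org' }
  # Constructed env for an unauthenticated request that tried to smuggle a
  # principal in a client header; it must be rejected.
  spoofed = { 'HTTP_REMOTE_USER' => 'oneadmin@EXAMPLE.ORG' }

  puts authenticated_user(good)
  begin
    authenticated_user(spoofed)
  rescue UntrustedPrincipal => e
    puts "rejected: #{e.message}"
  end
end
```

Whatever sits in front of Sunstone must also be the only path to it (firewall the Sunstone port to the proxy host), otherwise a direct request can carry its own environment. On Steve's point about the password: mod_auth_kerb can either complete a GSSAPI Negotiate exchange, in which only a ticket crosses the wire, or fall back to Basic authentication with the Kerberos password (KrbMethodK5Passwd), so that fallback should be disabled or confined to TLS.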
