On 16 December 2011 17:55, Steven Timm <t...@fnal.gov> wrote:
> On Fri, 16 Dec 2011, Daniel Molina wrote:
>
>> On 16 December 2011 16:08, Steven Timm <t...@fnal.gov> wrote:
>>>
>>> On Fri, 16 Dec 2011, Daniel Molina wrote:
>>>
>>>> Dear Farooq,
>>>>
>>>> I think the problem is the driver assigned to serveradmin (x509), you
>>>> must change it to server_x509 [1]. Otherwise it will not use the
>>>> certificates specified in server_x509_auth.conf. x509 driver should be
>>>> used by regular users and not by the "server" user.
>>>>
>>>> So there are two users in this scenario:
>>>> 1. The user that is trying to authenticate using Sunstone. This user
>>>>    should have the driver x509 and his DN as password.
>>>> 2. The user used by Sunstone server (serveradmin) to interact with
>>>>    OpenNebula. This user should have the driver server_x509 and his
>>>>    server certificate DN as password.
>>>
>>> Then the documentation of the oneuser command should be modified
>>> to indicate that server_x509 is a legal option in the
>>> oneuser chauth subcommand. It's not listed either in the command
>>> usage or on the web page.
>>
>> The legal values for the auth driver are defined in the oned.conf. But
>> yes, maybe we should add this information to the oneuser help.
>>   arguments = "--authn ssh,x509,ldap,server_cipher,server_x509"
>
> In our oned.conf we currently have
>   AUTH_MAD = [
>       executable = "one_auth_mad",
>       arguments  = "--authn x509,server_x509"
>   ]
>
> There is at least one web page that says it should still be
>   x509,server
>
> Which is right?
These values correspond with the following directories:
http://dev.opennebula.org/projects/opennebula/repository/revisions/master/show/src/authm_mad/remotes

So "--authn x509,server_x509" is the right one. Could you point me to the
URL which is wrong, so I can fix it?

Kind regards.

> Steve Timm
>
>>> Also, what about the oneadmin user, user 0.. should that be server_x509
>>> too or should that still be x509 driver?
>>
>> If you want to use oneadmin through sunstone you have to set x509
>> driver for him (as a regular user), so he can login through sunstone
>> and the cli. The server_x509 should be only used by the serveradmin
>> user.
>>
>>> [root@fgitb317 one]# oneuser show 1
>>>
>>> USER 1 INFORMATION
>>> ID          : 1
>>> NAME        : serveradmin
>>> GROUP       : 0
>>> PASSWORD    : /DC=org/DC=doegrids/OU=Services/CN=fgitb317.fnal.gov
>>> AUTH_DRIVER : x509
>>
>> It must be "server_x509"
>>
>>> ENABLED     : Yes
>>>
>>> USER TEMPLATE
>>>
>>> [root@fgitb317 one]#
>>> [root@fgitb317 one]# oneuser show 0
>>> USER 0 INFORMATION
>>> ID          : 0
>>> NAME        : oneadmin
>>> GROUP       : 0
>>> PASSWORD    : /DC=org/DC=doegrids/OU=Services/CN=fgitb317.fnal.gov
>>> AUTH_DRIVER : x509
>>> ENABLED     : Yes
>>>
>>> USER TEMPLATE
>>>
>>> [root@fgitb317 one]#
>>>
>>> * chauth <userid> <auth> [<password>]
>>>     Changes the User's auth driver
>>>     valid options: read_file, sha1, ssh, x509, key, cert, driver
>>>
>>>> Also, you should check that the (unix) user running oned and
>>>> sunstone-server has permission to read the certificates specified in
>>>> server_x509_auth.conf.
>>>>
>>>> BTW it would be nice to use the same thread for issues related to the
>>>> x509 configuration instead of opening new ones, so other users can
>>>> benefit from it.
>>>>
>>>> Kind Regards
>>>>
>>>> [1]
>>>> http://lists.opennebula.org/pipermail/users-opennebula.org/2011-December/007233.html
>>>>
>>>> ------->8-------------------------
>>>> If you want to configure x509 authentication in sunstone these are the
>>>> main steps (besides the apache configuration):
>>>>
>>>> Option A:
>>>> --------------
>>>> * Sunstone configuration
>>>>   - auth: x509
>>>>   - core_auth: cipher
>>>>
>>>> The server will authenticate on behalf of other users using the
>>>> "serveradmin" user and symmetric encryption to generate the token that
>>>> contains the client username.
>>>>
>>>> * Configuration: This is the default behavior and no configuration is
>>>>   needed.
>>>>   - $VAR_LOCATION//.one/sunstone_auth should contain the credentials of
>>>>     the serveradmin user that will be used to encrypt the token
>>>>   - oneuser list should show a serveradmin user with server_cipher auth
>>>>     driver defined.
>>>>
>>>> Option B:
>>>> --------------
>>>> * Sunstone configuration
>>>>   - auth: x509
>>>>   - core_auth: x509
>>>>
>>>> The server will authenticate on behalf of other users using the
>>>> "serveradmin" user and server certificates to generate the token that
>>>> contains the client username.
>>>>
>>>> * Configuration:
>>>>   http://www.opennebula.org/documentation:rel3.2:cloud_auth?ԉ_encryption
>>>>   - change serveradmin driver to server_x509 instead of server_cipher
>>>>   - edit /etc/one/auth/server_x509_auth.conf to specify the serveradmin
>>>>     user and the server certificates to encrypt the token
>>>>
>>>> In both cases the browser will interact with Apache and will
>>>> authenticate the user. The sunstone server will send this information
>>>> to OpenNebula using one of the previous options.
>>>> ------------------8<-------------------
>>>>
>>>> On 16 December 2011 00:13, Faarooq Lowe <l...@fnal.gov> wrote:
>>>>>
>>>>> We are still having problems getting sunstone to work with x509
>>>>> authentication.
>>>>>
>>>>> Could someone please advise?
>>>>>
>>>>> Here is what we have
>>>>>
>>>>> sunstone-server.conf
>>>>>
>>>>> # Server Configuration
>>>>> :host: 127.0.0.1
>>>>> :port: 9869
>>>>>
>>>>> # Authentication driver for incoming requests
>>>>> #   sunstone, for OpenNebula's user-password scheme
>>>>> #   x509, for x509 certificates based authentication
>>>>> #:auth: sunstone
>>>>> :auth: x509
>>>>>
>>>>> # Authentication driver to communicate with OpenNebula core
>>>>> #   cipher, for symmetric cipher encryption of tokens
>>>>> #   x509, for x509 certificate encryption of tokens
>>>>> #:core_auth: server_cipher
>>>>> :core_auth: x509
>>>>>
>>>>> # Life-time in seconds for token renewal (that used to handle OpenNebula auths)
>>>>> :token_expiration_delta: 1800
>>>>>
>>>>> server_x509_auth.conf
>>>>>
>>>>> # User to be used for x509 server authentication
>>>>> :srv_user: serveradmin
>>>>>
>>>>> # Path to the certificate used by the OpenNebula Services
>>>>> # Certificates must be in PEM format
>>>>> :one_cert: "/etc/grid-security/hostcert.pem"
>>>>> :one_key: "/etc/grid-security/hostkey.pem"
>>>>>
>>>>> serveradmin information
>>>>>
>>>>> -bash-3.2$ oneuser show 1
>>>>> USER 1 INFORMATION
>>>>> ID          : 1
>>>>> NAME        : serveradmin
>>>>> GROUP       : 0
>>>>> PASSWORD    : <DN with no spaces>
>>>>> AUTH_DRIVER : x509
>>>>> ENABLED     : Yes
>>>>>
>>>>> USER TEMPLATE
>>>>>
>>>>> Logs
>>>>>
>>>>> oned.log
>>>>>
>>>>> Thu Dec 15 17:04:28 2011 [AuM][E]: Auth Error: undefined method `public_key' for nil:NilClass
>>>>>
>>>>> sunstone.log
>>>>>
>>>>> 131.225.168.168 - - [15/Dec/2011 17:03:26] "GET / HTTP/1.1" 200 1384 0.0037
>>>>> 131.225.168.168 - - [15/Dec/2011 17:04:28] "POST /login HTTP/1.1" 500 61 0.0802
>>>>>
>>>>> _______________________________________________
>>>>> Users mailing list
>>>>> Users@lists.opennebula.org
>>>>> http://lists.opennebula.org/listinfo.cgi/users-opennebula.org
>>>
>>> --
>>> ------------------------------------------------------------------
>>> Steven C. Timm, Ph.D  (630) 840-8525
>>> t...@fnal.gov  http://home.fnal.gov/~timm/
>>> Fermilab Computing Division, Scientific Computing Facilities,
>>> Grid Facilities Department, FermiGrid Services Group, Group Leader.
>>> Lead of FermiCloud project.
>

--
Daniel Molina
Project Engineer
OpenNebula - The Open Source Toolkit for Data Center Virtualization
www.OpenNebula.org | dmol...@opennebula.org | @OpenNebula
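The thread boils down to three pieces that have to agree: the drivers enabled in the AUTH_MAD block of oned.conf, the :srv_user: and certificate paths in server_x509_auth.conf, and the AUTH_DRIVER each user is shown with by `oneuser show` (server_x509 for serveradmin, x509 for everybody else, with the DN as password), plus the unix permissions on the certificate files. The script below is an added example, not code from this thread or from OpenNebula: it parses those three artifacts in the formats quoted above and reports any mismatch, which is the check a practitioner would run before chasing a 500 on /login. The function and constant names are the example's own; the sample inputs are constructed and the DN values are placeholders.

```python
"""Consistency checks for an OpenNebula 3.x Sunstone + x509 setup.

Added example, not code from the thread or from OpenNebula. It parses the
artifacts the thread discusses (oned.conf AUTH_MAD block, server_x509_auth.conf
and `oneuser show` output) and flags the misconfiguration the thread points at.
All sample inputs are constructed; DN values are placeholders.
"""
import os
import re

SERVER_DRIVER = "server_x509"  # driver for the Sunstone service user (serveradmin)
USER_DRIVER = "x509"           # driver for regular users, oneadmin included


def parse_oneuser_show(text):
    """Parse the 'KEY : VALUE' lines of `oneuser show` into a dict."""
    info = {}
    for line in text.splitlines():
        m = re.match(r"\s*([A-Z_]+)\s*:\s*(.*?)\s*$", line)
        if m:
            info[m.group(1)] = m.group(2)
    return info


def parse_auth_mad_drivers(oned_conf):
    """Return the driver list from the AUTH_MAD 'arguments = "--authn a,b"' entry."""
    m = re.search(r"--authn\s+([\w,]+)", oned_conf)
    return m.group(1).split(",") if m else []


def parse_server_x509_conf(text):
    """Parse the ':key: value' lines (YAML subset) of server_x509_auth.conf."""
    conf = {}
    for line in text.splitlines():
        m = re.match(r'\s*:(\w+):\s*"?([^"#]*?)"?\s*$', line)
        if m:
            conf[m.group(1)] = m.group(2)
    return conf


def check_x509_setup(oned_conf, server_conf_text, users, readable=None):
    """Return a list of findings; an empty list means the pieces agree.

    users: mapping user name -> `oneuser show` output. readable: callable(path)
    -> bool; defaults to os.access() for the unix user running this script
    (run it as the user that runs oned and sunstone-server).
    """
    if readable is None:
        readable = lambda path: os.access(path, os.R_OK)
    findings = []
    drivers = parse_auth_mad_drivers(oned_conf)
    for needed in (USER_DRIVER, SERVER_DRIVER):
        if needed not in drivers:
            findings.append("oned.conf AUTH_MAD does not enable driver %r" % needed)
    server = parse_server_x509_conf(server_conf_text)
    srv_user = server.get("srv_user")
    if not srv_user:
        findings.append("server_x509_auth.conf has no :srv_user:")
    for key in ("one_cert", "one_key"):
        path = server.get(key)
        if not path:
            findings.append("server_x509_auth.conf has no :%s:" % key)
        elif not readable(path):
            findings.append("%s %r is not readable by this unix user" % (key, path))
    for name, show in users.items():
        info = parse_oneuser_show(show)
        driver = info.get("AUTH_DRIVER")
        expected = SERVER_DRIVER if name == srv_user else USER_DRIVER
        if driver != expected:
            findings.append("user %s has AUTH_DRIVER %s, expected %s"
                            % (name, driver, expected))
        # Heuristic: with either driver the password field holds the certificate
        # DN, which in OpenSSL one-line form starts with '/'.
        if not info.get("PASSWORD", "").startswith("/"):
            findings.append("user %s password does not look like a DN" % name)
    return findings


# Constructed samples in the shape of the thread's files and command output.
ONED_CONF = '''
AUTH_MAD = [
    executable = "one_auth_mad",
    arguments  = "--authn x509,server_x509"
]
'''
SERVER_X509_CONF = '''
# User to be used for x509 server authentication
:srv_user: serveradmin
# Certificates must be in PEM format
:one_cert: "/etc/grid-security/hostcert.pem"
:one_key: "/etc/grid-security/hostkey.pem"
'''
SERVERADMIN_BROKEN = '''USER 1 INFORMATION
ID          : 1
NAME        : serveradmin
GROUP       : 0
PASSWORD    : /DC=org/DC=example/OU=Services/CN=one.example.org
AUTH_DRIVER : x509
ENABLED     : Yes
'''
SERVERADMIN_FIXED = SERVERADMIN_BROKEN.replace("AUTH_DRIVER : x509",
                                               "AUTH_DRIVER : server_x509")
ONEADMIN = SERVERADMIN_BROKEN.replace("serveradmin", "oneadmin")

if __name__ == "__main__":
    # Certificates are assumed readable here so the sample runs offline.
    users = {"serveradmin": SERVERADMIN_BROKEN, "oneadmin": ONEADMIN}
    for finding in check_x509_setup(ONED_CONF, SERVER_X509_CONF, users, lambda p: True):
        print("FINDING:", finding)
```

Run as the unix user that owns oned and sunstone-server, feeding it the real files and the output of `oneuser show` for serveradmin and each Sunstone user, and the `readable` default will also catch the certificate permission problem Daniel mentions. On the sample data it reports exactly the defect in the thread: serveradmin still on the x509 driver instead of server_x509.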