Include Sunstone remote auth doc and apache+passenger+kerberos example #37

Closed
alvarosimon wants to merge 2 commits into OpenNebula:master from alvarosimon:sunstone_kerberos

Conversation

@alvarosimon (Contributor)

This doc PR is related to OpenNebula/one#71: how to Kerberize the Sunstone service using remote auth.

@jfontan (Contributor) commented Nov 18, 2015

Cherry picked to branches one-4.14.1 (this should be 4.14.2) and master. Thank you!

@jfontan jfontan closed this Nov 18, 2015
@alvarosimon (Contributor, Author)

thanks a lot!

@rsmontero rsmontero reopened this Nov 19, 2015
@rsmontero (Member)

Hi Alvaro

Needing to set x509 for remote Auth is something that we'd like to polish. We propose the following approach.

  • Users are created with the public driver. The public driver disables direct access of the users to the XML-RPC API (and SunstoneCloudAuth.rb). This way Kerberos users cannot access the core API. I assume this is the purpose of this change.
$ oneuser create publicuser "new_user@DOMAIN"
  • Update RemoteCloudAuth.rb to use a get_remote_username method instead of get_username. This method will be included in CloudAuth.rb:

    def get_remote_username(password)
        @lock.synchronize do
            @user_pool.each_with_xpath(
                "USER[contains(PASSWORD, \"#{password}\")]") do |user|
                return user["NAME"] if user["AUTH_DRIVER"] == "public" &&
                    user["PASSWORD"] == password
            end
        end
        nil
    end

What do you think?
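The lookup proposed above, as an added stand-alone example rather than OpenNebula's own code: the user pool is a constructed in-memory array instead of OpenNebula's UserPool, and the XPath `contains(PASSWORD, ...)` prefilter is emulated with `String#include?`. It shows why both checks in the proposed method matter: the AUTH_DRIVER check keeps a remote principal from being mapped onto a core (or any non-public) user, and the exact PASSWORD comparison keeps the substring prefilter from matching a longer principal.

```ruby
# Added example, not OpenNebula's code: a self-contained stand-in for the
# get_remote_username lookup proposed in the comment above.
class RemoteUserLookup
  # users: array of hashes with "NAME", "PASSWORD" and "AUTH_DRIVER" keys,
  # mirroring the attributes the real USER elements carry.
  def initialize(users)
    @user_pool = users
    @lock = Mutex.new
  end

  # Returns the username bound to +password+ (the remote principal the web
  # server authenticated, e.g. via Kerberos), or nil. Two checks matter:
  #   1. AUTH_DRIVER must be "public": core/x509/... users are never matched,
  #      so a remote principal cannot be mapped onto a privileged account.
  #   2. PASSWORD must equal the principal exactly: the contains() prefilter
  #      alone would also accept "user@DOMAIN" inside "new_user@DOMAIN".
  def get_remote_username(password)
    @lock.synchronize do
      # Emulates USER[contains(PASSWORD, "...")]
      @user_pool.select { |u| u["PASSWORD"].include?(password) }.each do |user|
        return user["NAME"] if user["AUTH_DRIVER"] == "public" &&
                               user["PASSWORD"] == password
      end
    end
    nil
  end
end

# Constructed sample pool (not real accounts). "publicuser" matches the
# "oneuser create publicuser new_user@DOMAIN" example above.
SAMPLE_USERS = [
  { "NAME" => "oneadmin",   "PASSWORD" => "plainsecret",        "AUTH_DRIVER" => "core" },
  { "NAME" => "publicuser", "PASSWORD" => "new_user@DOMAIN",    "AUTH_DRIVER" => "public" },
  { "NAME" => "other",      "PASSWORD" => "other@DOMAIN",       "AUTH_DRIVER" => "public" },
].freeze

LOOKUP = RemoteUserLookup.new(SAMPLE_USERS)

if __FILE__ == $0
  puts LOOKUP.get_remote_username("new_user@DOMAIN").inspect # exact public match
  puts LOOKUP.get_remote_username("user@DOMAIN").inspect     # substring only: nil
  puts LOOKUP.get_remote_username("plainsecret").inspect     # core user: nil
end
```

Run it with `ruby` to see the three cases; only the exact match against a public-driver user yields a name.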

@alvarosimon (Contributor, Author)

Hi @rsmontero

Great! This is even better! Yes, I have used the x509 driver to include the remote user because I didn't find another way to auth the user, but if you include a generic driver like publicuser that will solve this issue (and we avoid using x509, which could be a bit confusing). And of course this driver could be used by Kerberos or any other external auth mechanism handled by the web server.

@alvarosimon (Contributor, Author)

$ oneuser create publicuser "new_user@DOMAIN"

Just one question: when you use the publicuser driver, you assume that the username and passwd are the same, right?

@rsmontero (Member)

Sorry, it's just an auth method. They may be different.

@alvarosimon (Contributor, Author)

Ah ok, that's fine. In our case we can have something like this using the public AUTH_DRIVER:

oneuser show 4

USER 4
INFORMATION
ID : 4
NAME : vsc41206
GROUP : users
PASSWORD : vsc41206@HPC.UGENT.BE
AUTH_DRIVER : public
ENABLED : Yes

USER
TEMPLATE
SSH_PUBLIC_KEY="ssh-dss AAAAB3"


@rsmontero (Member)

Hi Alvaro,

We've updated CloudAuth.rb and RemoteAuth.rb to make use of a generic verification method. So now the "get_username" method is moved to each Auth class.

The modifications have been tested with x509 and they work. Could you review the new RemoteAuth method? You can grab the new files here:

Also, the new documentation is here

The specific commits if you are interested are:
OpenNebula/one@fd6b67e
OpenNebula/one@bac205d
OpenNebula/one@dc399e0

Thanks!!

@alvarosimon (Contributor, Author)

Hi Ruben

This is great! We will try the new auth in our cluster testbed during the next days using Kerberos and RemoteAuth. Thanks a lot!
