diff --git a/source/administration/sunstone_gui/suns_auth.rst b/source/administration/sunstone_gui/suns_auth.rst index fb35534513..6d53cc2ca8 100644 --- a/source/administration/sunstone_gui/suns_auth.rst +++ b/source/administration/sunstone_gui/suns_auth.rst @@ -80,6 +80,35 @@ Note that OpenNebula will not verify that the user is holding a valid certificat .. warning:: Sunstone x509 auth method only handles the authentication of the user at the time of login. Authentication of the user certificate is a complementary setup, which can rely on Apache. +remote Auth +--------- + +This method is similar to x509 auth. It performs the login to OpenNebula based on a Kerberos ``REMOTE_USER``. The ``USER@DOMAIN`` is extracted from ``REMOTE_USER`` variable and matched to the password value in the user database. + +The user password has to be changed running one of the following commands: + +.. code:: + + oneuser chauth new_user x509 "new_user@DOMAIN" + +New users with this authentication method should be created as follows: + +.. code:: + + oneuser create new_user "new_user@DOMAIN" --driver x509 + +To enable this login method, set the ``:auth:`` option of ``/etc/one/sunstone-server.conf`` to ``remote``: + +.. code:: + + :auth: remote + +The login screen will not display the username and password fields anymore, as all information is fetched from Kerberos server or a remote authentication service. + +Note that OpenNebula will not verify that the user is holding a valid Kerberos ticket at the time of login: this is expected to be done by the external container of the Sunstone server (normally Apache), whose job is to tell the user's browser that the site requires a valid ticket to login. + +.. warning:: Sunstone remote auth method only handles the authentication of the user at the time of login. Authentication of the remote ticket is a complementary setup, which can rely on Apache. + Configuring a SSL Proxy ======================= 
@@ -180,7 +209,7 @@ You will need to configure a new virtual host in nginx. Depending on the operati server { listen 80; server_name cloudserver.org; - + ### Permanent redirect to HTTPS (optional) return 301 https://$server_name:8443; } @@ -189,7 +218,7 @@ You will need to configure a new virtual host in nginx. Depending on the operati server { listen 8443; server_name cloudserver.org; - + ### SSL Parameters ssl on; ssl_certificate /etc/ssl/certs/ssl-cert-snakeoil.pem; diff --git a/source/administration/sunstone_gui/sunstone.rst b/source/administration/sunstone_gui/sunstone.rst index 4d7d5a2573..d1f4f72c9c 100644 --- a/source/administration/sunstone_gui/sunstone.rst +++ b/source/administration/sunstone_gui/sunstone.rst 
@@ -86,7 +86,7 @@ Available options are: +---------------------------+--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ | :env | Excution environment for Sunstone. ``dev``, Instead of pulling the minified js all the files will be pulled (app/main.js). Check the :ref:`Building from Source ` guide in the docs, for details on how to run Sunstone in development. ``prod``, the minified js will be used (dist/main.js) | +---------------------------+--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ -| :auth | Authentication driver for incoming requests. Possible values are ``sunstone``, ``opennebula`` and ``x509``. Check :ref:`authentication methods ` for more info | +| :auth | Authentication driver for incoming requests. Possible values are ``sunstone``, ``opennebula``, ``remote`` and ``x509``. Check :ref:`authentication methods ` for more info | +---------------------------+--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ | :core\_auth | Authentication driver to communicate with OpenNebula core. Possible values are ``x509`` or ``cipher``. 
Check :ref:`cloud\_auth ` for more information | +---------------------------+--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ diff --git a/source/advanced_administration/scalability/suns_advance.rst b/source/advanced_administration/scalability/suns_advance.rst index 40220b5d24..98b64020d3 100644 --- a/source/advanced_administration/scalability/suns_advance.rst +++ b/source/advanced_administration/scalability/suns_advance.rst @@ -140,7 +140,6 @@ Next thing we have to do is configure the virtual host that will run our Sunston Now the configuration should be ready, restart -or reload apache configuration- to start the application and point to the virtual host to check if everything is running. - Running Sunstone behind nginx SSL Proxy --------------------------------------- 
@@ -184,6 +183,40 @@ And this is the changes that have to be made to sunstone-server.conf: If using a selfsigned cert, the connection to VNC window in Sunstone will fail, either get a real cert, or manually accept the selfsigned cert in your browser before trying it with Sunstone. Now, VNC sessions should show "encrypted" in the title. +Running Sunstone with Passenger using FreeIPA/Kerberos auth in Apache +--------------------------------------------------------------------- + +It is also possible to use Sunstone ``remote`` authentication with Apache and Passenger. The configuration in this case is quite similar to Passenger configuration but we must include the Apache auth module line. How to configure freeIPA server and Kerberos is outside of the scope of this document, you can get more info in `FreeIPA Apache setup example `__ + +As example to include Kerberos authentication we can use two different modules: ``mod_auth_gssapi`` or ``mod_authnz_pam`` +And generate the keytab for http service, here is an example with Passenger: + +.. code:: + + LoadModule auth_gssapi_module modules/mod_auth_gssapi.so + + + ServerName sunstone-server + PassengerUser oneadmin + # !!! Be sure to point DocumentRoot to 'public'! + DocumentRoot /usr/lib/one/sunstone/public + + # Only is possible to access to this dir using a valid ticket + AuthType GSSAPI + AuthName "EXAMPLE.COM login" + GssapiCredStore keytab:/etc/http.keytab + Require valid-user + ErrorDocument 401 'Kerberos authentication did not pass.' + AllowOverride all + # MultiViews must be turned off. + Options -MultiViews + + + +.. note:: User must generate a valid ticket running ``kinit`` to get acces to Sunstone service. You can also set a custom 401 document to warn users about any authentication failure. + +Now our configuration is ready to use Passenger and Kerberos, restart -or reload apache configuration- and point to the virtual host using a valid ticket to check if everything is running. 
+ Running Sunstone in Multiple Servers ------------------------------------ diff --git a/source/locale/es/LC_MESSAGES/administration/sunstone_gui/suns_auth.po b/source/locale/es/LC_MESSAGES/administration/sunstone_gui/suns_auth.po index 036ab65952..ced37e6f95 100644 --- a/source/locale/es/LC_MESSAGES/administration/sunstone_gui/suns_auth.po +++ b/source/locale/es/LC_MESSAGES/administration/sunstone_gui/suns_auth.po @@ -1,4 +1,4 @@ -# +# msgid "" msgstr "" "Project-Id-Version: OpenNebula 4.6\n" @@ -36,7 +36,7 @@ msgstr "" msgid "" "**Web client and Sunstone server**. Authentication is based on the " "credentials store in the OpenNebula database for the user. Depending on the " -"type of this credentials the authentication method can be: basic, x509 and " +"type of this credentials the authentication method can be: basic, remote, x509 and " "opennebula (supporting LDAP or other custom methods)." msgstr "" 
@@ -150,34 +150,83 @@ msgid "" msgstr "" #: ../../source/administration/sunstone_gui/suns_auth.rst:84 -msgid "Configuring a SSL Proxy" +msgid "remote Auth" msgstr "" #: ../../source/administration/sunstone_gui/suns_auth.rst:86 msgid "" +"This method is similar to x509 auth. It performs the login to OpenNebula " +"based on a Kerberos ``REMOTE\_USER``. The ``USER@DOMAIN`` is extracted from " +"``REMOTE\_USER`` variable and matched to the password value in the user database." +msgstr "" + +#: ../../source/administration/sunstone_gui/suns_auth.rst:88 +msgid "" +"The user password has to be changed running one of the following commands:" +msgstr "" + +#: ../../source/administration/sunstone_gui/suns_auth.rst:94 +msgid "" +"New users with this authentication method should be created as follows:" +msgstr "" + +#: ../../source/administration/sunstone_gui/suns_auth.rst:100 +msgid "" +"To enable this login method, set the ``:auth:`` option of " +"``/etc/one/sunstone-server.conf`` to ``remote``:" +msgstr "" + +#: ../../source/administration/sunstone_gui/suns_auth.rst:106 +msgid "" +"The login screen will not display the username and password fields anymore, " +"as all information is fetched from Kerberos/freeIPA" +msgstr "" + +#: ../../source/administration/sunstone_gui/suns_auth.rst:108 +msgid "" +"Note that OpenNebula will not verify that the user is holding a valid " +"Kerberos ticket at the time of login: this is expected to be done by the " +"external container of the Sunstone server (normally Apache), whose job is to " +"tell the user's browser that the site requires a valid Kerberos ticket to " +"login." +msgstr "" + +#: ../../source/administration/sunstone_gui/suns_auth.rst:110 +msgid "" +"Sunstone remote auth method only handles the authentication of the user at " +"the time of login. Authentication of the Kerberos ticket is a complementary " +"setup, which can rely on Apache." 
+msgstr "" + +#: ../../source/administration/sunstone_gui/suns_auth.rst:113 +msgid "Configuring a SSL Proxy" +msgstr "" + +#: ../../source/administration/sunstone_gui/suns_auth.rst:115 +msgid "" "OpenNebula Sunstone runs natively just on normal HTTP connections. If the " "extra security provided by SSL is needed, a proxy can be set up to handle " "the SSL connection that forwards the petition to the Sunstone server and " "takes back the answer to the client." msgstr "" -#: ../../source/administration/sunstone_gui/suns_auth.rst:88 +#: ../../source/administration/sunstone_gui/suns_auth.rst:117 msgid "This set up needs:" msgstr "" -#: ../../source/administration/sunstone_gui/suns_auth.rst:90 +#: ../../source/administration/sunstone_gui/suns_auth.rst:119 msgid "A server certificate for the SSL connections" msgstr "" -#: ../../source/administration/sunstone_gui/suns_auth.rst:91 +#: ../../source/administration/sunstone_gui/suns_auth.rst:120 msgid "An HTTP proxy that understands SSL" msgstr "" -#: ../../source/administration/sunstone_gui/suns_auth.rst:92 +#: ../../source/administration/sunstone_gui/suns_auth.rst:121 msgid "OpenNebula Sunstone configuration to accept petitions from the proxy" msgstr "" -#: ../../source/administration/sunstone_gui/suns_auth.rst:94 +#: ../../source/administration/sunstone_gui/suns_auth.rst:123 msgid "" "If you want to try out the SSL setup easily, you can find in the following " "lines an example to set a self-signed certificate to be used by a web server" 
@@ -185,95 +234,95 @@ msgid "" "Sunstone." msgstr "" -#: ../../source/administration/sunstone_gui/suns_auth.rst:96 +#: ../../source/administration/sunstone_gui/suns_auth.rst:125 msgid "" "Let's assume the server where the proxy is going to be started is called " "``cloudserver.org``. Therefore, the steps are:" msgstr "" -#: ../../source/administration/sunstone_gui/suns_auth.rst:99 +#: ../../source/administration/sunstone_gui/suns_auth.rst:128 msgid "Step 1: Server Certificate (Snakeoil)" msgstr "" -#: ../../source/administration/sunstone_gui/suns_auth.rst:101 +#: ../../source/administration/sunstone_gui/suns_auth.rst:130 msgid "" "We are going to generate a snakeoil certificate. If using an Ubuntu system " "follow the next steps (otherwise your milleage may vary, but not a lot):" msgstr "" -#: ../../source/administration/sunstone_gui/suns_auth.rst:103 +#: ../../source/administration/sunstone_gui/suns_auth.rst:132 msgid "Install the ``ssl-cert`` package" msgstr "" -#: ../../source/administration/sunstone_gui/suns_auth.rst:109 +#: ../../source/administration/sunstone_gui/suns_auth.rst:138 msgid "Generate the certificate" msgstr "" -#: ../../source/administration/sunstone_gui/suns_auth.rst:115 +#: ../../source/administration/sunstone_gui/suns_auth.rst:144 msgid "" "As we are using lighttpd, we need to append the private key with the " "certificate to obtain a server certificate valid to lighttpd" msgstr "" -#: ../../source/administration/sunstone_gui/suns_auth.rst:122 +#: ../../source/administration/sunstone_gui/suns_auth.rst:150 msgid "Step 2: SSL HTTP Proxy" msgstr "" -#: ../../source/administration/sunstone_gui/suns_auth.rst:125 +#: ../../source/administration/sunstone_gui/suns_auth.rst:153 msgid "lighttpd" msgstr "" -#: ../../source/administration/sunstone_gui/suns_auth.rst:127 +#: ../../source/administration/sunstone_gui/suns_auth.rst:156 msgid "" "You will need to edit the ``/etc/lighttpd/lighttpd.conf`` configuration file" " and" msgstr "" -#: 
../../source/administration/sunstone_gui/suns_auth.rst:129 +#: ../../source/administration/sunstone_gui/suns_auth.rst:158 msgid "Add the following modules (if not present already)" msgstr "" -#: ../../source/administration/sunstone_gui/suns_auth.rst:131 +#: ../../source/administration/sunstone_gui/suns_auth.rst:160 msgid "mod\\_access" msgstr "" -#: ../../source/administration/sunstone_gui/suns_auth.rst:132 +#: ../../source/administration/sunstone_gui/suns_auth.rst:161 msgid "mod\\_alias" msgstr "" -#: ../../source/administration/sunstone_gui/suns_auth.rst:133 +#: ../../source/administration/sunstone_gui/suns_auth.rst:162 msgid "mod\\_proxy" msgstr "" -#: ../../source/administration/sunstone_gui/suns_auth.rst:134 +#: ../../source/administration/sunstone_gui/suns_auth.rst:163 msgid "mod\\_accesslog" msgstr "" -#: ../../source/administration/sunstone_gui/suns_auth.rst:135 +#: ../../source/administration/sunstone_gui/suns_auth.rst:164 msgid "mod\\_compress" msgstr "" -#: ../../source/administration/sunstone_gui/suns_auth.rst:137 +#: ../../source/administration/sunstone_gui/suns_auth.rst:166 msgid "" "Change the server port to 443 if you are going to run lighttpd as root, or " "any number above 1024 otherwise:" msgstr "" -#: ../../source/administration/sunstone_gui/suns_auth.rst:143 +#: ../../source/administration/sunstone_gui/suns_auth.rst:172 msgid "Add the proxy module section:" msgstr "" -#: ../../source/administration/sunstone_gui/suns_auth.rst:163 +#: ../../source/administration/sunstone_gui/suns_auth.rst:192 msgid "" "The host must be the server hostname of the computer running the Sunstone " "server, and the port the one that the Sunstone Server is running on." 
msgstr "" -#: ../../source/administration/sunstone_gui/suns_auth.rst:166 +#: ../../source/administration/sunstone_gui/suns_auth.rst:194 msgid "nginx" msgstr "" -#: ../../source/administration/sunstone_gui/suns_auth.rst:168 +#: ../../source/administration/sunstone_gui/suns_auth.rst:197 msgid "" "You will need to configure a new virtual host in nginx. Depending on the " "operating system and the method of installation, nginx loads virtual host " @@ -281,28 +330,28 @@ msgid "" "enabled``." msgstr "" -#: ../../source/administration/sunstone_gui/suns_auth.rst:170 +#: ../../source/administration/sunstone_gui/suns_auth.rst:199 msgid "A sample ``cloudserver.org`` virtual host is presented next:" msgstr "" -#: ../../source/administration/sunstone_gui/suns_auth.rst:204 +#: ../../source/administration/sunstone_gui/suns_auth.rst:233 msgid "" "The IP address and port number used in ``upstream`` must be the ones of the " "server Sunstone is running on. On typical installations the nginx master " "process is run as user root so you don't need to modify the HTTPS port." msgstr "" -#: ../../source/administration/sunstone_gui/suns_auth.rst:207 +#: ../../source/administration/sunstone_gui/suns_auth.rst:236 msgid "Step 3: Sunstone Configuration" msgstr "" -#: ../../source/administration/sunstone_gui/suns_auth.rst:209 +#: ../../source/administration/sunstone_gui/suns_auth.rst:238 msgid "" "Start the Sunstone server using the default values, this way the server will" " be listening at localhost:9869." msgstr "" -#: ../../source/administration/sunstone_gui/suns_auth.rst:211 +#: ../../source/administration/sunstone_gui/suns_auth.rst:240 msgid "" "Once the proxy server is started, OpenNebula Sunstone requests using HTTPS " "URIs can be directed to ``https://cloudserver.org:8443``, that will then be " diff --git a/source/locale/es/LC_MESSAGES/administration/sunstone_gui/sunstone.po b/source/locale/es/LC_MESSAGES/administration/sunstone_gui/sunstone.po index 4e2869f34e..3e38d976f8 100644 
--- a/source/locale/es/LC_MESSAGES/administration/sunstone_gui/sunstone.po +++ b/source/locale/es/LC_MESSAGES/administration/sunstone_gui/sunstone.po @@ -222,7 +222,7 @@ msgstr "" #: ../../source/administration/sunstone_gui/sunstone.rst:80 msgid "" "Authentication driver for incoming requests. Possible values are " -"``sunstone``, ``opennebula`` and ``x509``. Check :ref:`authentication " +"``sunstone``, ``opennebula``, ``remote`` and ``x509``. Check :ref:`authentication " "methods ` for more info" msgstr "" diff --git a/source/locale/es/LC_MESSAGES/advanced_administration/scalability/suns_advance.po b/source/locale/es/LC_MESSAGES/advanced_administration/scalability/suns_advance.po index 9fddb87469..b8b77e7fbd 100644 --- a/source/locale/es/LC_MESSAGES/advanced_administration/scalability/suns_advance.po +++ b/source/locale/es/LC_MESSAGES/advanced_administration/scalability/suns_advance.po 
@@ -250,11 +250,41 @@ msgid "" msgstr "" #: ../../source/advanced_administration/scalability/suns_advance.rst:134 -msgid "Running Sunstone in Multiple Servers" +msgid "Running Sunstone with Passenger using FreeIPA/Kerberos auth in Apache" msgstr "" #: ../../source/advanced_administration/scalability/suns_advance.rst:136 msgid "" +"It is also possible to use Sunstone ``remote`` authentication with Apache " +"and Passenger. The configuration in this case is quite similar to Passenger " +"configuration but we must include the Apache auth module line. How to " +"configure freeIPA server and Kerberos is outside of the scope of this " +"document, you can get more info in `FreeIPA Apache setup example " +"`__" +msgstr "" + +#: ../../source/advanced_administration/scalability/suns_advance.rst:142 +msgid "" +"As example to include Kerberos authentication we can use two different " +"modules: ``mod_auth_gssapi`` or ``mod_authnz_pam``." +"And generate the keytab for http service, here is an example with Passenger:" +msgstr "" + +#: ../../source/advanced_administration/scalability/suns_advance.rst:166 +msgid "" +"Now our configuration is ready to use Passenger and Kerberos, restart -or " +"reload apache configuration- and point to the virtual host using a valid " +"ticket to check if everything is running." +msgstr "" + + + +#: ../../source/advanced_administration/scalability/suns_advance.rst:169 +msgid "Running Sunstone in Multiple Servers" +msgstr "" + +#: ../../source/advanced_administration/scalability/suns_advance.rst:171 +msgid "" "You can run Sunstone in several servers and use a load balancer that " "connects to them. Make sure you are using ``memcache`` for sessions and both" " Sunstone servers connect to the same ``memcached`` server. To do this "
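Review bot: The `remote Auth` heading in the suns_auth.rst hunk has an underline (`---------`) shorter than the title text, which Sphinx reports as "Title underline too short"; extend it to at least 11 dashes. Two further points in the same hunk: the text says "one of the following commands" but lists a single `oneuser chauth` command, so either add the second command or say "the following command"; and because the section states that OpenNebula does not check the ticket itself and relies entirely on the container populating `REMOTE_USER`, the docs should say explicitly that the Sunstone port (9869 by default, per the SSL proxy section) must only be reachable through the authenticating Apache front end, so every login request passes through the module that sets `REMOTE_USER`. The `.. code::` blocks would also read better with a language, e.g. `.. code:: bash`, as the shell commands are rendered without highlighting otherwise.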
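Review bot: The Apache example in the suns_advance.rst hunk references `GssapiCredStore keytab:/etc/http.keytab`, but the surrounding text only says "generate the keytab for http service" without showing the step or the file permissions, so a reader cannot reproduce it; add the keytab creation step (or a link to the FreeIPA guide section that covers it) and state that the keytab must be readable only by the user Apache runs as. The sentence "we can use two different modules: ``mod_auth_gssapi`` or ``mod_authnz_pam`` And generate the keytab ..." lacks a period and a paragraph break, and only `mod_auth_gssapi` is actually shown, so either drop the `mod_authnz_pam` mention or add its equivalent configuration. Wording nits in the same hunk: "Only is possible to access to this dir using a valid ticket" → "This directory is only accessible with a valid ticket", and "acces" → "access" in the note.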
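Review bot: Several new msgids in the suns_auth.po `@@ -150,34 +150,83 @@` hunk do not match the .rst source they reference, so gettext will never apply their translations: the rst:86 entry writes ``REMOTE\_USER`` with a backslash while the source has ``REMOTE_USER``; rst:106 says "fetched from Kerberos/freeIPA" while the source says "fetched from Kerberos server or a remote authentication service."; rst:108 says "a valid Kerberos ticket" where the source says "a valid ticket"; and rst:110 says "Authentication of the Kerberos ticket" where the source says "Authentication of the remote ticket". Regenerate the .po from the source with the Sphinx gettext builder rather than editing msgids by hand, so the strings and the `rst:NNN` line references stay in sync.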
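Review bot: The rst:142 msgid in the suns_advance.po hunk is assembled from two string fragments with no separator, giving "``mod_authnz_pam``.And generate the keytab", and it also adds a period that the .rst source does not have, so it will not match the source paragraph and the translation will be ignored; fix the fragment boundary (or regenerate the file) so the msgid equals the source text exactly. Minor: the three blank lines before the rst:169 entry should be one.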