Include Sunstone remote auth doc and apache+passenger+kerberos example

source/administration/sunstone_gui/suns_auth.rst

@@ -80,6 +80,35 @@ Note that OpenNebula will not verify that the user is holding a valid certificat
 
 .. warning:: Sunstone x509 auth method only handles the authentication of the user at the time of login. Authentication of the user certificate is a complementary setup, which can rely on Apache.
 
+remote Auth
+---------
+
+This method is similar to x509 auth. It performs the login to OpenNebula based on a Kerberos ``REMOTE_USER``. The ``USER@DOMAIN`` is extracted from ``REMOTE_USER`` variable and matched to the password value in the user database.
+
+The user password has to be changed running one of the following commands:
+
+.. code::
+
+    oneuser chauth new_user x509 "new_user@DOMAIN"
+
+New users with this authentication method should be created as follows:
+
+.. code::
+
+    oneuser create new_user "new_user@DOMAIN" --driver x509
+
+To enable this login method, set the ``:auth:`` option of ``/etc/one/sunstone-server.conf`` to ``remote``:
+
+.. code::
+
+        :auth: remote
+
+The login screen will not display the username and password fields anymore, as all information is fetched from Kerberos server or a remote authentication service.
+
+Note that OpenNebula will not verify that the user is holding a valid Kerberos ticket at the time of login: this is expected to be done by the external container of the Sunstone server (normally Apache), whose job is to tell the user's browser that the site requires a valid ticket to login.
+
+.. warning:: Sunstone remote auth method only handles the authentication of the user at the time of login. Authentication of the remote ticket is a complementary setup, which can rely on Apache.
+
 Configuring a SSL Proxy
 =======================
 
@@ -180,7 +209,7 @@ You will need to configure a new virtual host in nginx. Depending on the operati
     server {
             listen 80;
             server_name cloudserver.org;
-            
+
             ### Permanent redirect to HTTPS (optional)
             return 301 https://$server_name:8443;
     }
@@ -189,7 +218,7 @@ You will need to configure a new virtual host in nginx. Depending on the operati
     server {
             listen 8443;
             server_name cloudserver.org;
-            
+
             ### SSL Parameters
             ssl on;
             ssl_certificate /etc/ssl/certs/ssl-cert-snakeoil.pem;

source/administration/sunstone_gui/sunstone.rst

@@ -86,7 +86,7 @@ Available options are:
 +---------------------------+--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
 | :env                      | Excution environment for Sunstone. ``dev``, Instead of pulling the minified js all the files will be pulled (app/main.js). Check the :ref:`Building from Source <compile>` guide in the docs, for details on how to run Sunstone in development. ``prod``, the minified js will be used (dist/main.js) |
 +---------------------------+--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
-| :auth                     | Authentication driver for incoming requests. Possible values are ``sunstone``, ``opennebula`` and ``x509``. Check :ref:`authentication methods <authentication>` for more info                                                                                                                         |
+| :auth                     | Authentication driver for incoming requests. Possible values are ``sunstone``, ``opennebula``, ``remote`` and ``x509``. Check :ref:`authentication methods <authentication>` for more info                                                                                                                         |
 +---------------------------+--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
 | :core\_auth               | Authentication driver to communicate with OpenNebula core. Possible values are ``x509`` or ``cipher``. Check :ref:`cloud\_auth <cloud_auth>` for more information                                                                                                                                      |
 +---------------------------+--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+

source/advanced_administration/scalability/suns_advance.rst

@@ -140,7 +140,6 @@ Next thing we have to do is configure the virtual host that will run our Sunston
 
 Now the configuration should be ready, restart -or reload apache configuration- to start the application and point to the virtual host to check if everything is running.
 
-
 Running Sunstone behind nginx SSL Proxy
 ---------------------------------------
 
@@ -184,6 +183,40 @@ And this is the changes that have to be made to sunstone-server.conf:
 
 If using a selfsigned cert, the connection to VNC window in Sunstone will fail, either get a real cert, or manually accept the selfsigned cert in your browser before trying it with Sunstone.  Now, VNC sessions should show "encrypted" in the title.
 
+Running Sunstone with Passenger using FreeIPA/Kerberos auth in Apache
+---------------------------------------------------------------------
+
+It is also possible to use Sunstone ``remote`` authentication with Apache and Passenger. The configuration in this case is quite similar to Passenger configuration but we must include the Apache auth module line. How to configure freeIPA server and Kerberos is outside of the scope of this document, you can get more info in `FreeIPA Apache setup example <http://www.freeipa.org/page/Web_App_Authentication/Example_setup>`__
+
+As example to include Kerberos authentication we can use two different modules: ``mod_auth_gssapi`` or ``mod_authnz_pam``
+And generate the keytab for http service, here is an example with Passenger:
+
+.. code::
+
+    LoadModule auth_gssapi_module modules/mod_auth_gssapi.so
+
+    <VirtualHost *:80>
+      ServerName sunstone-server
+      PassengerUser oneadmin
+      # !!! Be sure to point DocumentRoot to 'public'!
+      DocumentRoot /usr/lib/one/sunstone/public
+      <Directory /usr/lib/one/sunstone/public>
+         # Only is possible to access to this dir using a valid ticket
+         AuthType GSSAPI
+         AuthName "EXAMPLE.COM login"
+         GssapiCredStore keytab:/etc/http.keytab
+         Require valid-user
+         ErrorDocument 401 '<html><meta http-equiv="refresh" content="0; URL=https://yourdomain"><body>Kerberos authentication did not pass.</body></html>'
+         AllowOverride all
+         # MultiViews must be turned off.
+         Options -MultiViews
+      </Directory>
+    </VirtualHost>
+
+.. note:: User must generate a valid ticket running ``kinit`` to get acces to Sunstone service. You can also set a custom 401 document to warn users about any authentication failure.
+
+Now our configuration is ready to use Passenger and Kerberos, restart -or reload apache configuration- and point to the virtual host using a valid ticket to check if everything is running.
+
 Running Sunstone in Multiple Servers
 ------------------------------------
 

source/locale/es/LC_MESSAGES/administration/sunstone_gui/suns_auth.po

@@ -1,4 +1,4 @@
-# 
+#
 msgid ""
 msgstr ""
 "Project-Id-Version: OpenNebula 4.6\n"
@@ -36,7 +36,7 @@ msgstr ""
 msgid ""
 "**Web client and Sunstone server**. Authentication is based on the "
 "credentials store in the OpenNebula database for the user. Depending on the "
-"type of this credentials the authentication method can be: basic, x509 and "
+"type of this credentials the authentication method can be: basic, remote, x509 and "
 "opennebula (supporting LDAP or other custom methods)."
 msgstr ""
 
@@ -150,159 +150,208 @@ msgid ""
 msgstr ""
 
 #: ../../source/administration/sunstone_gui/suns_auth.rst:84
-msgid "Configuring a SSL Proxy"
+msgid "remote Auth"
 msgstr ""
 
 #: ../../source/administration/sunstone_gui/suns_auth.rst:86
 msgid ""
+"This method is similar to x509 auth. It performs the login to OpenNebula "
+"based on a Kerberos ``REMOTE\_USER``. The ``USER@DOMAIN`` is extracted from "
+"``REMOTE\_USER`` variable and matched to the password value in the user database."
+msgstr ""
+
+#: ../../source/administration/sunstone_gui/suns_auth.rst:88
+msgid ""
+"The user password has to be changed running one of the following commands:"
+msgstr ""
+
+#: ../../source/administration/sunstone_gui/suns_auth.rst:94
+msgid ""
+"New users with this authentication method should be created as follows:"
+msgstr ""
+
+#: ../../source/administration/sunstone_gui/suns_auth.rst:100
+msgid ""
+"To enable this login method, set the ``:auth:`` option of "
+"``/etc/one/sunstone-server.conf`` to ``remote``:"
+msgstr ""
+
+#: ../../source/administration/sunstone_gui/suns_auth.rst:106
+msgid ""
+"The login screen will not display the username and password fields anymore, "
+"as all information is fetched from Kerberos/freeIPA"
+msgstr ""
+
+#: ../../source/administration/sunstone_gui/suns_auth.rst:108
+msgid ""
+"Note that OpenNebula will not verify that the user is holding a valid "
+"Kerberos ticket at the time of login: this is expected to be done by the "
+"external container of the Sunstone server (normally Apache), whose job is to "
+"tell the user's browser that the site requires a valid Kerberos ticket to "
+"login."
+msgstr ""
+
+#: ../../source/administration/sunstone_gui/suns_auth.rst:110
+msgid ""
+"Sunstone remote auth method only handles the authentication of the user at "
+"the time of login. Authentication of the Kerberos ticket is a complementary "
+"setup, which can rely on Apache."
+msgstr ""
+
+#: ../../source/administration/sunstone_gui/suns_auth.rst:113
+msgid "Configuring a SSL Proxy"
+msgstr ""
+
+#: ../../source/administration/sunstone_gui/suns_auth.rst:115
+msgid ""
 "OpenNebula Sunstone runs natively just on normal HTTP connections. If the "
 "extra security provided by SSL is needed, a proxy can be set up to handle "
 "the SSL connection that forwards the petition to the Sunstone server and "
 "takes back the answer to the client."
 msgstr ""
 
-#: ../../source/administration/sunstone_gui/suns_auth.rst:88
+#: ../../source/administration/sunstone_gui/suns_auth.rst:117
 msgid "This set up needs:"
 msgstr ""
 
-#: ../../source/administration/sunstone_gui/suns_auth.rst:90
+#: ../../source/administration/sunstone_gui/suns_auth.rst:119
 msgid "A server certificate for the SSL connections"
 msgstr ""
 
-#: ../../source/administration/sunstone_gui/suns_auth.rst:91
+#: ../../source/administration/sunstone_gui/suns_auth.rst:120
 msgid "An HTTP proxy that understands SSL"
 msgstr ""
 
-#: ../../source/administration/sunstone_gui/suns_auth.rst:92
+#: ../../source/administration/sunstone_gui/suns_auth.rst:121
 msgid "OpenNebula Sunstone configuration to accept petitions from the proxy"
 msgstr ""
 
-#: ../../source/administration/sunstone_gui/suns_auth.rst:94
+#: ../../source/administration/sunstone_gui/suns_auth.rst:123
 msgid ""
 "If you want to try out the SSL setup easily, you can find in the following "
 "lines an example to set a self-signed certificate to be used by a web server"
 " configured to act as an HTTP proxy to a correctly configured OpenNebula "
 "Sunstone."
 msgstr ""
 
-#: ../../source/administration/sunstone_gui/suns_auth.rst:96
+#: ../../source/administration/sunstone_gui/suns_auth.rst:125
 msgid ""
 "Let's assume the server where the proxy is going to be started is called "
 "``cloudserver.org``. Therefore, the steps are:"
 msgstr ""
 
-#: ../../source/administration/sunstone_gui/suns_auth.rst:99
+#: ../../source/administration/sunstone_gui/suns_auth.rst:128
 msgid "Step 1: Server Certificate (Snakeoil)"
 msgstr ""
 
-#: ../../source/administration/sunstone_gui/suns_auth.rst:101
+#: ../../source/administration/sunstone_gui/suns_auth.rst:130
 msgid ""
 "We are going to generate a snakeoil certificate. If using an Ubuntu system "
 "follow the next steps (otherwise your milleage may vary, but not a lot):"
 msgstr ""
 
-#: ../../source/administration/sunstone_gui/suns_auth.rst:103
+#: ../../source/administration/sunstone_gui/suns_auth.rst:132
 msgid "Install the ``ssl-cert`` package"
 msgstr ""
 
-#: ../../source/administration/sunstone_gui/suns_auth.rst:109
+#: ../../source/administration/sunstone_gui/suns_auth.rst:138
 msgid "Generate the certificate"
 msgstr ""
 
-#: ../../source/administration/sunstone_gui/suns_auth.rst:115
+#: ../../source/administration/sunstone_gui/suns_auth.rst:144
 msgid ""
 "As we are using lighttpd, we need to append the private key with the "
 "certificate to obtain a server certificate valid to lighttpd"
 msgstr ""
 
-#: ../../source/administration/sunstone_gui/suns_auth.rst:122
+#: ../../source/administration/sunstone_gui/suns_auth.rst:150
 msgid "Step 2: SSL HTTP Proxy"
 msgstr ""
 
-#: ../../source/administration/sunstone_gui/suns_auth.rst:125
+#: ../../source/administration/sunstone_gui/suns_auth.rst:153
 msgid "lighttpd"
 msgstr ""
 
-#: ../../source/administration/sunstone_gui/suns_auth.rst:127
+#: ../../source/administration/sunstone_gui/suns_auth.rst:156
 msgid ""
 "You will need to edit the ``/etc/lighttpd/lighttpd.conf`` configuration file"
 " and"
 msgstr ""
 
-#: ../../source/administration/sunstone_gui/suns_auth.rst:129
+#: ../../source/administration/sunstone_gui/suns_auth.rst:158
 msgid "Add the following modules (if not present already)"
 msgstr ""
 
-#: ../../source/administration/sunstone_gui/suns_auth.rst:131
+#: ../../source/administration/sunstone_gui/suns_auth.rst:160
 msgid "mod\\_access"
 msgstr ""
 
-#: ../../source/administration/sunstone_gui/suns_auth.rst:132
+#: ../../source/administration/sunstone_gui/suns_auth.rst:161
 msgid "mod\\_alias"
 msgstr ""
 
-#: ../../source/administration/sunstone_gui/suns_auth.rst:133
+#: ../../source/administration/sunstone_gui/suns_auth.rst:162
 msgid "mod\\_proxy"
 msgstr ""
 
-#: ../../source/administration/sunstone_gui/suns_auth.rst:134
+#: ../../source/administration/sunstone_gui/suns_auth.rst:163
 msgid "mod\\_accesslog"
 msgstr ""
 
-#: ../../source/administration/sunstone_gui/suns_auth.rst:135
+#: ../../source/administration/sunstone_gui/suns_auth.rst:164
 msgid "mod\\_compress"
 msgstr ""
 
-#: ../../source/administration/sunstone_gui/suns_auth.rst:137
+#: ../../source/administration/sunstone_gui/suns_auth.rst:166
 msgid ""
 "Change the server port to 443 if you are going to run lighttpd as root, or "
 "any number above 1024 otherwise:"
 msgstr ""
 
-#: ../../source/administration/sunstone_gui/suns_auth.rst:143
+#: ../../source/administration/sunstone_gui/suns_auth.rst:172
 msgid "Add the proxy module section:"
 msgstr ""
 
-#: ../../source/administration/sunstone_gui/suns_auth.rst:163
+#: ../../source/administration/sunstone_gui/suns_auth.rst:192
 msgid ""
 "The host must be the server hostname of the computer running the Sunstone "
 "server, and the port the one that the Sunstone Server is running on."
 msgstr ""
 
-#: ../../source/administration/sunstone_gui/suns_auth.rst:166
+#: ../../source/administration/sunstone_gui/suns_auth.rst:194
 msgid "nginx"
 msgstr ""
 
-#: ../../source/administration/sunstone_gui/suns_auth.rst:168
+#: ../../source/administration/sunstone_gui/suns_auth.rst:197
 msgid ""
 "You will need to configure a new virtual host in nginx. Depending on the "
 "operating system and the method of installation, nginx loads virtual host "
 "configurations from either ``/etc/nginx/conf.d`` or ``/etc/nginx/sites-"
 "enabled``."
 msgstr ""
 
-#: ../../source/administration/sunstone_gui/suns_auth.rst:170
+#: ../../source/administration/sunstone_gui/suns_auth.rst:199
 msgid "A sample ``cloudserver.org`` virtual host is presented next:"
 msgstr ""
 
-#: ../../source/administration/sunstone_gui/suns_auth.rst:204
+#: ../../source/administration/sunstone_gui/suns_auth.rst:233
 msgid ""
 "The IP address and port number used in ``upstream`` must be the ones of the "
 "server Sunstone is running on. On typical installations the nginx master "
 "process is run as user root so you don't need to modify the HTTPS port."
 msgstr ""
 
-#: ../../source/administration/sunstone_gui/suns_auth.rst:207
+#: ../../source/administration/sunstone_gui/suns_auth.rst:236
 msgid "Step 3: Sunstone Configuration"
 msgstr ""
 
-#: ../../source/administration/sunstone_gui/suns_auth.rst:209
+#: ../../source/administration/sunstone_gui/suns_auth.rst:238
 msgid ""
 "Start the Sunstone server using the default values, this way the server will"
 " be listening at localhost:9869."
 msgstr ""
 
-#: ../../source/administration/sunstone_gui/suns_auth.rst:211
+#: ../../source/administration/sunstone_gui/suns_auth.rst:240
 msgid ""
 "Once the proxy server is started, OpenNebula Sunstone requests using HTTPS "
 "URIs can be directed to ``https://cloudserver.org:8443``, that will then be "

source/locale/es/LC_MESSAGES/administration/sunstone_gui/sunstone.po

@@ -222,7 +222,7 @@ msgstr ""
 #: ../../source/administration/sunstone_gui/sunstone.rst:80
 msgid ""
 "Authentication driver for incoming requests. Possible values are "
-"``sunstone``, ``opennebula`` and ``x509``. Check :ref:`authentication "
+"``sunstone``, ``opennebula``, ``remote`` and ``x509``. Check :ref:`authentication "
 "methods <authentication>` for more info"
 msgstr ""