OpenNebula/one#6430: Refactor references section
Refactor:
* Overview
* Building from Source Code
* Build Dependencies
* Sunstone Development
* FireEdge Sunstone Development
* Cloud Servers Authentication
* Virtual Machines State Reference
* Image States Reference
* What's New
* Platform Notes
* Secondary Platforms
* Compatibility Guide
* Known Issues
* Acknowledgements
* What is OpenNebula CE
* What is OpenNebula EE

Signed-off-by: Victor Hansson <[email protected]>
vichansson committed Jul 12, 2024
1 parent 2f296da commit ba8e1a1
Showing 4 changed files with 60 additions and 155 deletions.
89 changes: 7 additions & 82 deletions source/integration_and_development/references/cloud_auth.rst
Expand Up @@ -4,38 +4,20 @@
Cloud Servers Authentication
=============================

When a user interacts with :ref:`Sunstone <sunstone>`, the server authenticates the request and then forwards the requested operation to the OpenNebula daemon.
When a user interacts with :ref:`Sunstone <fireedge>`, the server authenticates the request and then forwards the requested operation to the OpenNebula daemon.

The forwarded requests between the server and the core daemon include the original user name, and are signed with the credentials of a special ``server`` user.

In this guide this request forwarding mechanism is explained, and how it is secured with a symmetric-key algorithm or x509 certificates.
In this guide this request forwarding mechanism is explained, and how it is secured with a symmetric-key algorithm.

Server Users
============

The :ref:`Sunstone <sunstone>` server communicate with the core using a ``server`` user. OpenNebula creates the **serveradmin** account at bootstrap, with the authentication driver **server\_cipher** (symmetric key).
The :ref:`Sunstone <fireedge>` server communicate with the core using a ``server`` user. OpenNebula creates the **serveradmin** account at bootstrap, with the authentication driver **server\_cipher** (symmetric key).

This ``server`` user uses a special authentication mechanism that allows the servers to perform an operation on behalf of another user.

You can strengthen the security of the requests from the servers to the core daemon by changing the serveruser's driver to **server\_x509**. This is specially relevant if you are running your server in a machine other than the frontend.

Please note that you can have as many users with a **server\_**\ \* driver as you need. For example, you may want to have Sunstone configured with a user with **server\_x509** driver, and EC2 with **server\_cipher**.

Symmetric Key
=============

Enable
------

This mechanism is enabled by default, you will have a user named **serveradmin** with driver **server\_cipher**.

To use it, you need a user with the driver **server\_cipher**. Enable it in the relevant configuration file in ``/etc/one``:

- :ref:`Sunstone <sunstone>`: ``/etc/one/sunstone-server.conf``

.. code-block:: yaml
:core_auth: cipher
Please note that you can have as many users with a **server\_**\ \* driver as you need.

Configure
---------
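Review bot: the reader loses the answer to where ``:core_auth:`` is set for the FireEdge server. The removed Enable subsection pointed at ``/etc/one/sunstone-server.conf`` with ``:core_auth: cipher``, and the new ``:ref:`Sunstone <fireedge>``` lines do not say which FireEdge configuration file takes over that setting; add that pointer under Configure. The same hunk drops the paragraph recommending **server\_x509** when the server runs on a machine other than the front-end; if the driver is no longer supported, say so in one sentence, and if it still exists in the core, keep the remote-server recommendation. Two smaller points: "server communicate with the core" should read "server communicates with the core", and the retained sentence "you can have as many users with a **server\_**\ \* driver as you need" has lost the example that motivated it, so either drop it or state that it now applies to **server\_cipher** only.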
Expand All @@ -58,63 +40,6 @@ You must update the configuration files in ``/var/lib/one/.one`` if you change t
:one_xmlrpc: https://frontend:2634/RPC2
x509 Encryption
===============

Enable
------

To enable it, change the authentication driver of the **serveradmin** user, or create a new user with the driver **server_x509**:

.. prompt:: bash $ auto

$ oneuser chauth serveradmin server_x509
$ oneuser passwd serveradmin --x509 --cert usercert.pem

The serveradmin account should look like:

.. prompt:: bash $ auto

$ oneuser list

ID GROUP NAME AUTH PASSWORD
0 oneadmin oneadmin core c24783ba96a35464632a624d9f829136edc0175e
1 oneadmin serveradmin server_x /C=ES/O=ONE/OU=DEV/CN=server

You need to edit ``/etc/one/auth/server_x509_auth.conf`` and uncomment all the fields. The defaults should work:

.. code-block:: yaml
# User to be used for x509 server authentication
:srv_user: serveradmin
# Path to the certificate used by the OpenNebula Services
# Certificates must be in PEM format
:one_cert: "/etc/one/auth/cert.pem"
:one_key: "/etc/one/auth/pk.pem"
Copy the certificate and the private key to the paths set in ``:one_cert:`` and ``:one_key:``, or simply update the paths.

Then edit the relevant configuration file in ``/etc/one``:

- :ref:`Sunstone <sunstone>`: ``/etc/one/sunstone-server.conf``

.. code-block:: yaml
:core_auth: x509
Configure
---------

To trust the serveradmin certificate (``/etc/one/auth/cert.pem`` if you used the default path) the CA's certificate must be added to the ``ca_dir`` defined in ``/etc/one/auth/x509_auth.conf``. See the :ref:`x509 Authentication guide for more information <x509_auth>`.

.. prompt:: bash $ auto

$ openssl x509 -noout -hash -in cacert.pem
78d0bbd8

$ sudo cp cacert.pem /etc/one/auth/certificates/78d0bbd8.0

Tuning & Extending
==================

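Review bot: the x509 Encryption section disappears without a migration or deprecation note. A deployment that earlier followed ``oneuser chauth serveradmin server_x509`` and ``oneuser passwd serveradmin --x509 --cert usercert.pem`` has a serveradmin whose AUTH column shows ``server_x``, and after this change finds no instruction on moving that account back to **server\_cipher** (the same ``oneuser chauth`` / ``oneuser passwd`` form shown in the removed lines would apply). One sentence under Configure covering this is enough. Since the remaining ``:one_xmlrpc: https://frontend:2634/RPC2`` context is now the only transport protection mentioned once x509 request signing is gone, it is also worth stating there that the endpoint must stay HTTPS when the server is not on the front-end.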
Expand All @@ -129,19 +54,19 @@ You can find the drivers in these paths:
Authentication Session String
-----------------------------

OpenNebula users with the driver **server\_cipher** or **server\_x509** use a special authentication session string (the first parameter of the :ref:`XML-RPC calls <api>`). A regular authentication token is in the form:
OpenNebula users with the **server\_cipher** driver use a special authentication session string (the first parameter of the :ref:`XML-RPC calls <api>`). A regular authentication token is in the form:

.. code::
username:secret
whereas a user with a **server\_**\ \* driver must use this token format:
whereas a user with the **server\_cipher**\ \* driver must use this token format:

.. code::
username:target_username:secret
The core daemon understands a request with this authentication session token as "perform this operation on behalf of target_user". The ``secret`` part of the token is signed with one of the two mechanisms explained before.
The core daemon understands a request with this authentication session token as "perform this operation on behalf of target_user". The ``secret`` part of the token is signed with the mechanism explained before.

Two Factor Authentication
-------------------------
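Review bot: ``**server\_cipher**\ \*`` on the "whereas" line keeps the wildcard escape from the old ``**server\_**\ \*`` text and will render as "server_cipher*". The sentence now names a single driver, so it should read "whereas a user with the **server\_cipher** driver must use this token format:".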
62 changes: 31 additions & 31 deletions source/integration_and_development/references/compile.rst
Expand Up @@ -33,35 +33,35 @@ Follow these simple steps to install the OpenNebula software:
The argument expression [OPTION=VALUE] is used to set non-default values for :

+----------------+--------------------------------------------------------+
| OPTION | VALUE |
+================+========================================================+
| sqlite\_dir | path-to-sqlite-install |
+----------------+--------------------------------------------------------+
| sqlite | **no** if you don't want to build sqlite support |
+----------------+--------------------------------------------------------+
| mysql | **yes** if you want to build mysql support |
+----------------+--------------------------------------------------------+
| postgresql | **yes** if you want to build PostgreSQL support |
+----------------+--------------------------------------------------------+
| xmlrpc | path-to-xmlrpc-install |
+----------------+--------------------------------------------------------+
| parsers | **yes** if you want to rebuild flex/bison files |
+----------------+--------------------------------------------------------+
| new\_xmlrpc | **yes** if you have an xmlrpc-c version >= 1.31 |
+----------------+--------------------------------------------------------+
| sunstone | **yes** if you want to build sunstone minified files |
+----------------+--------------------------------------------------------+
| fireedge | **yes** if you want to build fireedge minified files |
+----------------+--------------------------------------------------------+
| systemd | **yes** if you want to build systemd support |
+----------------+--------------------------------------------------------+
| rubygems | **yes** if you want to generate ruby gems |
+----------------+--------------------------------------------------------+
| svncterm | **no** to skip building vnc support for LXD drivers |
+----------------+--------------------------------------------------------+
| context | **no** Download guest contextualization packages |
+----------------+--------------------------------------------------------+
+----------------+--------------------------------------------------------------+
| OPTION | VALUE |
+================+==============================================================+
| sqlite\_dir | path-to-sqlite-install |
+----------------+--------------------------------------------------------------+
| sqlite | **no** if you don't want to build sqlite support |
+----------------+--------------------------------------------------------------+
| mysql | **yes** if you want to build mysql support |
+----------------+--------------------------------------------------------------+
| postgresql | **yes** if you want to build PostgreSQL support |
+----------------+--------------------------------------------------------------+
| xmlrpc | path-to-xmlrpc-install |
+----------------+--------------------------------------------------------------+
| parsers | **yes** if you want to rebuild flex/bison files |
+----------------+--------------------------------------------------------------+
| new\_xmlrpc | **yes** if you have an xmlrpc-c version >= 1.31 |
+----------------+--------------------------------------------------------------+
| sunstone | **yes** if you want to build ruby sunstone minified files |
+----------------+--------------------------------------------------------------+
| fireedge | **yes** if you want to build fireedge minified files |
+----------------+--------------------------------------------------------------+
| systemd | **yes** if you want to build systemd support |
+----------------+--------------------------------------------------------------+
| rubygems | **yes** if you want to generate ruby gems |
+----------------+--------------------------------------------------------------+
| svncterm | **no** to skip building vnc support for LXD drivers |
+----------------+--------------------------------------------------------------+
| context | **no** Download guest contextualization packages |
+----------------+--------------------------------------------------------------+

If the following error appears, then you need to remove the option 'new\_xmlrpc=yes' or install xmlrpc-c version >= 1.31:

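Review bot: the only cell whose content changes in this table is the ``sunstone`` row ("build ruby sunstone minified files"); every other changed line is the column widening needed to fit it. Elsewhere in this commit the product is written "Ruby Sunstone" (the ``-s`` install option and the development headings), so capitalise it here as well for consistency, and mention in the commit message that the table rewrite is whitespace-only apart from that row so the diff is easier to review.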
Expand Down Expand Up @@ -98,9 +98,9 @@ where *<install\_options>* can be one or more of:
+--------+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| **-c** | only install client utilities: OpenNebula cli and ec2 client files |
+--------+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| **-s** | install OpenNebula Sunstone |
| **-s** | install OpenNebula Ruby Sunstone |
+--------+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| **-p** | do not install OpenNebula Sunstone non-minified files |
| **-p** | do not install OpenNebula Ruby Sunstone non-minified files |
+--------+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| **-F** | install OpenNebula FireEdge |
+--------+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
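Review bot: the ``-s`` and ``-p`` rows now say "Ruby Sunstone" while the ``-F`` row still says only "FireEdge". Because cloud_auth.rst in this same commit uses the display text "Sunstone" for the ``fireedge`` target, add "(Sunstone)" to the ``-F`` description so a reader of this table can match the two names.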
Expand Up @@ -120,7 +120,7 @@ After testing the changes, the minified files can be generated by running the ``
package.json # List of dev dependencies
routes/ # Custom routes for Sunstone Server
Sunstone Development Dependencies
Ruby Sunstone Development Dependencies
--------------------------------------------------------------------------------

1. Install nodejs v12 and npm v6
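Review bot: the retitled dependency list still begins with "Install nodejs v12 and npm v6". Node.js 12 reached end of life in April 2022 and no longer receives security fixes, so if the Ruby Sunstone build remains supported the pinned versions should be reviewed in the same pass; otherwise the section should say these versions are historical.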
Expand Down Expand Up @@ -306,7 +306,7 @@ Custom Routes for Sunstone Server
:ref:`OpenNebula Sunstone <sunstone>` server plugins consist of a set files defining custom routes. Custom routes will have priority over default routes and allow administrators to integrate their own custom controllers in the Sunstone Server.
Configuring Sunstone Server Plugins
Configuring Ruby Sunstone Server Plugins
--------------------------------------------------------------------------------
It is very easy to enable custom plugins:
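Review bot: the heading becomes "Configuring Ruby Sunstone Server Plugins", but the sentence directly above it still reads ":ref:`OpenNebula Sunstone <sunstone>` server plugins" and links to the ``sunstone`` target, while cloud_auth.rst in this commit switched its references to ``<fireedge>``. Rename the paragraph to "Ruby Sunstone" and confirm the ``sunstone`` label still resolves after the refactor so Sphinx does not emit an undefined-label warning.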
Expand All @@ -321,10 +321,10 @@ It is very easy to enable custom plugins:
- custom
- other
Creating Sunstone Server Plugins
Creating Ruby Sunstone Server Plugins
--------------------------------------------------------------------------------
Sunstone server is a `Sinatra <http://www.sinatrarb.com/>`__ application. A server plugin is simply a file containing one or several custom routes, as defined in sinatra applications.
Ruby Sunstone server is a `Sinatra <http://www.sinatrarb.com/>`__ application. A server plugin is simply a file containing one or several custom routes, as defined in sinatra applications.
The following example defines 4 custom routes:
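Review bot: "Ruby Sunstone server is a Sinatra application" is missing its article; suggest "The Ruby Sunstone server is a `Sinatra <http://www.sinatrarb.com/>`__ application", and write "as defined in Sinatra applications" with the same capitalisation used earlier in the sentence.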
