Bug #4343
encode_user_password is not compatible with core auth non ASCII password
| Status: | Closed | Start date: | 02/18/2016 |
|---|---|---|---|
| Priority: | High | Due date: | |
| Assignee: | - | % Done: | 0% |
| Category: | Sunstone | | |
| Target version: | Release 5.2 | | |
| Resolution: | fixed | Pull request: | |
| Affected Versions: | OpenNebula 4.10, OpenNebula 4.14 | | |

Description
Hello,
As explained on the forum, we have an issue with password encoding:
- our OpenNebula uses LDAP authentication for most users, so I enabled :encode_user_password as described in the configuration file
- some of our users use the core authentication and have non-ASCII characters in their password
- these users can authenticate through CLI
- these users can't authenticate through Sunstone
I reproduced the problem with a test user, here is the HTTP dialog between sunstone and OpenNebula XML RPC (formatted for readability):
- create a test user
    oneuser create test Testuserwithé
    echo 'test:Testuserwithé' > ~/test_one_auth
- activate password encoding
    sed -i -E 's,^#(:encode),\1,' /etc/one/sunstone-server.conf
    service opennebula-sunstone restart
- try CLI login
    ONE_AUTH=~/test_one_auth oneuser list -l NAME
    NAME
    test
- capture packets with tshark/tcpdump
- try login with Sunstone, here is a wireshark display of capture during login
    POST /login HTTP/1.1
    Host: igor.eole.lan
    User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:42.0) Gecko/20100101 Firefox/42.0 Iceweasel/42.0
    Accept: */*
    Accept-Language: en-US,en;q=0.5
    Accept-Encoding: gzip, deflate
    DNT: 1
    Content-Type: application/x-www-form-urlencoded; charset=UTF-8
    Authorization: Basic dGVzdDpUZXN0dXNlcndpdGjDqQ==
    X-Requested-With: XMLHttpRequest
    Referer: http://igor.eole.lan/login
    Content-Length: 14
    Cookie: sunstone=2186eaf4cd50d4c4c95450d9761ff3d3b3a3da1b3005fec705837e8a64b08c33; one-user=test
    Connection: keep-alive
    Pragma: no-cache
    Cache-Control: no-cache

    remember=false
The Authorization field is the base64 encoding of test:Testuserwithé.
Regards.
Associated revisions
Bug #4343: Remove default encoding, perform only as fallback
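
The mismatch reported above and the fallback order named in the commit message, as an added example (not code from the report or from OpenNebula). It assumes that the core driver compares a SHA-1 digest of the submitted password with a stored one and that `:encode_user_password` percent-encodes the value; the function names are hypothetical.

```ruby
require 'digest'
require 'uri'

# Authorization value copied from the captured Sunstone login request.
CAPTURED_BASIC = 'dGVzdDpUZXN0dXNlcndpdGjDqQ=='

# Decode an HTTP Basic credential into [user, password] (UTF-8 strings).
def decode_basic(b64)
  b64.unpack1('m').force_encoding(Encoding::UTF_8).split(':', 2)
end

# Stand-in for the :encode_user_password step (ASSUMPTION: percent-encoding).
def sunstone_encode(secret)
  URI.encode_www_form_component(secret)
end

# ASSUMPTION: the core driver compares a SHA-1 hex digest of what it receives
# with the digest stored when the user was created.
def core_auth_ok?(stored_digest, submitted)
  Digest::SHA1.hexdigest(submitted) == stored_digest
end

# One reading of "perform only as fallback": submit the raw secret first and
# retry with the encoded form only if that fails. The block stands for the
# auth driver's check. Returns :raw, :encoded or nil.
def login_with_fallback(secret)
  return :raw if yield(secret)
  return :encoded if yield(sunstone_encode(secret))
  nil
end

user, password = decode_basic(CAPTURED_BASIC)
stored = Digest::SHA1.hexdigest(password) # digest of the password as created

puts "user=#{user} encoded password=#{sunstone_encode(password)}"
puts "raw password accepted (CLI path):      #{core_auth_ok?(stored, password)}"
puts "encoded password accepted (Sunstone):  #{core_auth_ok?(stored, sunstone_encode(password))}"
puts "ASCII-only password changed by encode: #{sunstone_encode('Testuser') != 'Testuser'}"
puts "fallback result for core driver:       #{login_with_fallback(password) { |s| core_auth_ok?(stored, s) }}"
```

An ASCII-only password passes through the encoding unchanged, which is why only accounts with non-ASCII or reserved characters in the password are locked out of Sunstone.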
History
#1 Updated by Ruben S. Montero over 5 years ago
- Target version set to Release 5.0
#2 Updated by Carlos Martín about 5 years ago
- Status changed from Pending to New
- Priority changed from Normal to High
- Target version changed from Release 5.0 to Release 5.2
Thank you for reporting this.
For the time being this will be left as a known issue, we may not have time to fix it before the 5.0 final release.
The discussed solution is to remove the url encoding from sunstone, and move it to the core.
The core will encode the user & password before sending it to the drivers, and here we have two options:
- Do this for all the auth drivers
- Define in oned.conf which ones expect the parameters encoded
#3 Updated by Ruben S. Montero almost 5 years ago
- Status changed from New to Closed
- Resolution set to fixed