Bug #4343

encode_user_password is not compatible with core auth non ASCII password

Added by EOLE Team over 5 years ago. Updated almost 5 years ago.

Status:ClosedStart date:02/18/2016
Priority:HighDue date:
Assignee:-% Done:

0%

Category:Sunstone
Target version:Release 5.2
Resolution:fixed Pull request:
Affected Versions:OpenNebula 4.10, OpenNebula 4.14

Description

Hello,

As explained on the forum, we have issue with password encoding:

  • our OpenNebula use LDAP authentication for most users, so I enabled :encode_user_password as describe in the configuration file
  • some of our users use the core authentication and have non ASCII characters in their password
  • theses users can authenticate through CLI
  • theses users can't authenticate through Sunstone

I reproduced the problem with a test user, here is the HTTP dialog between sunstone and OpenNebula XML RPC (formated for readability):

  • create a test user
    oneuser create test Testuserwithé
echo 'test:Testuserwithé' > ~/test_one_auth
  • activate password encoding
    sed -i -E 's,^#(:encode),\1,' /etc/one/sunstone-server.conf
service opennebula-sunstone restart
  • try CLI login
    ONE_AUTH=~/test_one_auth oneuser list -l NAME
NAME
test
  • capture packets with tshark/tcpdump
  • try login with Sunstone, here is a wireshark display of capture during login
    POST /login HTTP/1.1
Host: igor.eole.lan
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:42.0) Gecko/20100101
Firefox/42.0 Iceweasel/42.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
DNT: 1
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Authorization: Basic dGVzdDpUZXN0dXNlcndpdGjDqQ==
X-Requested-With: XMLHttpRequest
Referer: http://igor.eole.lan/login
Content-Length: 14
Cookie: sunstone=2186eaf4cd50d4c4c95450d9761ff3d3b3a3da1b3005fec705837e8a64b08c33; one-user=test
Connection: keep-alive
Pragma: no-cache
Cache-Control: no-cache
remember=false

The Authorization field is base64 encoding of test:Testuserwithé.

Regards.

Associated revisions

Revision 1a1d056d
Added by Carlos Martín almost 5 years ago

Bug #4343: Remove default encoding, perform only as fallback

History

#1 Updated by Ruben S. Montero over 5 years ago

  • Target version set to Release 5.0

#2 Updated by Carlos Martín about 5 years ago

  • Status changed from Pending to New
  • Priority changed from Normal to High
  • Target version changed from Release 5.0 to Release 5.2

Thank you for reporting this.

For the time been this will be left as a known issue, we may not have time to fix it before the 5.0 final release.

The discussed solution is to remove the url encoding from sunstone, and move it to the core.
The core will encode the user & password before sending it to the drivers, and here we have two options:

  • Do this for all the auth drivers
  • Define in oned.conf which ones expect the parameters encoded

#3 Updated by Ruben S. Montero almost 5 years ago

  • Status changed from New to Closed
  • Resolution set to fixed

Also available in: Atom PDF