Bug #4343

encode_user_password is not compatible with core auth non ASCII password

Added by EOLE Team over 5 years ago. Updated almost 5 years ago.

Status:ClosedStart date:02/18/2016
Priority:HighDue date:
Assignee:-% Done:

0%

Category:Sunstone
Target version:Release 5.2
Resolution:fixed Pull request:
Affected Versions:OpenNebula 4.10, OpenNebula 4.14

Description

Hello,

As explained on the forum, we have issue with password encoding:

  • our OpenNebula use LDAP authentication for most users, so I enabled :encode_user_password as describe in the configuration file
  • some of our users use the core authentication and have non ASCII characters in their password
  • theses users can authenticate through CLI
  • theses users can't authenticate through Sunstone

I reproduced the problem with a test user, here is the HTTP dialog between sunstone and OpenNebula XML RPC (formated for readability):

  • create a test user
    oneuser create test Testuserwithé
    echo 'test:Testuserwithé' > ~/test_one_auth
    
  • activate password encoding
    sed -i -E 's,^#(:encode),\1,' /etc/one/sunstone-server.conf
    service opennebula-sunstone restart
    
  • try CLI login
    ONE_AUTH=~/test_one_auth oneuser list -l NAME
    NAME
    test
    
  • capture packets with tshark/tcpdump
  • try login with Sunstone, here is a wireshark display of capture during login
    POST /login HTTP/1.1
    Host: igor.eole.lan
    User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:42.0) Gecko/20100101
    Firefox/42.0 Iceweasel/42.0
    Accept: */*
    Accept-Language: en-US,en;q=0.5
    Accept-Encoding: gzip, deflate
    DNT: 1
    Content-Type: application/x-www-form-urlencoded; charset=UTF-8
    Authorization: Basic dGVzdDpUZXN0dXNlcndpdGjDqQ==
    X-Requested-With: XMLHttpRequest
    Referer: http://igor.eole.lan/login
    Content-Length: 14
    Cookie: sunstone=2186eaf4cd50d4c4c95450d9761ff3d3b3a3da1b3005fec705837e8a64b08c33; one-user=test
    Connection: keep-alive
    Pragma: no-cache
    Cache-Control: no-cache
    remember=false
    

The Authorization field is base64 encoding of test:Testuserwithé.

Regards.

Associated revisions

Revision 1a1d056d
Added by Carlos Martín almost 5 years ago

Bug #4343: Remove default encoding, perform only as fallback

History

#1 Updated by Ruben S. Montero over 5 years ago

  • Target version set to Release 5.0

#2 Updated by Carlos Martín about 5 years ago

  • Status changed from Pending to New
  • Priority changed from Normal to High
  • Target version changed from Release 5.0 to Release 5.2

Thank you for reporting this.

For the time been this will be left as a known issue, we may not have time to fix it before the 5.0 final release.

The discussed solution is to remove the url encoding from sunstone, and move it to the core.
The core will encode the user & password before sending it to the drivers, and here we have two options:

  • Do this for all the auth drivers
  • Define in oned.conf which ones expect the parameters encoded

#3 Updated by Ruben S. Montero almost 5 years ago

  • Status changed from New to Closed
  • Resolution set to fixed

Also available in: Atom PDF