Feature #4411

public auth users are able to modify their passwords from Sunstone

Added by Alvaro Simon over 4 years ago. Updated over 4 years ago.

Status: Closed
Start date: 04/14/2016
Priority: Normal
Due date:
Assignee: Ruben S. Montero
% Done: 100%
Category: Core & System
Target version: Release 5.0.2
Resolution: fixed
Pull request:

Description

Hi

We have detected that users with the "public" authentication mechanism are able to change their passwords from Sunstone. The password for "public" auth is like the "x509" auth pass: it is not a "real" pass, it is used to match the user name within the OpenNebula database and give him/her access to the cloud infrastructure. The behaviour should be the same as for x509 auth: the password should not be changed by the user from the Sunstone view. x509 auth uses the certificate DN, for example, and "public" auth uses "USER@REALM" as password.

The user will not be able to connect again if he/she changes the pass by mistake from the Sunstone view. The workaround is to disable the user configuration settings from cloud.yaml, but this should be handled by the OpenNebula auth mechanism.

Cheers
Alvaro

opennebula_pass.png (55.9 KB) Alvaro Simon, 04/14/2016 12:52 PM

Associated revisions

Revision e8f9de4b
Added by Carlos Martín over 4 years ago

Feature #4411: Disable password change for some auth drivers

Revision d482d967
Added by Ruben S. Montero over 4 years ago

feature #4411: Change AUTH_DRIVER_CONF to AUTH_MAD_CONF. Added defaults
for AUTH_MAD_CONF

Revision 8c466483
Added by Carlos Martín over 4 years ago

Feature #4411: Disable password change for some auth drivers

(cherry picked from commit e8f9de4bb26c7d861429cfecb11790b2ec4316d5)

Revision f2238bde
Added by Ruben S. Montero over 4 years ago

feature #4411: Change AUTH_DRIVER_CONF to AUTH_MAD_CONF. Added defaults
for AUTH_MAD_CONF

(cherry picked from commit d482d967aa991fa1d7234f9b56853a9aaafe9ca1)

History

#1 Updated by Daniel Molina over 4 years ago

  • Assignee deleted (Daniel Molina)

#2 Updated by Ruben S. Montero over 4 years ago

  • Tracker changed from Bug to Backlog
  • Target version set to Release 5.0

So the proposal here is to disable one.user.set_passwd method for users when the auth driver is public???? This can happen at oned level, and only let the admin change the password of a user

Also we could make this a configuration option in oned.conf

#3 Updated by Alvaro Simon over 4 years ago

Hi Ruben

> So the proposal here is to disable one.user.set_passwd method for users when the auth driver is public???? This can happen at oned level, and only let the admin change the password of a user
>
> Also we could make this a configuration option in oned.conf

Yes, something like that. For x509 auth, for example, the users are not able to change their DNs included in the password field (they can click on the button and put any value, but the password value is not changed). For "public" auth it should be the same: we are using the user's realm value as the password, which should be constant and only changed by the admin user.

#4 Updated by Carlos Martín over 4 years ago

  • Category changed from Cloud View to Core & System
  • Target version changed from Release 5.0 to Release 5.2

#5 Updated by Ruben S. Montero over 4 years ago

  • Target version changed from Release 5.2 to Release 5.0.2

#6 Updated by Carlos Martín over 4 years ago

  • % Done changed from 0 to 100

#7 Updated by Carlos Martín over 4 years ago

  • Tracker changed from Backlog to Feature

#8 Updated by Jaime Melis over 4 years ago

  • Assignee set to Ruben S. Montero

Review

#9 Updated by Ruben S. Montero over 4 years ago

  • Status changed from Pending to Closed
  • Resolution set to fixed
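
As an added example (not OpenNebula's code and not part of this ticket), here is a sketch of the behaviour discussed above: a per-driver setting in oned.conf decides whether a user may change their own password, while the admin always can. `PASSWORD_CHANGE` is the attribute oned.conf uses inside `AUTH_MAD_CONF`; the sample configuration is constructed, and `parse_auth_mad_conf`, `may_set_passwd` and the "uid 0 is the admin, no ACLs" rule are assumptions of this example.

```python
import re

# Constructed oned.conf excerpt (sample values, not from a real deployment).
SAMPLE_CONF = '''
AUTH_MAD_CONF = [
    NAME = "core",
    PASSWORD_CHANGE = "YES"
]
AUTH_MAD_CONF = [
    NAME = "public",      # password field holds USER@REALM
    PASSWORD_CHANGE = "NO"
]
AUTH_MAD_CONF = [
    NAME = "x509",        # password field holds the certificate DN
    PASSWORD_CHANGE = "NO"
]
'''

BLOCK_RE = re.compile(r'^\s*AUTH_MAD_CONF\s*=\s*\[(.*?)\]', re.S | re.M)
ATTR_RE = re.compile(r'(\w+)\s*=\s*"([^"]*)"')


def parse_auth_mad_conf(text):
    """Return {driver_name: password_change_allowed} from AUTH_MAD_CONF blocks."""
    text = re.sub(r'#.*', '', text)  # drop comments before matching brackets
    policy = {}
    for body in BLOCK_RE.findall(text):
        attrs = {k.upper(): v for k, v in ATTR_RE.findall(body)}
        if "NAME" in attrs:
            # A block without PASSWORD_CHANGE fails closed in this sketch.
            allowed = attrs.get("PASSWORD_CHANGE", "NO").upper() == "YES"
            policy[attrs["NAME"]] = allowed
    return policy


def may_set_passwd(policy, caller_uid, target_uid, target_driver):
    """Decide whether a one.user.set_passwd-style request is accepted."""
    if caller_uid == 0:              # assumption: uid 0 (oneadmin) is the admin
        return True
    if caller_uid != target_uid:     # simplification: no ACLs, own account only
        return False
    return policy.get(target_driver, False)  # unknown driver: deny


if __name__ == "__main__":
    policy = parse_auth_mad_conf(SAMPLE_CONF)
    for driver in ("core", "public", "x509"):
        print(driver, "self-service:", may_set_passwd(policy, 5, 5, driver))
```

Enforcing the check in the daemon rather than in the web UI means the same answer applies to Sunstone, the CLI and direct XML-RPC callers.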
