Bug #485

OpenNebula crashes if username containing space is used when an authorization module is active

Added by Charles Loomis over 10 years ago. Updated almost 10 years ago.

Status:ClosedStart date:02/16/2011
Priority:NormalDue date:
Assignee:-% Done:

0%

Category:Drivers - Auth
Target version:Release 3.0
Resolution:fixed Pull request:
Affected Versions:

Description

The authorization module appears to hang when given a user name which contains spaces, eventually causing the OpenNebula daemon to die. Such usernames are common when using certificates where the DN serves as the username, e.g. "CN=Charles Loomis,OU=LAL,O=CNRS,C=FR,O=GRID-FR".

This appears to happen when a message returned from the authorization module at the end of the authentication phase:

send_message('AUTHENTICATE', RESULT[:success], 
request_id, "#{user} #{token}")

Everything's fine if "user" doesn't contain a space, otherwise the daemon appears to hang (and then die) waiting for an answer.

[StratusLab Jira: STRATUSLAB-363]


Related issues

Related to Bug #797: The core should check that new passwords do not contain s... Closed 09/06/2011

Associated revisions

Revision 59e72d93
Added by Ruben S. Montero almost 10 years ago

Bug #485: Moves passwd checks to user allocate. Driver responses are now better parsed, user creation fails if it contains spaces in passwd.

Revision cb4dc712
Added by Ruben S. Montero almost 10 years ago

Bug #485: Moves passwd checks to user allocate. Driver responses are now better parsed, user creation fails if it contains spaces in passwd.
(cherry picked from commit 59e72d93a4979ad81dac8202ecf516e414213569)

Revision f2a45ed1
Added by Carlos Martín almost 10 years ago

Bugs #797, #485: Add invalid character checks to user names, add invalid char ':'

Revision 55607fea
Added by Carlos Martín almost 10 years ago

Bugs #797, #485: Add invalid character checks to user names, add invalid char ':'
(cherry picked from commit f2a45ed13988a6f00fb42c878d5414610da978ee)

History

#1 Updated by Javi Fontan over 10 years ago

  • Category set to Core & System

Escaping the spaces is a solution or you need the user to have the spaces?

#2 Updated by Charles Loomis over 10 years ago

If they are escaped internally in such a way that the username is unambiguous then it should be fine. It would have to be done in such a way that another user couldn't have the escaped DN as a valid DN. For example, just changing " " to "_" (or any other character) isn't sufficient because someone else could request the DN with the substitute character.

#3 Updated by Ruben S. Montero about 10 years ago

  • Target version set to Release 3.0

#4 Updated by Ruben S. Montero about 10 years ago

  • Category changed from Core & System to Drivers - Auth
  • Assignee set to Javi Fontan

#5 Updated by Ruben S. Montero almost 10 years ago

  • Assignee deleted (Javi Fontan)

#6 Updated by Ruben S. Montero almost 10 years ago

  • Status changed from New to Closed
  • Resolution set to fixed

This is now fixed in master and in one-3.0 branch. OpenNebula rejects passwd's with blancks. Log message is in oned.conf if a driver tries to create a user with spaces in the password.

Also available in: Atom PDF