Bug #847

Users using x509 certificates can't have certain characters in their DN

Added by Carlos Martín almost 10 years ago. Updated about 6 years ago.

Status: Closed
Start date:
Priority: Normal
Due date:
Assignee: -
% Done: 100%
Category: Core & System
Target version: Release 3.2 - S0
Resolution: fixed
Pull request:
Affected Versions: OpenNebula 3.0

Description

Currently there are some limitations in the x509 authentication:

  • The certificate DN can't contain the ":" character, due to the internal protocol between the core and the authentication driver.
  • If the certificate contains some special characters, like "á", they are not processed correctly and the authentication fails.

Subtasks

Feature #894: Add update template method to User resource and Vnet (Closed, Ruben S. Montero)

Feature #909: Review Ozones user creation, with the new API call (Closed, Hector Sanjuan)

Feature #895: Clean-up resource templates for images, vnets (Closed, Ruben S. Montero)

Feature #888: User authentication driver should be choose by the admin. (Closed, Ruben S. Montero)

Feature #910: Update Auth protocol to send driver and password in diffe... (Closed, Ruben S. Montero)

Feature #912: Add auth driver to the create dialog for users (core, ssh... (Closed, Hector Sanjuan)

Feature #913: Update unit tests for OpenNebula core (Closed, Ruben S. Montero)

Feature #928: Include support for ':' in passwords. Username can not in... (Closed, Carlos Martín)

Feature #918: Add method to change the authentication driver for Users (Closed, Carlos Martín)

Feature #902: Add custom template attributes to the Image and Vnet crea... (Closed, Hector Sanjuan)

Feature #899: Add JAVA - OCA methods for update user and vnet templates (Closed, Carlos Martín)

Feature #901: Include TEMPLATE for User resource in onedb. AUTH_DRIVER ... (Closed, Carlos Martín)

Feature #929: Include expiration time for user authentication sessions.... (Closed, Carlos Martín)

Feature #911: Do not hash password in OCA Clients, Sunstone, OCCI and O... (Closed, Daniel Molina)

Feature #931: Update CloudAuth classes to use new server drivers (Closed, Ruben S. Montero)

Feature #930: Create a server based driver using $ONE_AUTH to encrypt t... (Closed, Ruben S. Montero)

Feature #889: Improve X509 cert chain management. Use '|' to separate D... (Closed, Daniel Molina)

Feature #900: Refactor update dialogs for image, vnet & user resources (Closed, Hector Sanjuan)

Associated revisions

Revision fd5fc63d
Added by Ruben S. Montero over 9 years ago

bug #847: Implements update method for VirtualNetworks in OpenNebula core

Revision 1a410d85
Added by Ruben S. Montero over 9 years ago

bug #847: New methods for OCA and onevnet option

Revision b94dd94f
Added by Ruben S. Montero over 9 years ago

bug #847: Adds template to Users to store metadata. Added OCA (ruby) methods and command option

Revision 3ece4999
Added by Ruben S. Montero over 9 years ago

bug #847: Prints the template information for the user

Revision d27d9944
Added by Ruben S. Montero over 9 years ago

bug #847: User load fails if there is no template. Needs a proper onedb update method.

Revision 6c55f347
Added by Ruben S. Montero over 9 years ago

bug #847: Added method to get & erase an attribute. Cleaned up prototypes

Revision 83562487
Added by Ruben S. Montero over 9 years ago

bug #847: changes the prototype of mkfs function in Image Driver

Revision 1d9d1bd7
Added by Ruben S. Montero over 9 years ago

bug #847: Fix constness for erase method in PoolObjectSQL. Better check in template erase

Revision 21b1303c
Added by Ruben S. Montero over 9 years ago

bug #847: Removes core attributes from VirtualNetwork template, so it only stores vnet metadata after creation

Revision 7683ba89
Added by Ruben S. Montero over 9 years ago

bug #847: Cleans image templates so only metadata is left. Adds path and fstype to image attributes for reference

Revision cbf64ecf
Added by Ruben S. Montero over 9 years ago

bug #847: Auth drivers are set in OpenNebula core. Login tokens do not include the driver, so the hash logic needs update, see #911

Revision fcb352d0
Added by Ruben S. Montero over 9 years ago

bug #847: Tokens are never sha1_digested. Core authentication mechanism stores the passwords digested, client sends plain passwords. Includes OCA (Ruby), CloudAuth and CLI updates. Ozones needs to redesign its password storage strategy.

Revision 054531ad
Added by Ruben S. Montero over 9 years ago

bug #847: Unneeded configuration option for sunstone removed.

Revision 605d580c
Added by Ruben S. Montero over 9 years ago

bug #847: The authentication driver is now not encoded as part of the secret. The base auth driver has been updated to deal with this new protocol

Revision 07321ac3
Added by Ruben S. Montero over 9 years ago

bug #847: Updated login tokens for auth drivers

Revision 07c82369
Added by Ruben S. Montero over 9 years ago

bug #847 - #913: Fixes AuthManager tests

Revision 7052b887
Added by Ruben S. Montero over 9 years ago

bug #847 - #913: Fixes unit tests for User

Revision 5407e589
Added by Ruben S. Montero over 9 years ago

bug #847 - #913: Fixes Images Unit Tests.

Revision e2f2c25e
Added by Ruben S. Montero over 9 years ago

bug #847 - #913: Fixes Network tests and some core bugs

Revision d2e781cd
Added by Carlos Martín over 9 years ago

Bug #847 - #918: Add method to change user auth driver in core, ruby oca and CLI

Revision 8d356a58
Added by Carlos Martín over 9 years ago

Bug #847: Add the auth driver column to oneuser list output

Revision 6b436902
Added by Carlos Martín over 9 years ago

Bug #847 - #911: Java OCA client does not hash the password, add new driver parameter for one.user.allocate

Revision 64bd8832
Added by Carlos Martín over 9 years ago

Bug #847 - #918: Add chauth method in Java OCA

Revision c42364d9
Added by Carlos Martín over 9 years ago

Bug #847 - #899: Add user and vnet update methods to Java OCA

Revision 34359e7a
Added by Carlos Martín over 9 years ago

Bug #847 - #901: onedb migrator adds USER TEMPLATE & AUTH_DRIVER, IMAGE FSTYPE & PATH.

Revision 92b05d59
Added by Carlos Martín over 9 years ago

Bug #847: Update the scheduler client, it does not hash the password

Revision b8ab2256
Added by Carlos Martín over 9 years ago

Bug #847 - #928: The character ':' is now allowed in passwords

Revision 0ff52248
Added by Carlos Martín over 9 years ago

Bug #847 - #929: Include authentication session expiration time

Revision 30734a57
Added by Carlos Martín over 9 years ago

Bug #847 - #929: Add session expiration time in oned.conf

Revision 319e170e
Added by Carlos Martín over 9 years ago

Bug #847: Add new ACL operation to change the user auth driver. TODO: update Sunstone acl tab

Revision 303d17b2
Added by Carlos Martín over 9 years ago

Bug #847 - #918: Add password to one.user.chauth method, this way the driver and the auth driver are changed atomically

Revision 86c12732
Added by Carlos Martín over 9 years ago

Bug #847: Perform sha1 for new passwords if the core driver is used

Revision 60e23019
Added by Ruben S. Montero over 9 years ago

bug #847: Fixes tests for session cache

Revision 26a6c633
Added by Ruben S. Montero over 9 years ago

bug #847: Added driver option to examples in command help

Revision 3a2cbc22
Added by Ruben S. Montero over 9 years ago

bug #847: This commit includes several changes to the auth mechanism:
1.- Simplified auth methods for UserPool
2.- Added special SERVER_AUTH method for sudo'ing
3.- Added special PUBLIC_AUTH method for only-public interface users
4.- Added special driver name ("default") to authenticate unknown users

Revision 2ded9cec
Added by Ruben S. Montero over 9 years ago

bug #847: Added a new server method based on OpenSSL symmetric ciphers

Revision 7a44026d
Added by Ruben S. Montero over 9 years ago

bug #847: Get rid of unneeded constructor in AuthRequest

Revision f77771d5
Added by Carlos Martín over 9 years ago

Bug #847: Allow to change the auth driver only in one.user.chauth

Revision e573289f
Added by Ruben S. Montero over 9 years ago

bug #847: Renamed server to server_x509, also ServerAuth is now ServerX509Auth to be coherent with the new server classes. Configuration file also changed to server_x509_auth.conf

Revision 0bd23e33
Added by Carlos Martín over 9 years ago

Bug #847: Change the expected session token for server users to allow session caching

Revision 37b180df
Added by Ruben S. Montero over 9 years ago

bug #847: New password method for Auth drivers. oneuser command update to make use of it

Revision 5486def3
Added by Ruben S. Montero over 9 years ago

bug #847: Removed unneeded access to public key in SshAuth class

Revision 41c13d59
Added by Ruben S. Montero over 9 years ago

bug #847: Removed dependency for user/passwd access in server_cipher driver. The ServerCipherAuth can now be instantiated in driver and client modes

Revision dd2e3fd7
Added by Ruben S. Montero over 9 years ago

bug #847: Make drivers with name matching server* a server driver

Revision 9d4a0687
Added by Ruben S. Montero over 9 years ago

bug #847: Missing header file for fnmatch

Revision 3ce6c2fc
Added by Ruben S. Montero over 9 years ago

bug #847: Change token to be sent to the driver. The target user is not included as part of the token

Revision 5a94d09f
Added by Ruben S. Montero over 9 years ago

bug #847: Updated oned.conf with new auth methods

Revision 5ff614d5
Added by Daniel Molina over 9 years ago

bug #847: Add timestamp generation to Cloud Servers

Revision 4f8a1c2f
Added by Ruben S. Montero over 9 years ago

bug #847: Added Sunstone Authorization. Updated server classes

Revision 0e822f40
Added by Ruben S. Montero over 9 years ago

bug #847: Fixes minor bugs in sunstone-server

Revision bb4911a5
Added by Ruben S. Montero over 9 years ago

bug #847: OCCI Server update to new Auth framework

Revision 198c60b6
Added by Ruben S. Montero over 9 years ago

bug #847: Update EC2Query for the new auth framework

Revision cd125c5b
Added by Carlos Martín over 9 years ago

Bug #847: Guess the driver to use in 'oneuser create' from the authentication option

Revision 4da3123d
Added by Ruben S. Montero over 9 years ago

bug #847: Update method to get server credentials from etc files

Revision c7584ad6
Added by Carlos Martín over 9 years ago

Bug #847: Automatically create at bootstrap new user serveradmin with server_cipher driver.

Revision 898750a7
Added by Ruben S. Montero over 9 years ago

bug #847: Adds option to filter public users in CloudAuth. Fixes paths for auth's files

Revision 20b67c6e
Added by Ruben S. Montero over 9 years ago

bug #847: Login files are created with 0600 permissions

Revision 06a0cdb3
Added by Ruben S. Montero over 9 years ago

bug #847: Login files are created with 0600 permissions
(cherry picked from commit 20b67c6e5983a3d9cd5acfc9c6d407778179af93)

Revision 24350486
Added by Daniel Molina over 9 years ago

bug #847: Add sha1 option and driver helpers

Revision 84d42493
Added by Daniel Molina over 9 years ago

bug #847: Add driver option

Revision b69340c9
Added by Carlos Martín over 9 years ago

Bug #847: Create new configuration files for serveradmin user, create a random password for it

Revision c27b3ad0
Added by Daniel Molina over 9 years ago

bug #847: Update server_x509_auth to the new token system

Revision 7ab03f0e
Added by Daniel Molina over 9 years ago

bug #847: Update EC2_AUTH and OCCI_AUTH location

Revision 052be612
Added by Daniel Molina over 9 years ago

bug #847: Fix server_x509_auth user definition

Revision bb952018
Added by Ruben S. Montero over 9 years ago

bug #847: Create auth files with 0600 permissions. Refactors UserPool constructor

Revision e416eef1
Added by Ruben S. Montero over 9 years ago

bug #847: Removed stderr messages. IO for File

Revision dfa63790
Added by Carlos Martín over 9 years ago

Bug #847: Change authentication conf files for serveradmin to VAR_LOCATION/.one

Revision d80d8128
Added by Daniel Molina over 9 years ago

bug #847: Refactor X509CloudAuth

Revision 26e313a1
Added by Daniel Molina over 9 years ago

bug #847: Delete spaces from password, if x509 driver

Revision f9f20fc9
Added by Daniel Molina over 9 years ago

bug #847: Fix EC2 signature version 1

History

#1 Updated by Ruben S. Montero almost 10 years ago

  • Target version changed from Release 3.4 to Release 3.2 - S0

#2 Updated by Ruben S. Montero over 9 years ago

  • Status changed from New to Closed
  • Resolution set to fixed
