Skip to content

Commit

Permalink
F OpenNebula/one#6430: Sunstone review of auth and config (#2973)
Browse files Browse the repository at this point in the history
Signed-off-by: dcarracedo <dcarracedo@opennebula.io>
  • Loading branch information
dcarracedo authored Jul 12, 2024
1 parent 2f296da commit ae2fdb2
Show file tree
Hide file tree
Showing 29 changed files with 49 additions and 73 deletions.
Binary file modified source/images/auth_options_350.png
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.
Binary file removed source/images/fireedge-settings-2fa-app.png
Binary file not shown.
Binary file removed source/images/fireedge-settings-auth.png
Binary file not shown.
Binary file removed source/images/fireedge-template-user-auth.png
Binary file not shown.
Binary file added source/images/ruby_sunstone-settings-2fa-app.png
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.
Binary file added source/images/ruby_sunstone-settings-auth.png
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.
File renamed without changes
Binary file modified source/images/sunstone-settings-2fa-app.png
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.
Binary file modified source/images/sunstone-settings-auth.png
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.
Binary file modified source/images/sunstone-template-user-auth.png
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.
File renamed without changes
File renamed without changes
Original file line number Diff line number Diff line change
Expand Up @@ -11,5 +11,4 @@ Authentication Configuration
SSH Authentication <ssh>
X.509 Authentication <x509>
LDAP Authentication <ldap>
Sunstone Authentication <sunstone>
FireEdge Authentication <fireedge>
Sunstone Authentication <sunstone_auth>
Original file line number Diff line number Diff line change
Expand Up @@ -296,20 +296,14 @@ Each group in OpenNebula can have its :ref:`admins <manage_groups_permissions>`
Enabling LDAP auth in Sunstone
==============================

Update the ``/etc/one/sunstone-server.conf`` ``:auth`` parameter to use ``opennebula``:
Update the ``/etc/one/fireedge-server.conf`` ``:auth`` parameter to use ``opennebula``:

.. code-block:: yaml
:auth: opennebula
Using this method, the credentials provided in the login screen will be sent to the OpenNebula core, and the authentication will be delegated to the OpenNebula auth system using the specified driver for that user. Therefore any OpenNebula auth driver can be used through this method to authenticate the user (e.g. LDAP).

To automatically encode credentials as explained in the :ref:`DN's with special characters <ldap_dn_with_special_characters>` section, also add this parameter to the sunstone configuration:

.. code-block:: yaml
:encode_user_password: true
Multiple LDAP servers: Order vs. Regex Match
============================================

Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -26,13 +26,13 @@ You can choose from the following authentication drivers to access OpenNebula fr

By default, any authentication driver configured to work with OpenNebula can be used out-of-the-box with Sunstone. Additionally you can add a TLS-proxy to secure the Sunstone. See:

- :ref:`Sunstone Authentication <sunstone>`
- :ref:`Sunstone Authentication <sunstone_auth>`

**c) Server Authentication**

This method is designed to delegate the authentication process to high level tools interacting with OpenNebula. You'll be interested in this method if you are developing your own servers.

OpenNebula ships with two GUI servers - :ref:`Sunstone <sunstone>` and :ref:`FireEdge <fireedge_setup>`. When a user interacts with one of them, the server authenticates the request and then forwards the requested operation to the OpenNebula Daemon. The forwarded requests are encrypted using a symmetric key. The following guide shows how to strengthen the security of these requests using X.509 certificates. This is especially relevant if you are running your server in a machine other than the Front-end.
OpenNebula ships with a GUI server - :ref:`Sunstone <fireedge_setup>`. When a user interacts with one of them, the server authenticates the request and then forwards the requested operation to the OpenNebula Daemon. The forwarded requests are encrypted using a symmetric key. The following guide shows how to strengthen the security of these requests using X.509 certificates. This is especially relevant if you are running your server in a machine other than the Front-end.

- :ref:`Cloud Servers Authentication <cloud_auth>`

Expand All @@ -52,11 +52,7 @@ Usable only with API and CLI:

Usable only with Sunstone:

* :ref:`X.509 Authentication <x509_auth>`
* :ref:`Sunstone Authentication <suns_auth>`

Usable only with FireEdge:
* :ref:`FireEdge Authentication <fireedge_auth>`
* :ref:`Sunstone Authentication <sunstone_auth>`

Hypervisor Compatibility
================================================================================
Expand Down
Original file line number Diff line number Diff line change
@@ -1,16 +1,16 @@
.. _fireedge_auth:
.. _sunstone_auth:

=======================
FireEdge Authentication
Sunstone Authentication
=======================

By default, FireEdge works with the default ``core`` authentication method (user and password) although you can configure any authentication mechanism supported by OpenNebula. In this section, you will learn how to enable other authentication.
By default, Sunstone works with the default ``core`` authentication method (user and password) although you can configure any authentication mechanism supported by OpenNebula. In this section, you will learn how to enable other authentication.

* **Web client and FireEdge server**. Authentication is based on the credentials stored in the OpenNebula database for the user. Depending on the type of these credentials the authentication method can be: ``remote``or ``opennebula``
* Authentication is based on the credentials stored in the OpenNebula database for the user. Depending on the type of these credentials the authentication method can be: ``remote``or ``opennebula``

The following sections explain the client-to-FireEdge server authentication methods.
The following sections explain the client to Sunstone server authentication methods.

.. _basic_auth_fireedge:
.. _suntone_basic_auth:

Basic Auth
===========
Expand All @@ -21,7 +21,7 @@ In the basic mode, username and password are matched to those in OpenNebula's da
:auth: opennebula
.. _remote_auth_fireedge:
.. _sunstone_remote_auth:

Remote Auth
===========
Expand Down Expand Up @@ -50,29 +50,29 @@ To enable this login method, set the ``:auth:`` option in ``/etc/one/fireedge-se
The login screen will not display the username and password fields anymore, as all information is fetched from the user certificate:

|fireedge_remote_login|
|sunstone_remote_login|

Note that OpenNebula will not verify that the user holds a valid certificate at the time of login: this is expected to be done by the external container of the FireEdge server (normally Apache), whose job is to tell the user's browser that the site requires a user certificate and to check that the certificate is consistently signed by the chosen Certificate Authority (CA). The setup with Apache/SAML is the more common and tested. However, it can rely on Apache/Nginx for OIDC.
Note that OpenNebula will not verify that the user holds a valid certificate at the time of login: this is expected to be done by the external container of the Sunstone server (normally Apache), whose job is to tell the user's browser that the site requires a user certificate and to check that the certificate is consistently signed by the chosen Certificate Authority (CA). The setup with Apache/SAML is the more common and tested. However, it can rely on Apache/Nginx for OIDC.

.. warning:: The FireEdge authentication only handles the authentication of the user at the time of login. Authentication of the user certificate is a complementary setup, which can rely on Apache.
.. warning:: The Sunstone authentication only handles the authentication of the user at the time of login. Authentication of the user certificate is a complementary setup, which can rely on Apache.

.. _ldap_auth_fireedge:
.. _sunstone_ldap_auth:

LDAP/AD Auth
============

This method performs the OpenNebula login by delegating the authentication on a specific LDAP/AD server or several servers.

No special configuration is needed in FireEdge, the authentication method should be kept as 'opennebula' like in the :ref:`Basic Auth case<remote_auth_fireedge>`. However, this needs to be set up in the OpenNebula core side, to set up the ldap configuration this :ref:`guide <ldap>` needs to be followed.
No special configuration is needed in Sunstone, the authentication method should be kept as 'opennebula' like in the :ref:`Basic Auth case <suntone_basic_auth>`. However, this needs to be set up in the OpenNebula core side, to set up the ldap configuration this :ref:`guide <ldap>` needs to be followed.

.. _2f_auth_fireedge:
.. _sunstone_2f_auth:

Two Factor Authentication
=========================

You can get an additional authentication level by using a two-factor authentication that not only requests the username and password but also the one-time (or pre-generated security) keys generated by an authenticator application.

|fireedge_2fa_auth|
|sunstone_2fa_auth|

Authenticator App
------------------
Expand All @@ -81,27 +81,27 @@ This method requires a token generated by any of these applications: `Google Aut

To enable this, you must follow these steps:

- Log in to FireEdge and select menu **Setting**. Inside, find the section **Two Factor Authentication**.
- Log in to Sunstone and select menu **Settings**. Inside, find the section **Two Factor Authentication**.
- Inside, find and select the button **Register authenticator App**.

|fireedge_setting_auth|
|sunstone_setting_auth|

- Scan the Qr code with the aforementioned apps and enter the verification code.

|fireedge_setting_tfa_app|
|sunstone_setting_tfa_app|

Internally Sunstone adds the field ``TWO_FACTOR_AUTH_SECRET``.

|fireedge_template_user_auth|
|sunstone_template_user_auth|

- To disable 2FA, go to the **Settings**, find the section **Two Factor Authentication** tab and click remove button.

|fireedge_settings_2fa_dissable|
|sunstone_settings_2fa_dissable|


.. |fireedge_remote_login| image:: /images/fireedge_login_remote.png
.. |fireedge_2fa_auth| image:: /images/fireedge_login_2fa.png
.. |fireedge_setting_auth| image:: /images/fireedge-settings-auth.png
.. |fireedge_setting_tfa_app| image:: /images/fireedge-settings-2fa-app.png
.. |fireedge_template_user_auth| image:: /images/fireedge-template-user-auth.png
.. |fireedge_settings_2fa_dissable| image:: /images/fireedge-settings-2fa-dissable.png
.. |sunstone_remote_login| image:: /images/sunstone_login_remote.png
.. |sunstone_2fa_auth| image:: /images/sunstone_login_2fa.png
.. |sunstone_setting_auth| image:: /images/sunstone-settings-auth.png
.. |sunstone_setting_tfa_app| image:: /images/sunstone-settings-2fa-app.png
.. |sunstone_template_user_auth| image:: /images/sunstone-template-user-auth.png
.. |sunstone_settings_2fa_dissable| image:: /images/sunstone-settings-2fa-dissable.png
9 changes: 0 additions & 9 deletions source/installation_and_configuration/authentication/x509.rst
Original file line number Diff line number Diff line change
Expand Up @@ -159,12 +159,3 @@ Follow these steps to change oneadmin's authentication method to ``x509``:
.. prompt:: bash $ auto

$ export ONE_AUTH=/home/oneadmin/.one/one_x509

Enabling x509 in Sunstone
=========================

In ``/etc/one/sunstone-server.conf`` update parameter ``:auth`` to ``x509``:

.. code-block:: yaml
:auth: x509
Original file line number Diff line number Diff line change
Expand Up @@ -41,10 +41,6 @@ Name Type
``/etc/one/onehem-server.conf`` YAML
``/etc/one/packet_driver.default`` Plain file (or XML)
``/etc/one/sched.conf`` oned.conf-like
``/etc/one/sunstone-logos.yaml`` YAML w/ ordered arrays
``/etc/one/sunstone-server.conf`` YAML
``/etc/one/sunstone-views.yaml`` YAML
``/etc/one/sunstone-views/**/*.yaml`` YAML
``/etc/one/tmrc`` Shell
``/etc/one/vcenter_driver.conf`` YAML
``/etc/one/vcenter_driver.default`` Plain file (or XML)
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -88,11 +88,11 @@ Example of multiple patch modes for multiple files:
# onecfg upgrade \
--patch-modes skip:/etc/one/oned.conf \
--patch-modes skip,replace:/etc/one/oned.conf:5.10.0 \
--patch-modes force:/etc/one/sunstone-logos.yaml:5.6.0 \
--patch-modes replace:/etc/one/sunstone-server.conf \
--patch-modes skip:/etc/one/sunstone-views/admin.yaml:5.4.1 \
--patch-modes skip:/etc/one/sunstone-views/admin.yaml:5.4.2 \
--patch-modes skip:/etc/one/sunstone-views/kvm/admin.yaml
--patch-modes force:/etc/one/fireedge/sunstone-views.yaml:5.6.0 \
--patch-modes replace:/etc/one/fireedge-server.conf \
--patch-modes skip:/etc/one/fireedge/sunstone/admin/acl-tab.yaml:5.4.1 \
--patch-modes skip:/etc/one/fireedge/sunstone/admin/vm-tab.yaml:5.4.2 \
--patch-modes skip:/etc/one/fireedge/sunstone/admin/vm-template-tab.yaml

Restore from Backup
===================
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -79,17 +79,16 @@ these paths are valid to address the emphasized parameters:

In the ``oned.conf``-like configurations, some nested structures are unique (e.g., ``DB=[...]`` is just a single database connection configuration) and some can appear several times (e.g., ``VM_MAD=[...]`` configures execution of different drivers for different hypervisors, one section for each driver). In the second case, the nested structure is uniquely addressed by a value of one identifying parameter inside the structure, usually ``NAME``. This value (including the quotes) is placed as part of the path. See path 3 above.

- for the following ``/etc/one/sunstone-server.conf`` snippet
- for the following ``/etc/one/fireedge-server.conf`` snippet

.. code::
# OpenNebula sever contact information
# OpenNebula: use it if you have oned and fireedge on different servers
:one_xmlrpc: http://localhost:2633/RPC2 # path 4
:one_xmlrpc_timeout: 60
these paths are valid to address the emphasized parameter(s):

4. ``:one_xmlrpc`` or ``":one_xmlrpc"``
1. ``:one_xmlrpc`` or ``":one_xmlrpc"``

- for the following ``/etc/one/cli/oneimage.yaml`` snippet

Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -147,4 +147,4 @@ Two Factor Authentication
-------------------------

To use 2FA in Sunstone see the following :ref:`link <2f_auth>`
To use 2FA in FireEdge see the following :ref:`link <2f_auth_fireedge>`
To use 2FA in FireEdge see the following :ref:`link <sunstone_2f_auth>`
1 change: 1 addition & 0 deletions source/legacy_components/ruby_sunstone/index.rst
Original file line number Diff line number Diff line change
Expand Up @@ -13,3 +13,4 @@ Ruby Sunstone
Sunstone Labels <ruby_sunstone_labels>
Sunstone views <ruby_sunstone_views>
Cloud view <ruby_sunstone_cloud_view>
Sunstone Authentication <ruby_sunstone_authentication>
Original file line number Diff line number Diff line change
@@ -1,4 +1,4 @@
.. _suns_auth:
.. _ruby_sunstone_authentication:

=======================
Sunstone Authentication
Expand Down Expand Up @@ -164,10 +164,10 @@ This allows us to use e.g. U2F/FIDO2 authentication keys. In this case, to enabl

|sunstone_settings_2fa_keys|

.. |image0| image:: /images/sunstone_login_x5094.png
.. |sunstone_settings_auth| image:: /images/sunstone-settings-auth.png
.. |sunstone_settings_2fa_app| image:: /images/sunstone-settings-2fa-app.png
.. |sunstone_settings_2fa_keys| image:: /images/sunstone-settings-2fa-keys.png
.. |sunstone_settings_2fa_result| image:: /images/sunstone-settings-2fa-result.png
.. |sunstone_settings_2fa_login| image:: /images/sunstone-settings-2fa-login.png
.. |sunstone_template_user_auth| image:: /images/sunstone-template-user-auth.png
.. |image0| image:: /images/ruby_sunstone_login_x5094.png
.. |sunstone_settings_auth| image:: /images/ruby_sunstone-settings-auth.png
.. |sunstone_settings_2fa_app| image:: /images/ruby_sunstone-settings-2fa-app.png
.. |sunstone_settings_2fa_keys| image:: /images/ruby_sunstone-settings-2fa-keys.png
.. |sunstone_settings_2fa_result| image:: /images/ruby_sunstone-settings-2fa-result.png
.. |sunstone_settings_2fa_login| image:: /images/ruby_sunstone-settings-2fa-login.png
.. |sunstone_template_user_auth| image:: /images/ruby_sunstone-template-user-auth.png
Original file line number Diff line number Diff line change
Expand Up @@ -102,7 +102,7 @@ From this section, users can define multiple configuration options for themselve
- **SSH Private key**: allows the user to specify a private SSH key that they can use when establishing connections with their VMs.
- **SSH Private key passphrase**: if the private SSH key is encrypted, the user must specify the password.
- **Login token**: allows to create a new token for the user.
- **Two Factor Authentication**: allows to register an app to perform :ref:`Two Factor Authentication <2f_auth_fireedge>`.
- **Two Factor Authentication**: allows to register an app to perform :ref:`Two Factor Authentication <sunstone_2f_auth>`.

.. note:: All the configurations set in this section will be in the user template.

Expand Down

0 comments on commit ae2fdb2

Please sign in to comment.