diff --git a/source/images/auth_options_350.png b/source/images/auth_options_350.png index 6f80ce020e..d8fb896e68 100644 Binary files a/source/images/auth_options_350.png and b/source/images/auth_options_350.png differ diff --git a/source/images/fireedge-settings-2fa-app.png b/source/images/fireedge-settings-2fa-app.png deleted file mode 100644 index 7d9fab68f3..0000000000 Binary files a/source/images/fireedge-settings-2fa-app.png and /dev/null differ diff --git a/source/images/fireedge-settings-auth.png b/source/images/fireedge-settings-auth.png deleted file mode 100644 index 6e633559d6..0000000000 Binary files a/source/images/fireedge-settings-auth.png and /dev/null differ diff --git a/source/images/fireedge-template-user-auth.png b/source/images/fireedge-template-user-auth.png deleted file mode 100644 index 9585a63ba3..0000000000 Binary files a/source/images/fireedge-template-user-auth.png and /dev/null differ diff --git a/source/images/ruby_sunstone-settings-2fa-app.png b/source/images/ruby_sunstone-settings-2fa-app.png new file mode 100644 index 0000000000..3f05c4fa73 Binary files /dev/null and b/source/images/ruby_sunstone-settings-2fa-app.png differ diff --git a/source/images/sunstone-settings-2fa-keys.png b/source/images/ruby_sunstone-settings-2fa-keys.png similarity index 100% rename from source/images/sunstone-settings-2fa-keys.png rename to source/images/ruby_sunstone-settings-2fa-keys.png diff --git a/source/images/sunstone-settings-2fa-login.png b/source/images/ruby_sunstone-settings-2fa-login.png similarity index 100% rename from source/images/sunstone-settings-2fa-login.png rename to source/images/ruby_sunstone-settings-2fa-login.png diff --git a/source/images/sunstone-settings-2fa-result.png b/source/images/ruby_sunstone-settings-2fa-result.png similarity index 100% rename from source/images/sunstone-settings-2fa-result.png rename to source/images/ruby_sunstone-settings-2fa-result.png 
diff --git a/source/images/ruby_sunstone-settings-auth.png b/source/images/ruby_sunstone-settings-auth.png new file mode 100644 index 0000000000..877c7d7c33 Binary files /dev/null and b/source/images/ruby_sunstone-settings-auth.png differ diff --git a/source/images/ruby_sunstone-template-user-auth.png b/source/images/ruby_sunstone-template-user-auth.png new file mode 100644 index 0000000000..bd3afcf610 Binary files /dev/null and b/source/images/ruby_sunstone-template-user-auth.png differ diff --git a/source/images/sunstone_login_x5094.png b/source/images/ruby_sunstone_login_x5094.png similarity index 100% rename from source/images/sunstone_login_x5094.png rename to source/images/ruby_sunstone_login_x5094.png diff --git a/source/images/sunstone-settings-2fa-app.png b/source/images/sunstone-settings-2fa-app.png index 3f05c4fa73..7d9fab68f3 100644 Binary files a/source/images/sunstone-settings-2fa-app.png and b/source/images/sunstone-settings-2fa-app.png differ diff --git a/source/images/fireedge-settings-2fa-dissable.png b/source/images/sunstone-settings-2fa-dissable.png similarity index 100% rename from source/images/fireedge-settings-2fa-dissable.png rename to source/images/sunstone-settings-2fa-dissable.png diff --git a/source/images/sunstone-settings-auth.png b/source/images/sunstone-settings-auth.png index 877c7d7c33..0f10041027 100644 Binary files a/source/images/sunstone-settings-auth.png and b/source/images/sunstone-settings-auth.png differ diff --git a/source/images/sunstone-template-user-auth.png b/source/images/sunstone-template-user-auth.png index bd3afcf610..9585a63ba3 100644 Binary files a/source/images/sunstone-template-user-auth.png and b/source/images/sunstone-template-user-auth.png differ diff --git a/source/images/fireedge_login_2fa.png b/source/images/sunstone_login_2fa.png similarity index 100% rename from source/images/fireedge_login_2fa.png rename to source/images/sunstone_login_2fa.png 
diff --git a/source/images/fireedge_login_remote.png b/source/images/sunstone_login_remote.png similarity index 100% rename from source/images/fireedge_login_remote.png rename to source/images/sunstone_login_remote.png diff --git a/source/installation_and_configuration/authentication/index.rst b/source/installation_and_configuration/authentication/index.rst index e6e2fbc357..04d3edb102 100644 --- a/source/installation_and_configuration/authentication/index.rst +++ b/source/installation_and_configuration/authentication/index.rst @@ -11,5 +11,4 @@ Authentication Configuration SSH Authentication X.509 Authentication LDAP Authentication - Sunstone Authentication - FireEdge Authentication + Sunstone Authentication diff --git a/source/installation_and_configuration/authentication/ldap.rst b/source/installation_and_configuration/authentication/ldap.rst index 6cf1ffe4af..4f7514c1c9 100644 --- a/source/installation_and_configuration/authentication/ldap.rst +++ b/source/installation_and_configuration/authentication/ldap.rst @@ -296,7 +296,7 @@ Each group in OpenNebula can have its :ref:`admins ` Enabling LDAP auth in Sunstone ============================== -Update the ``/etc/one/sunstone-server.conf`` ``:auth`` parameter to use ``opennebula``: +Update the ``/etc/one/fireedge-server.conf`` ``:auth`` parameter to use ``opennebula``: .. code-block:: yaml 
@@ -304,12 +304,6 @@ Update the ``/etc/one/sunstone-server.conf`` ``:auth`` parameter to use ``openne Using this method, the credentials provided in the login screen will be sent to the OpenNebula core, and the authentication will be delegated to the OpenNebula auth system using the specified driver for that user. Therefore any OpenNebula auth driver can be used through this method to authenticate the user (e.g. LDAP). -To automatically encode credentials as explained in the :ref:`DN's with special characters ` section, also add this parameter to the sunstone configuration: - -.. code-block:: yaml - - :encode_user_password: true - Multiple LDAP servers: Order vs. Regex Match ============================================ diff --git a/source/installation_and_configuration/authentication/overview.rst b/source/installation_and_configuration/authentication/overview.rst index 749a3bc61c..95fa7f5724 100644 --- a/source/installation_and_configuration/authentication/overview.rst +++ b/source/installation_and_configuration/authentication/overview.rst 
@@ -26,13 +26,13 @@ You can choose from the following authentication drivers to access OpenNebula fr By default, any authentication driver configured to work with OpenNebula can be used out-of-the-box with Sunstone. Additionally you can add a TLS-proxy to secure the Sunstone. See: -- :ref:`Sunstone Authentication ` +- :ref:`Sunstone Authentication ` **c) Server Authentication** This method is designed to delegate the authentication process to high level tools interacting with OpenNebula. You'll be interested in this method if you are developing your own servers. -OpenNebula ships with two GUI servers - :ref:`Sunstone ` and :ref:`FireEdge `. When a user interacts with one of them, the server authenticates the request and then forwards the requested operation to the OpenNebula Daemon. The forwarded requests are encrypted using a symmetric key. The following guide shows how to strengthen the security of these requests using X.509 certificates. This is especially relevant if you are running your server in a machine other than the Front-end. +OpenNebula ships with a GUI server - :ref:`Sunstone `. When a user interacts with one of them, the server authenticates the request and then forwards the requested operation to the OpenNebula Daemon. The forwarded requests are encrypted using a symmetric key. The following guide shows how to strengthen the security of these requests using X.509 certificates. This is especially relevant if you are running your server in a machine other than the Front-end. - :ref:`Cloud Servers Authentication ` @@ -52,11 +52,7 @@ Usable only with API and CLI: Usable only with Sunstone: -* :ref:`X.509 Authentication ` -* :ref:`Sunstone Authentication ` - -Usable only with FireEdge: -* :ref:`FireEdge Authentication ` +* :ref:`Sunstone Authentication ` Hypervisor Compatibility ================================================================================ 
diff --git a/source/installation_and_configuration/authentication/fireedge.rst b/source/installation_and_configuration/authentication/sunstone_auth.rst similarity index 68% rename from source/installation_and_configuration/authentication/fireedge.rst rename to source/installation_and_configuration/authentication/sunstone_auth.rst index 8e07a971c9..d6ea9760b0 100644 --- a/source/installation_and_configuration/authentication/fireedge.rst +++ b/source/installation_and_configuration/authentication/sunstone_auth.rst @@ -1,16 +1,16 @@ -.. _fireedge_auth: +.. _sunstone_auth: ======================= -FireEdge Authentication +Sunstone Authentication ======================= -By default, FireEdge works with the default ``core`` authentication method (user and password) although you can configure any authentication mechanism supported by OpenNebula. In this section, you will learn how to enable other authentication. +By default, Sunstone works with the default ``core`` authentication method (user and password) although you can configure any authentication mechanism supported by OpenNebula. In this section, you will learn how to enable other authentication. -* **Web client and FireEdge server**. Authentication is based on the credentials stored in the OpenNebula database for the user. Depending on the type of these credentials the authentication method can be: ``remote``or ``opennebula`` +* Authentication is based on the credentials stored in the OpenNebula database for the user. Depending on the type of these credentials the authentication method can be: ``remote``or ``opennebula`` -The following sections explain the client-to-FireEdge server authentication methods. +The following sections explain the client to Sunstone server authentication methods. -.. _basic_auth_fireedge: +.. _suntone_basic_auth: Basic Auth =========== 
@@ -21,7 +21,7 @@ In the basic mode, username and password are matched to those in OpenNebula's da :auth: opennebula -.. _remote_auth_fireedge: +.. _sunstone_remote_auth: Remote Auth =========== 
@@ -50,29 +50,29 @@ To enable this login method, set the ``:auth:`` option in ``/etc/one/fireedge-se The login screen will not display the username and password fields anymore, as all information is fetched from the user certificate: -|fireedge_remote_login| +|sunstone_remote_login| -Note that OpenNebula will not verify that the user holds a valid certificate at the time of login: this is expected to be done by the external container of the FireEdge server (normally Apache), whose job is to tell the user's browser that the site requires a user certificate and to check that the certificate is consistently signed by the chosen Certificate Authority (CA). The setup with Apache/SAML is the more common and tested. However, it can rely on Apache/Nginx for OIDC. +Note that OpenNebula will not verify that the user holds a valid certificate at the time of login: this is expected to be done by the external container of the Sunstone server (normally Apache), whose job is to tell the user's browser that the site requires a user certificate and to check that the certificate is consistently signed by the chosen Certificate Authority (CA). The setup with Apache/SAML is the more common and tested. However, it can rely on Apache/Nginx for OIDC. -.. warning:: The FireEdge authentication only handles the authentication of the user at the time of login. Authentication of the user certificate is a complementary setup, which can rely on Apache. +.. warning:: The Sunstone authentication only handles the authentication of the user at the time of login. Authentication of the user certificate is a complementary setup, which can rely on Apache. -.. _ldap_auth_fireedge: +.. _sunstone_ldap_auth: LDAP/AD Auth ============ This method performs the OpenNebula login by delegating the authentication on a specific LDAP/AD server or several servers. -No special configuration is needed in FireEdge, the authentication method should be kept as 'opennebula' like in the :ref:`Basic Auth case`. 
However, this needs to be set up in the OpenNebula core side, to set up the ldap configuration this :ref:`guide ` needs to be followed. +No special configuration is needed in Sunstone, the authentication method should be kept as 'opennebula' like in the :ref:`Basic Auth case `. However, this needs to be set up in the OpenNebula core side, to set up the ldap configuration this :ref:`guide ` needs to be followed. -.. _2f_auth_fireedge: +.. _sunstone_2f_auth: Two Factor Authentication ========================= You can get an additional authentication level by using a two-factor authentication that not only requests the username and password but also the one-time (or pre-generated security) keys generated by an authenticator application. -|fireedge_2fa_auth| +|sunstone_2fa_auth| Authenticator App ------------------ 
@@ -81,27 +81,27 @@ This method requires a token generated by any of these applications: `Google Aut To enable this, you must follow these steps: -- Log in to FireEdge and select menu **Setting**. Inside, find the section **Two Factor Authentication**. +- Log in to Sunstone and select menu **Settings**. Inside, find the section **Two Factor Authentication**. - Inside, find and select the button **Register authenticator App**. -|fireedge_setting_auth| +|sunstone_setting_auth| - Scan the Qr code with the aforementioned apps and enter the verification code. -|fireedge_setting_tfa_app| +|sunstone_setting_tfa_app| Internally Sunstone adds the field ``TWO_FACTOR_AUTH_SECRET``. -|fireedge_template_user_auth| +|sunstone_template_user_auth| - To disable 2FA, go to the **Settings**, find the section **Two Factor Authentication** tab and click remove button. -|fireedge_settings_2fa_dissable| +|sunstone_settings_2fa_dissable| -.. |fireedge_remote_login| image:: /images/fireedge_login_remote.png -.. |fireedge_2fa_auth| image:: /images/fireedge_login_2fa.png -.. |fireedge_setting_auth| image:: /images/fireedge-settings-auth.png -.. |fireedge_setting_tfa_app| image:: /images/fireedge-settings-2fa-app.png -.. |fireedge_template_user_auth| image:: /images/fireedge-template-user-auth.png -.. |fireedge_settings_2fa_dissable| image:: /images/fireedge-settings-2fa-dissable.png +.. |sunstone_remote_login| image:: /images/sunstone_login_remote.png +.. |sunstone_2fa_auth| image:: /images/sunstone_login_2fa.png +.. |sunstone_setting_auth| image:: /images/sunstone-settings-auth.png +.. |sunstone_setting_tfa_app| image:: /images/sunstone-settings-2fa-app.png +.. |sunstone_template_user_auth| image:: /images/sunstone-template-user-auth.png +.. |sunstone_settings_2fa_dissable| image:: /images/sunstone-settings-2fa-dissable.png 
diff --git a/source/installation_and_configuration/authentication/x509.rst b/source/installation_and_configuration/authentication/x509.rst index 029b09c61f..466fcfa5f8 100644 --- a/source/installation_and_configuration/authentication/x509.rst +++ b/source/installation_and_configuration/authentication/x509.rst @@ -159,12 +159,3 @@ Follow these steps to change oneadmin's authentication method to ``x509``: .. prompt:: bash $ auto $ export ONE_AUTH=/home/oneadmin/.one/one_x509 - -Enabling x509 in Sunstone -========================= - -In ``/etc/one/sunstone-server.conf`` update parameter ``:auth`` to ``x509``: - -.. code-block:: yaml - - :auth: x509 diff --git a/source/installation_and_configuration/configuration_management/appendix.rst b/source/installation_and_configuration/configuration_management/appendix.rst index 6807204810..550f965724 100644 --- a/source/installation_and_configuration/configuration_management/appendix.rst +++ b/source/installation_and_configuration/configuration_management/appendix.rst @@ -41,10 +41,6 @@ Name Type ``/etc/one/onehem-server.conf`` YAML ``/etc/one/packet_driver.default`` Plain file (or XML) ``/etc/one/sched.conf`` oned.conf-like -``/etc/one/sunstone-logos.yaml`` YAML w/ ordered arrays -``/etc/one/sunstone-server.conf`` YAML -``/etc/one/sunstone-views.yaml`` YAML -``/etc/one/sunstone-views/**/*.yaml`` YAML ``/etc/one/tmrc`` Shell ``/etc/one/vcenter_driver.conf`` YAML ``/etc/one/vcenter_driver.default`` Plain file (or XML) diff --git a/source/installation_and_configuration/configuration_management/conflicts.rst b/source/installation_and_configuration/configuration_management/conflicts.rst index 9bd30e1585..5634ea775e 100644 --- a/source/installation_and_configuration/configuration_management/conflicts.rst +++ b/source/installation_and_configuration/configuration_management/conflicts.rst 
@@ -88,11 +88,11 @@ Example of multiple patch modes for multiple files: # onecfg upgrade \ --patch-modes skip:/etc/one/oned.conf \ --patch-modes skip,replace:/etc/one/oned.conf:5.10.0 \ - --patch-modes force:/etc/one/sunstone-logos.yaml:5.6.0 \ - --patch-modes replace:/etc/one/sunstone-server.conf \ - --patch-modes skip:/etc/one/sunstone-views/admin.yaml:5.4.1 \ - --patch-modes skip:/etc/one/sunstone-views/admin.yaml:5.4.2 \ - --patch-modes skip:/etc/one/sunstone-views/kvm/admin.yaml + --patch-modes force:/etc/one/fireedge/sunstone-views.yaml:5.6.0 \ + --patch-modes replace:/etc/one/fireedge-server.conf \ + --patch-modes skip:/etc/one/fireedge/sunstone/admin/acl-tab.yaml:5.4.1 \ + --patch-modes skip:/etc/one/fireedge/sunstone/admin/vm-tab.yaml:5.4.2 \ + --patch-modes skip:/etc/one/fireedge/sunstone/admin/vm-template-tab.yaml Restore from Backup =================== diff --git a/source/installation_and_configuration/configuration_management/diff_formats.rst b/source/installation_and_configuration/configuration_management/diff_formats.rst index f48366b8a7..6e72c2e6b9 100644 --- a/source/installation_and_configuration/configuration_management/diff_formats.rst +++ b/source/installation_and_configuration/configuration_management/diff_formats.rst 
@@ -79,17 +79,16 @@ these paths are valid to address the emphasized parameters: In the ``oned.conf``-like configurations, some nested structures are unique (e.g., ``DB=[...]`` is just a single database connection configuration) and some can appear several times (e.g., ``VM_MAD=[...]`` configures execution of different drivers for different hypervisors, one section for each driver). In the second case, the nested structure is uniquely addressed by a value of one identifying parameter inside the structure, usually ``NAME``. This value (including the quotes) is placed as part of the path. See path 3 above. -- for the following ``/etc/one/sunstone-server.conf`` snippet +- for the following ``/etc/one/fireedge-server.conf`` snippet .. code:: - # OpenNebula sever contact information + # OpenNebula: use it if you have oned and fireedge on different servers :one_xmlrpc: http://localhost:2633/RPC2 # path 4 - :one_xmlrpc_timeout: 60 these paths are valid to address the emphasized parameter(s): - 4. ``:one_xmlrpc`` or ``":one_xmlrpc"`` + 1. ``:one_xmlrpc`` or ``":one_xmlrpc"`` - for the following ``/etc/one/cli/oneimage.yaml`` snippet diff --git a/source/integration_and_development/references/cloud_auth.rst b/source/integration_and_development/references/cloud_auth.rst index 91951073ec..af252e74bf 100644 --- a/source/integration_and_development/references/cloud_auth.rst +++ b/source/integration_and_development/references/cloud_auth.rst @@ -147,4 +147,4 @@ Two Factor Authentication ------------------------- To use 2FA in Sunstone see the following :ref:`link <2f_auth>` -To use 2FA in FireEdge see the following :ref:`link <2f_auth_fireedge>` +To use 2FA in FireEdge see the following :ref:`link ` diff --git a/source/legacy_components/ruby_sunstone/index.rst b/source/legacy_components/ruby_sunstone/index.rst index 47cff1a4c0..f57cc5ac0a 100644 --- a/source/legacy_components/ruby_sunstone/index.rst +++ b/source/legacy_components/ruby_sunstone/index.rst 
@@ -13,3 +13,4 @@ Ruby Sunstone Sunstone Labels Sunstone views Cloud view + Sunstone Authentication diff --git a/source/installation_and_configuration/authentication/sunstone.rst b/source/legacy_components/ruby_sunstone/ruby_sunstone_authentication.rst similarity index 94% rename from source/installation_and_configuration/authentication/sunstone.rst rename to source/legacy_components/ruby_sunstone/ruby_sunstone_authentication.rst index 90d5108b74..b0b9210058 100644 --- a/source/installation_and_configuration/authentication/sunstone.rst +++ b/source/legacy_components/ruby_sunstone/ruby_sunstone_authentication.rst @@ -1,4 +1,4 @@ -.. _suns_auth: +.. _ruby_sunstone_authentication: ======================= Sunstone Authentication @@ -164,10 +164,10 @@ This allows us to use e.g. U2F/FIDO2 authentication keys. In this case, to enabl |sunstone_settings_2fa_keys| -.. |image0| image:: /images/sunstone_login_x5094.png -.. |sunstone_settings_auth| image:: /images/sunstone-settings-auth.png -.. |sunstone_settings_2fa_app| image:: /images/sunstone-settings-2fa-app.png -.. |sunstone_settings_2fa_keys| image:: /images/sunstone-settings-2fa-keys.png -.. |sunstone_settings_2fa_result| image:: /images/sunstone-settings-2fa-result.png -.. |sunstone_settings_2fa_login| image:: /images/sunstone-settings-2fa-login.png -.. |sunstone_template_user_auth| image:: /images/sunstone-template-user-auth.png +.. |image0| image:: /images/ruby_sunstone_login_x5094.png +.. |sunstone_settings_auth| image:: /images/ruby_sunstone-settings-auth.png +.. |sunstone_settings_2fa_app| image:: /images/ruby_sunstone-settings-2fa-app.png +.. |sunstone_settings_2fa_keys| image:: /images/ruby_sunstone-settings-2fa-keys.png +.. |sunstone_settings_2fa_result| image:: /images/ruby_sunstone-settings-2fa-result.png +.. |sunstone_settings_2fa_login| image:: /images/ruby_sunstone-settings-2fa-login.png +.. |sunstone_template_user_auth| image:: /images/ruby_sunstone-template-user-auth.png 
diff --git a/source/management_and_operations/end-user_web_interfaces/fireedge_sunstone.rst b/source/management_and_operations/end-user_web_interfaces/fireedge_sunstone.rst index a1a0dde247..2ccfe1b919 100644 --- a/source/management_and_operations/end-user_web_interfaces/fireedge_sunstone.rst +++ b/source/management_and_operations/end-user_web_interfaces/fireedge_sunstone.rst @@ -102,7 +102,7 @@ From this section, users can define multiple configuration options for themselve - **SSH Private key**: allows the user to specify a private SSH key that they can use when establishing connections with their VMs. - **SSH Private key passphrase**: if the private SSH key is encrypted, the user must specify the password. - **Login token**: allows to create a new token for the user. -- **Two Factor Authentication**: allows to register an app to perform :ref:`Two Factor Authentication <2f_auth_fireedge>`. +- **Two Factor Authentication**: allows to register an app to perform :ref:`Two Factor Authentication `. .. note:: All the configurations set in this section will be in the user template.
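Review bot: in overview.rst under "c) Server Authentication", the new sentence names a single GUI server, but the sentence after it still reads "When a user interacts with one of them". Suggest "When a user interacts with it" so the paragraph matches the one-server wording.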
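Review bot: in ldap.rst, the second hunk under "Enabling LDAP auth in Sunstone" deletes the ``:encode_user_password: true`` paragraph with no replacement, so the page no longer says how logins configured through ``/etc/one/fireedge-server.conf`` relate to the "DN's with special characters" case. If the encoding step is no longer needed, say so in one sentence; if an equivalent setting exists, document it here.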
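Review bot: in sunstone_auth.rst the new label above "Basic Auth" is spelled ``suntone_basic_auth``, while every other label added in this file uses the ``sunstone_`` prefix (``sunstone_remote_auth``, ``sunstone_ldap_auth``, ``sunstone_2f_auth``). Rename it to ``sunstone_basic_auth`` and check that the "Basic Auth case" reference in the LDAP/AD section resolves to it. In the same hunk, the rewritten bullet keeps ``remote``or with no space after the closing backticks, which will not render as the intended inline literal; add the space.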
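Review bot: in sunstone_auth.rst, Remote Auth section, the reworded warning says authentication of the user certificate is a complementary setup "which can rely on Apache", yet the paragraph just above states that OpenNebula does not verify the certificate at login and expects the external container to do it. "Can" reads as optional; suggest stating that the front-end web server must perform the certificate check whenever this login method is enabled.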
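Review bot: in sunstone_auth.rst, Authenticator App steps, the misspelling "dissable" is carried into the new substitution ``|sunstone_settings_2fa_dissable|`` and the renamed image ``sunstone-settings-2fa-dissable.png``. Both are being renamed in this patch anyway, so use "disable" in the substitution name and the file name.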
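Review bot: in x509.rst the "Enabling x509 in Sunstone" section is removed without a pointer to where certificate-based login for the web interface is now documented. If the Remote Auth section of sunstone_auth.rst replaces it, add a short cross-reference to ``sunstone_remote_auth`` at the end of this page so readers who had ``:auth: x509`` configured know where to look.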
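Review bot: in conflicts.rst, the old ``onecfg upgrade`` example listed ``sunstone-views/admin.yaml`` twice, with ``:5.4.1`` and ``:5.4.2``, which showed two versions given for one file; the replacement lines use ``acl-tab.yaml:5.4.1`` and ``vm-tab.yaml:5.4.2``, so that case is no longer demonstrated. Keep the same file on both lines, and check that the version suffixes carried over unchanged (5.6.0, 5.4.1, 5.4.2) are releases in which the ``/etc/one/fireedge/`` files exist.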
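Review bot: in diff_formats.rst the list item is renumbered from "4." to "1.", but the snippet line above it still carries the comment ``# path 4`` and the preceding paragraph refers to "path 3 above". Keep the item as 4 so the numbering matches the snippet and the earlier paths.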
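Review bot: in cloud_auth.rst the changed line still reads "To use 2FA in FireEdge" although this patch renames FireEdge Authentication to Sunstone Authentication, and the unchanged line above it already says "To use 2FA in Sunstone" for the ``2f_auth`` target. Reword the pair so that each sentence names the interface its link points to after the move.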
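Review bot: in ruby_sunstone_authentication.rst only the label changes to ``ruby_sunstone_authentication``; the page title stays "Sunstone Authentication", the same title the renamed sunstone_auth.rst now uses, and the toctree entry added in ruby_sunstone/index.rst repeats it. Retitle this page "Ruby Sunstone Authentication" so the two pages can be told apart in navigation and search.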