Auth Module 2.2

The authentication and authorization module (auth module) is designed so it can be easily modified or completely replaced. In this guide we will learn how to modify the auth module so you can add new authorization methods or tune it to your needs.

Adding Authentication System

The default auth module comes with two authorization systems, simple and ssh. Authorization systems are classes that define a method called auth. This method is called each time OpenNebula needs to authenticate a user. Both of these authorization classes reside in $ONE_LOCATION/lib/ruby and are called simple_auth.rb and ssh_auth.rb. To illustrate how they work we will use the simple authorization system. Here is the code for it:

# Password authentication module. This one just compares the stored password
# with the token sent by the client.
class SimpleAuth
    # Method called by the authentication driver. It should answer true if
    # successful or a string with the error message on failure. All
    # parameters are strings extracted from the authorization message.
    #
    # * user_id: OpenNebula user identifier
    # * user: user name
    # * password: password stored in the OpenNebula database
    # * token: password sent by the client trying to connect
    def auth(user_id, user, password, token)
        # The token '-' is never accepted, even if it matched the stored value.
        auth = (password == token)
        auth = "Invalid credentials" if auth != true or token == '-'
        auth
    end
end

To create a new authorization system you will need to create a class similar to this one. Its name must follow the pattern <Name>Auth, with Name capitalized, so that it can be easily selected in the configuration file.

The file where you define the new authorization class should be required by one_auth_mad.rb ($ONE_LOCATION/lib/mads) and be stored in a directory on the Ruby load path, such as $ONE_LOCATION/lib/ruby.
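As an added example of a new authorization system built on the contract above (this is not code shipped with OpenNebula 2.2, and the class name HashedAuth, the helper methods and the stored-password layout are all assumptions), here is a class that keeps a salted SHA-256 digest in the password field instead of the clear-text password, so a copied database does not directly reveal user passwords. The client still sends the clear-text password as the token, exactly as with SimpleAuth, and the auth method returns true or an error string in the same way:

```ruby
require 'digest'
require 'securerandom'

# Example authentication system (added illustration, not part of OpenNebula).
# Follows the <Name>Auth contract: a class whose name ends in "Auth" with an
# auth(user_id, user, password, token) method returning true or an error string.
#
# Assumption: the password column stores "salt:sha256hex", as produced by
# HashedAuth.encode, rather than the clear-text password.
class HashedAuth
  # Build the stored form of a password: a random salt and the hex SHA-256 of
  # salt + clear-text password. A fixed salt may be passed for reproducibility.
  def self.encode(clear_password, salt = nil)
    salt ||= SecureRandom.hex(8)
    "#{salt}:#{Digest::SHA256.hexdigest(salt + clear_password)}"
  end

  # Constant-time comparison of two strings so the time taken does not depend
  # on how many leading bytes matched.
  def self.secure_equal?(a, b)
    return false unless a.bytesize == b.bytesize
    a.bytes.zip(b.bytes).inject(0) { |acc, (x, y)| acc | (x ^ y) } == 0
  end

  # Called by the authentication driver; all parameters are strings.
  def auth(user_id, user, password, token)
    # '-' means no usable password was sent, mirroring SimpleAuth.
    return "Invalid credentials" if token.nil? || token == '-'

    salt, digest = password.to_s.split(':', 2)
    # A stored value that is not in salt:digest form can never match.
    return "Invalid credentials" if salt.nil? || digest.nil?

    candidate = Digest::SHA256.hexdigest(salt + token)
    HashedAuth.secure_equal?(candidate, digest) ? true : "Invalid credentials"
  end
end
```

To wire it in, the file would be required from one_auth_mad.rb and placed under $ONE_LOCATION/lib/ruby like simple_auth.rb; the stored value for each user is produced with HashedAuth.encode when the user is created.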

Tweaking Permissions

When OpenNebula is asked by a user to do something with one of its objects, an authorization message is generated with a series of tokens describing the objects and the type of actions that will be performed. For an authorization message to be successful the user needs to have permission to perform all the actions. Permission policies are defined in $ONE_LOCATION/lib/ruby/simple_permissions.rb. The method auth_object will be called for each of these tokens; here is the information available to the method:

def auth_object(uid, object, id, action, owner, pub)
  • uid: id of the user willing to perform the action
  • object: one of VM, NET, IMAGE, HOST
  • id: object identifier
  • action: type of the action, one of CREATE, DELETE, USE, MANAGE, INFO
  • owner: id of the user who owns the object
  • pub: flag telling whether the image is public: 0 is not public, 1 is public

All the parameters are strings. When the action is permitted by the policy the method should return true; otherwise it returns false or a string containing the reason for the rejection.
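As an added example of a permission policy written against this contract (it is not the policy shipped in simple_permissions.rb; the class name ExamplePermissions, the rules and the administrator uid are assumptions), the class below implements auth_object and also shows how a whole authorization message, a series of tokens, is accepted only if every token is permitted:

```ruby
# Example permission policy (added illustration, not OpenNebula's own code).
# auth_object receives every parameter as a string and returns true to permit
# the token, or a reason string (or false) to reject it.
class ExamplePermissions
  ADMIN_UID = '0'                              # assumption: uid 0 is the administrator
  ACTIONS   = %w[CREATE DELETE USE MANAGE INFO]
  OBJECTS   = %w[VM NET IMAGE HOST]

  def auth_object(uid, object, id, action, owner, pub)
    # Reject malformed tokens first, so an unknown action never reaches an allow rule.
    return "unknown object type #{object}" unless OBJECTS.include?(object)
    return "unknown action #{action}" unless ACTIONS.include?(action)

    # The administrator may do anything.
    return true if uid == ADMIN_UID

    # Creating a new object needs no ownership; owner is not meaningful yet.
    return true if action == 'CREATE'

    # Owners have full control over their own objects.
    return true if uid == owner

    # Anyone may use or inspect a public object, but not change or delete it.
    return true if pub == '1' && %w[USE INFO].include?(action)

    # Everything else is denied with a reason the driver can report.
    "user #{uid} is not allowed to #{action} #{object} #{id}"
  end

  # Evaluate a whole authorization message: every token must be permitted, and
  # the first rejection ends the check. The token layout
  # [object, id, action, owner, pub] is a constructed example, not the wire format.
  def authorize(uid, tokens)
    tokens.each do |object, id, action, owner, pub|
      result = auth_object(uid, object, id, action, owner, pub)
      return result unless result == true
    end
    true
  end
end
```

The deny-by-default shape matters: the only way to reach true is through an explicit rule, and unrecognised object types or actions are rejected before any rule is consulted, so a new action added later cannot be silently permitted.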