User Management 2.0

OpenNebula comes with an internal user/password authentication and authorization system and the ability to use an external driver that takes care of these duties.

The current Authentication/Authorization module (from now on, the auth module) supports user/password and RSA private/public key authentication, and also user quotas. By default OpenNebula is configured to use the internal user/password authentication. Here you will learn how to enable the external auth module, how to configure it to access the extended features, and how administrators and users should use it.

If you do not want to use the extended auth features, it is better not to enable the external auth module.

Warning: even if the auth module is enabled, the oneadmin user (the user with id 0) will be authenticated and authorized using the internal methods, that is, user/password authentication and no quotas.

Configuring and Enabling Auth Module

The configuration file for the auth module is located at $ONE_LOCATION/etc/auth/auth.conf. This is the default configuration:

:database: sqlite://auth.db
:authentication: simple
:quota:
  :enabled: false
  :defaults:
    :cpu: 10.0
    :memory: 1048576
The variables, what they mean and their default values:

:database
  Description: Driver and connection parameters for the quota database. Information on what this string can contain is located here. It is usually better to leave it as it is.
  Default: The default configuration uses an sqlite database located at $ONE_LOCATION/var/auth.db.

:authentication
  Description: Authentication method to use; currently the simple and ssh options are available. The simple option is exactly the same as the internal authorization method; the ssh option uses RSA private/public keys to authenticate.
  Default: simple, which uses the internal user/password authentication.

:quota/:enabled
  Description: Enables or disables user quota verification.
  Default: false (quota verification is disabled).

:quota/:defaults/:cpu
  Description: Default value for the user CPU quota. This value is used when a user does not have an explicit quota. It can be set to null if you want it to be unlimited.
  Default: 10.0, which lets the user have 10 CPU units registered in OpenNebula at the same time.

:quota/:defaults/:memory
  Description: Default value for the user memory quota in KB. This value is used when a user does not have an explicit quota. It can be set to null if you want it to be unlimited.
  Default: 1048576, which lets the user have 1 GB of memory registered in OpenNebula at the same time.

To load the auth module and enable its use, both of these lines should be uncommented in the OpenNebula configuration file (at the end of $ONE_LOCATION/etc/oned.conf):

AUTH_MAD = [
    executable = "one_auth_mad" ]

OpenNebula must be restarted for the changes to be loaded.

Authorization Options

Simple

The simple option for authorization works the same as the internal auth, that is, as if the auth module were not loaded. Documentation on user creation and credential configuration can be found in the configuration guide.

SSH

User Key Generation (done by users)

This authentication method uses standard ssh RSA keypairs. Users can create the key files, if they do not already exist, with this command:

$ ssh-keygen -t rsa

OpenNebula commands look for the key at the standard location ($HOME/.ssh/id_rsa), so it is a good idea not to change the path where this command creates the RSA key file. It is also a good idea to protect the private key with a passphrase.

Public Key Extraction (done by users)

To create a user compatible with the ssh authentication option, the administrator needs to add the user's public key to the database. The public key file generated by ssh-keygen ($HOME/.ssh/id_rsa.pub) is not written in a format readable by openssl, so the public key has to be extracted by the user and sent to the administrator. It is extracted as follows:

$ oneauth key
Enter PEM pass phrase:
MIIBCAKCAQEApUO+JISjSf02rFVtDr1yar/34EoUoVETx0n+RqWNav+5wi+gHiPp3e03AfEkXzjDYi8F
voS4a4456f1OUQlQddfyPECn59OeX8Zu4DH3gp1VUuDeeE8WJWyAzdK5hg6F+RdyP1pT26mnyunZB8Xd
bll8seoIAQiOS6tlVfA8FrtwLGmdEETfttS9ukyGxw5vdTplse/fcam+r9AXBR06zjc77x+DbRFbXcgI
1XIdpVrjCFL0fdN53L0aU7kTE9VNEXRxK8sPv1Nfx+FQWpX/HtH8ICs5WREsZGmXPAO/IkrSpMVg5taS
jie9JAQOMesjFIwgTWBUh6cNXuYsQ/5wIwIBIw==

The string the user has to send to the administrator to create the user is written to the console.

User Creation (done by the administrator)

After the user sends the RSA public key, the administrator needs to create a new account in the OpenNebula system. This is done in a similar way as for standard user/password users, but using the public key provided by the user and adding the -n parameter to the command so that the password (in this case the public key) is stored as is in the database. Here is the command to create a user called test with the previously extracted public key:

$ oneuser create -n test "MIIBCAKCAQEApUO+JISjSf02rFVtDr1yar/34EoUoVETx0n+RqWNav+5wi+gHiPp3e03AfEkXzjDYi8F
voS4a4456f1OUQlQddfyPECn59OeX8Zu4DH3gp1VUuDeeE8WJWyAzdK5hg6F+RdyP1pT26mnyunZB8Xd
bll8seoIAQiOS6tlVfA8FrtwLGmdEETfttS9ukyGxw5vdTplse/fcam+r9AXBR06zjc77x+DbRFbXcgI
1XIdpVrjCFL0fdN53L0aU7kTE9VNEXRxK8sPv1Nfx+FQWpX/HtH8ICs5WREsZGmXPAO/IkrSpMVg5taS
jie9JAQOMesjFIwgTWBUh6cNXuYsQ/5wIwIBIw=="

After this the administrator can check that the user is in the system:

$ oneuser list
  ID USER            PASSWORD                                          
   0 oneadmin        5baa61e4c9b93f3f0682250b6cf8331b7ee68fd8          
   1 test            MIIBCAKCAQEApUO+JISjSf02rFVtDr1yar/34EoUoVETx0n+Rq
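Since the administrator receives the key as an opaque base64 string, it is worth checking that it really encodes the user's key before creating the account. The following is an added example, not OpenNebula code: it parses the PKCS#1 DER string printed by oneauth key and an OpenSSH id_rsa.pub line (which the user can share, or which the admin can fingerprint with ssh-keygen -l) and compares the (modulus, exponent) pair; the sample input is the key printed in this guide.

```python
# Added example, not OpenNebula code: check that the base64 string printed by
# `oneauth key` (a PKCS#1 RSAPublicKey in DER) and an OpenSSH id_rsa.pub line hold
# the same RSA key, so an admin can confirm what a user sent. Sample: the guide's key.
import base64
import struct

ONEAUTH_KEY_OUTPUT = ("MIIBCAKCAQEApUO+JISjSf02rFVtDr1yar/34EoUoVETx0n+RqWNav+5wi+gHiPp3e03AfEkXzjDYi8F"
                      "voS4a4456f1OUQlQddfyPECn59OeX8Zu4DH3gp1VUuDeeE8WJWyAzdK5hg6F+RdyP1pT26mnyunZB8Xd"
                      "bll8seoIAQiOS6tlVfA8FrtwLGmdEETfttS9ukyGxw5vdTplse/fcam+r9AXBR06zjc77x+DbRFbXcgI"
                      "1XIdpVrjCFL0fdN53L0aU7kTE9VNEXRxK8sPv1Nfx+FQWpX/HtH8ICs5WREsZGmXPAO/IkrSpMVg5taS"
                      "jie9JAQOMesjFIwgTWBUh6cNXuYsQ/5wIwIBIw==")

def _der_len(buf, i):  # DER length field at buf[i] -> (length, index after it)
    if buf[i] < 0x80:
        return buf[i], i + 1
    n = buf[i] & 0x7F
    return int.from_bytes(buf[i + 1:i + 1 + n], "big"), i + 1 + n

def parse_oneauth_key(text):
    """RSAPublicKey ::= SEQUENCE { modulus INTEGER, publicExponent INTEGER } -> (n, e)."""
    der = base64.b64decode("".join(text.split()))
    _, i = _der_len(der, 1)  # skip the outer SEQUENCE header (tag 0x30)
    ints = []
    for _ in range(2):
        if der[i] != 0x02:
            raise ValueError("expected a DER INTEGER")
        length, i = _der_len(der, i + 1)
        ints.append(int.from_bytes(der[i:i + length], "big"))
        i += length
    return ints[0], ints[1]

def _ssh_field(raw):  # OpenSSH wire format: 4-byte big-endian length, then bytes
    return struct.pack(">I", len(raw)) + raw

def _mpint(value):  # positive mpint: prepend 0x00 when the high bit is set
    raw = value.to_bytes((value.bit_length() + 7) // 8, "big")
    return _ssh_field(b"\x00" + raw if raw[0] & 0x80 else raw)

def to_openssh_line(n, e):
    """Build an id_rsa.pub style line: string 'ssh-rsa', mpint e, mpint n."""
    blob = _ssh_field(b"ssh-rsa") + _mpint(e) + _mpint(n)
    return "ssh-rsa " + base64.b64encode(blob).decode() + " converted"

def parse_openssh_line(line):  # id_rsa.pub line -> (n, e)
    blob, i, fields = base64.b64decode(line.split()[1]), 0, []
    while i < len(blob):
        length = struct.unpack(">I", blob[i:i + 4])[0]
        fields.append(blob[i + 4:i + 4 + length])
        i += 4 + length
    if fields[0] != b"ssh-rsa":
        raise ValueError("not an ssh-rsa key")
    return int.from_bytes(fields[2], "big"), int.from_bytes(fields[1], "big")
```

The two keys match when parse_oneauth_key and parse_openssh_line return the same pair; to_openssh_line also gives the admin an OpenSSH-format copy of the received key that ssh-keygen -l can fingerprint.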

User Login (done by users)

Before performing any action in the OpenNebula system the user needs to log in. To do this, issue this command:

$ oneauth login test
Enter PEM pass phrase:
export ONE_AUTH=/home/test/.one/one_ssh

On success the command prints the line that has to be executed so that OpenNebula commands know where to find the generated login file:

$ export ONE_AUTH=/home/test/.one/one_ssh

The user can also add this line to $HOME/.profile or $HOME/.bashrc so it does not need to be executed at every new system login.

By default the login file is valid for one hour. This expiry time can be changed by adding another parameter with the number of seconds the login should be valid. For example, to create a login valid for 2 hours you can issue this command:

$ oneauth login test 7200
Enter PEM pass phrase:
export ONE_AUTH=/home/test/.one/one_ssh

Quota

When the quota module is enabled it checks the user's resource consumption before letting a VM be created in the OpenNebula system. Take into account that the resources of all the VMs listed by onevm list for a user are counted as used. The administrator user has unlimited quota.

Quotas Database Security (done by the administrator)

By default the user quota database is an sqlite database located at $ONE_LOCATION/var/auth.db. This database is not created with secure permissions, so the administrator may want to change its permissions and possibly its location. To change its location, use a full path to the database in the auth module configuration file:

:database: sqlite:///somewhere/in/your/hdd/auth.db
...

You may also change its permissions to 0600 so that the unix user that runs the OpenNebula daemons is the only one with read/write access.

Default Quotas (done by the administrator)

Default quotas for all users are configured as previously stated in Configuring and Enabling Auth Module. This is the first configuration you will have to do if you enable the quota system, as any user without explicit quotas can only use that amount of resources.

Explicit User Quotas (done by the administrator)

Special quotas for a user can be set using the oneauth command. If you have secured the database, only the unix user that runs OpenNebula will be able to update them. The steps to change the limits for a user are as follows:

  • Find the user id of the user whose limits we want to change. We are searching for user test:
$ oneuser list
  ID USER            PASSWORD                                          
   0 oneadmin        5baa61e4c9b93f3f0682250b6cf8331b7ee68fd8          
   1 test            MIIBCAKCAQEApUO+JISjSf02rFVtDr1yar/34EoUoVETx0n+Rq
  • The user id for test is 1. Now we use oneauth quota set <user id> <cpu> <memory> to change user limits:
$ oneauth quota set 1 20 10000000
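To make the rules of the Quota section concrete (defaults from auth.conf, explicit per-user quotas set with oneauth quota set, null meaning unlimited, and the oneadmin exemption), here is an added example that models the admission decision; it is not OpenNebula code, and all quota values and VM records in it are constructed.

```python
# Added example, not OpenNebula code: a model of the quota decision described in
# this section, showing how default quotas, explicit per-user quotas, the null
# (unlimited) value and the oneadmin exemption combine. All data below is constructed.

DEFAULT_QUOTA = {"cpu": 10.0, "memory": 1048576}  # the shipped auth.conf defaults (KB)

# As set with `oneauth quota set <user id> <cpu> <memory>`; None models auth.conf's null.
EXPLICIT_QUOTAS = {1: {"cpu": 20.0, "memory": 10000000},
                   2: {"cpu": None, "memory": 2097152}}

# Constructed stand-in for `onevm list`: every VM a user owns counts as consumed.
RUNNING_VMS = [{"uid": 1, "cpu": 4.0, "memory": 4194304},
               {"uid": 1, "cpu": 8.0, "memory": 2097152},
               {"uid": 3, "cpu": 9.5, "memory": 524288}]

def effective_quota(uid, explicit=EXPLICIT_QUOTAS, defaults=DEFAULT_QUOTA):
    """oneadmin (id 0) is never limited; others get explicit values or the defaults."""
    if uid == 0:
        return {"cpu": None, "memory": None}
    return {**defaults, **explicit.get(uid, {})}

def usage(uid, vms=RUNNING_VMS):
    """Sum the CPU and memory of all VMs the user currently has registered."""
    mine = [vm for vm in vms if vm["uid"] == uid]
    return {"cpu": sum(vm["cpu"] for vm in mine), "memory": sum(vm["memory"] for vm in mine)}

def check_vm_creation(uid, requested, vms=RUNNING_VMS, explicit=EXPLICIT_QUOTAS):
    """Return (allowed, reasons); creation is refused if any resource would exceed its limit."""
    quota, used = effective_quota(uid, explicit), usage(uid, vms)
    reasons = []
    for res in ("cpu", "memory"):
        limit = quota[res]
        if limit is not None and used[res] + requested[res] > limit:
            reasons.append(f"{res}: {used[res]} used + {requested[res]} requested > {limit}")
    return not reasons, reasons
```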