From 198c60b6a4eb545480526620639c5c7697b51d45 Mon Sep 17 00:00:00 2001
From: "Ruben S. Montero"
Date: Tue, 25 Oct 2011 16:36:21 +0200
Subject: [PATCH] bug #847: Update EC2Query for the new auth framework
---
 src/cloud/common/CloudAuth/EC2CloudAuth.rb | 18 ++++++----------
 src/cloud/ec2/etc/econe.conf | 7 +++++-
 src/cloud/ec2/lib/EC2QueryServer.rb | 24 +++++++--------------
 src/cloud/ec2/lib/econe-server.rb | 25 ++++++++++++++++------
 src/cloud/occi/etc/occi-server.conf | 11 +++++++---
 5 files changed, 47 insertions(+), 38 deletions(-)
diff --git a/src/cloud/common/CloudAuth/EC2CloudAuth.rb b/src/cloud/common/CloudAuth/EC2CloudAuth.rb
index 97ee258976..32b021e39e 100644
--- a/src/cloud/common/CloudAuth/EC2CloudAuth.rb
+++ b/src/cloud/common/CloudAuth/EC2CloudAuth.rb
@@ -18,26 +18,22 @@ module EC2CloudAuth
 def auth(env, params={})
 username = params['AWSAccessKeyId']
 one_pass = get_password(username)
- return "Invalid credentials" unless one_pass
+ return nil unless one_pass
 signature = case params['SignatureVersion']
 when "1" then signature_v1(params.clone,one_pass)
 when "2" then signature_v2(params.clone,one_pass,env,true,false)
 end
- if params['Signature'] != signature
- if params['SignatureVersion']=="2"
- signature = signature_v2(params.clone,one_pass,env,false,false)
- if params['Signature'] != signature
- return "Invalid Credentials"
- end
- else
- return "Invalid Credentials"
+ if params['Signature'] == signature
+ return username
+ elsif params['SignatureVersion']=="2"
+ signature = signature_v2(params.clone,one_pass,env,false,false)
+ if params['Signature'] == signature
+ return username
 end
 end
- @token = @server_auth.login_token(username)
- @client = Client.new(@token, @conf[:one_xmlrpc])
 return nil
 end
diff --git a/src/cloud/ec2/etc/econe.conf b/src/cloud/ec2/etc/econe.conf
index 151279862d..4fce7eaef7 100644
--- a/src/cloud/ec2/etc/econe.conf
+++ b/src/cloud/ec2/etc/econe.conf
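Review bot: When SignatureVersion is missing or is anything other than "1" or "2", the `case` leaves `signature` nil, and the new `if params['Signature'] == signature` then succeeds for any request that simply omits the Signature parameter (nil == nil), so a valid AWSAccessKeyId alone reaches `return username` — the `!=` form being replaced behaved the same way, but the rewrite keeps the hole. Add a guard before the comparison: `return nil if signature.nil? || params['Signature'].nil?`. The check itself is an ordinary String#== on an HMAC value, so a constant-time comparison would be preferable where this tree has one available. This assumes a missing query parameter reaches `auth` as nil, which is what the Sinatra `params` hash handed over by econe-server.rb in this same patch does; confirm for any other caller.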
@@ -24,11 +24,16 @@
 # SSL proxy that serves the API (set if is being used)
 #:ssl_server: fqdm.of.the.server
-# Authentication protocol for the econe server:
+# Authentication driver for incomming requests
 # ec2, default Acess key and Secret key scheme
 # x509, for x509 certificates based authentication
 :auth: ec2
+# Authentication driver to communicate with OpenNebula core
+:core_auth: cipher
+# Life-time in seconds for token renewal (that used to handle OpenNebula auths)
+:token_expiration_delta: 1800
+
 # VM types allowed and its template file (inside templates directory)
 :instance_types:
 :m1.small:
diff --git a/src/cloud/ec2/lib/EC2QueryServer.rb b/src/cloud/ec2/lib/EC2QueryServer.rb
index 0783f3da34..f92c0527ec 100644
--- a/src/cloud/ec2/lib/EC2QueryServer.rb
+++ b/src/cloud/ec2/lib/EC2QueryServer.rb
@@ -61,18 +61,10 @@ class EC2QueryServer < CloudServer
 ###########################################################################
- def initialize(config)
+ def initialize(client, config)
 super(config)
- end
-
- def authenticate(env, params)
- econe_host = @config[:ssl_server]
- econe_host ||= @config[:server]
- econe_port = @config[:port]
-
- params.merge!({:econe_host => econe_host, :econe_port => econe_port})
- super(env, params)
+ @client = client
 end
 ###########################################################################
@@ -80,7 +72,7 @@ class EC2QueryServer < CloudServer
 ###########################################################################
 def upload_image(params)
- image = ImageEC2.new(Image.build_xml, self.client, params['file'])
+ image = ImageEC2.new(Image.build_xml, @client, params['file'])
 template = image.to_one_template
 if OpenNebula.is_error?(template)
@@ -102,7 +94,7 @@ class EC2QueryServer < CloudServer
 # Get the Image ID
 tmp, img=params['ImageLocation'].split('-')
- image = Image.new(Image.build_xml(img.to_i), self.client)
+ image = Image.new(Image.build_xml(img.to_i), @client)
 # Enable the new Image
 rc = image.info
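Review bot: The new `:core_auth:` key is explained only by a one-line comment, while `:auth:` directly above lists every accepted value, so an operator cannot tell from this file what `cipher` may be replaced with or that it governs how the server authenticates to the core on users' behalf. If this tree supports other core drivers, list them the same way, e.g. `# Authentication driver used by the server to talk to the OpenNebula core` / `# cipher, <other core drivers supported here>`. The token comment is also hard to parse; `# Lifetime in seconds of the tokens the server issues for its OpenNebula requests` is closer, if that is what `:token_expiration_delta:` controls. The same lines carry two typos: "incomming" should read "incoming" and "Acess" should read "Access".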
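Review bot: `initialize(client, config)` now stores a caller-supplied `client` that every action uses, but neither parameter is documented and a nil `client` is accepted silently, only failing later as a NoMethodError inside some action. A header comment would cover the first: `# client: per-user OpenNebula client obtained from CloudAuth (see econe-server.rb)` / `# config: econe server configuration hash, passed on to CloudServer`. For the second, `raise ArgumentError, 'client is required' if client.nil?` before the assignment fails fast at the one place the object is built. The class body continues outside this hunk.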
@@ -120,7 +112,7 @@ class EC2QueryServer < CloudServer
 def describe_images(params)
 user_flag = OpenNebula::Pool::INFO_GROUP
- impool = ImagePool.new(self.client, user_flag)
+ impool = ImagePool.new(@client, user_flag)
 impool.info
 erb_version = params['Version']
@@ -159,7 +151,7 @@ class EC2QueryServer < CloudServer
 template_text = template.result(binding)
 # Start the VM.
- vm = VirtualMachine.new(VirtualMachine.build_xml, self.client)
+ vm = VirtualMachine.new(VirtualMachine.build_xml, @client)
 rc = vm.allocate(template_text)
 if OpenNebula::is_error?(rc)
@@ -179,7 +171,7 @@ class EC2QueryServer < CloudServer
 def describe_instances(params)
 user_flag = OpenNebula::Pool::INFO_MINE
- vmpool = VirtualMachinePool.new(self.client, user_flag)
+ vmpool = VirtualMachinePool.new(@client, user_flag)
 vmpool.info
 erb_version = params['Version']
@@ -196,7 +188,7 @@ class EC2QueryServer < CloudServer
 tmp, vmid=vmid.split('-')
 if vmid[0]==?i
- vm = VirtualMachine.new(VirtualMachine.build_xml(vmid),self.client)
+ vm = VirtualMachine.new(VirtualMachine.build_xml(vmid),@client)
 rc = vm.info
 return OpenNebula::Error.new('Unsupported'),400 if OpenNebula::is_error?(rc)
diff --git a/src/cloud/ec2/lib/econe-server.rb b/src/cloud/ec2/lib/econe-server.rb
index 000d138b88..930c0b9df4 100644
--- a/src/cloud/ec2/lib/econe-server.rb
+++ b/src/cloud/ec2/lib/econe-server.rb
@@ -43,6 +43,7 @@ require 'sinatra'
 require 'yaml'
 require 'EC2QueryServer'
+require 'CloudAuth'
 include OpenNebula
@@ -73,24 +74,34 @@ if CloudServer.is_port_open?(settings.config[:server],
 puts "Port busy, please shutdown the service or move econe server port."
 exit 1
 end
+
+set :cloud_auth, CloudAuth.new(settings.config)
+
+econe_host = conf[:ssl_server]
+econe_host ||= conf[:server]
+econe_port = conf[:port]
+
+set :econe_host, econe_host
+set :econe_port, econe_port
 ##############################################################################
 # Actions
 ##############################################################################
 before do
- @econe_server = EC2QueryServer.new(settings.config)
-
 begin
- result = @econe_server.authenticate(request.env, params)
+ params[:econe_host] = settings.econe_host
+ params[:econe_port] = settings.econe_port
+ username = settings.cloud_auth.auth(request.env, params)
 rescue Exception => e
- # Add a log message
 error 500, error_xml("AuthFailure", 0)
 end
- if result
- # Add a log message
- error 400, error_xml("AuthFailure", 0)
+ if username.nil?
+ error 401, error_xml("AuthFailure", 0)
+ else
+ client = settings.cloud_auth.client(username)
+ @econe_server = EC2QueryServer.new(client, settings.config)
 end
 end
diff --git a/src/cloud/occi/etc/occi-server.conf b/src/cloud/occi/etc/occi-server.conf
index 2bf8516b9f..839aa27eb7 100644
--- a/src/cloud/occi/etc/occi-server.conf
+++ b/src/cloud/occi/etc/occi-server.conf
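Review bot: `rescue Exception => e` still catches everything, including SystemExit and Interrupt, and now that the "Add a log message" placeholder is gone the bound `e` is unused, so a crash inside the auth driver becomes a bare 500 with no record of what failed — the one event an operator most needs to see. Narrow and log it: `rescue StandardError => e` / `STDERR.puts "econe auth error: #{e.class}: #{e.message}"` / `error 500, error_xml("AuthFailure", 0)`, substituting the server's logger if it has one. `settings.cloud_auth` is a single CloudAuth instance shared by every request; if `auth` or `client` keep per-request state in instance variables, as the removed EC2CloudAuth code did with `@token` and `@client`, that state can bleed between concurrent requests under a threaded server, so it is worth confirming in CloudAuth. `conf` on the new top-level lines is presumably the same hash as `settings.config`; its definition is outside the hunk.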
@@ -27,10 +27,15 @@
 # Configuration for OpenNebula's Virtual Networks
 #:bridge: NAME_OF_DEFAULT_BRIDGE
-# Authentication protocol for the OCCI server:
-# basic, for OpenNebula's user-password scheme
+# Authentication driver for incomming requests
+# occi, for OpenNebula's user-password scheme
 # x509, for x509 certificates based authentication
-:auth: basic
+:auth: occi
+
+# Authentication driver to communicate with OpenNebula core
+:core_auth: cipher
+# Life-time in seconds for token renewal (that used to handle OpenNebula auths)
+:token_expiration_delta: 1800
 # VM types allowed and its template file (inside templates directory)
 :instance_types:
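Review bot: The value for the user-password scheme changes from `basic` to `occi`, and nothing here says whether an existing occi-server.conf that still reads `:auth: basic` keeps working or now fails; if CloudAuth does not accept the old name as an alias, this is a silent break in an authentication setting on upgrade. Either keep `basic` accepted or state the change in the file: `# occi, for OpenNebula's user-password scheme (formerly "basic")`. As in econe.conf, the accepted values for `:core_auth:` are not listed the way they are for `:auth:`, and "incomming" should read "incoming".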