Custom authentication driver

vdjurovic · August 12, 2020, 11:10am

I’ve created a simple authentication driver as a proof of concept, but I’m having a hard time testing it.

According to documentation, driver expects input in XML format:

<AUTHN>
<USERNAME>VALUE</USERNAME>
<PASSWORD>VALUE</PASSWORD>
<SECRET>VALUE</SECRET>

I tried using oneuser login command to test the driver, but I can’t figure out how to specify options to get the desired input. For my driver to work, I need to pass username and secret.

I tried using command like

oneuser my-user

then I get prompted for the password, but the authentication fails. According to driver log, it got only as input, so neither username nor password got passed to the driver.

What am I doing wrong? What is the right way to pass username and secret to the driver?

jorel · August 13, 2020, 8:24am

You can test it using comand like:
oneuser show --user [username] --password [password]

Or you can put the credentials to the ~/.one/one_auth file

Ensure you added your auth driver to oned.conf

AUTH_MAD = [
    EXECUTABLE = "one_auth_mad",
    AUTHN = "ssh,x509,ldap,server_cipher,server_x509,custom"
]
DEFAULT_AUTH = "custom"

vdjurovic · August 13, 2020, 9:14am

I tried the command you describe, but still getting the same. Running

oneuser show --user user1-tenant1 --password xxxx

In the auth driver, I log the input, and this is what I get:

time="2020-08-13T11:05:03+02:00" level=info msg="Running authentication"
time="2020-08-13T11:05:03+02:00" level=debug msg="<AUTHN>\n"

Driver expects XML input in the form described in the documentation, but looks like it only gets <AUTHN> tag followed by newline. It’s like username and password were never passed to driver. I would expect the driver to get input like:

<AUTHN>
    <USERNAME>user1-tenant1</USERNAME>
   <PASSWORD>xxxx</PASSWORD>
   <SECRET></SECRET>
</AUTHN

BTW, driver is registered and user is set to use that driver:

I’m really lost here

jorel · August 18, 2020, 3:37pm

How do you process the STDIN in the custom driver? Can you share it here?

vdjurovic · August 19, 2020, 8:17am

You were right, I messed STDIN processing :-). I expected it would come in as a single line, as shown in sample documentation. I fixed it, so it works both ways now. Thanks a lot for your help!

BTW, if anyone is interested, complete driver code is available here. It’s based on JWT instead of relying on user password.

It’s just a prototype/proof-of-concept thing, but could be useful to someone as starting point for another driver. It’s tested only with Keycloak as IDP and works only with RSA256 signing algorithm.Maybe it would work with any compatible OpenID IDP, but I’m not sure.

Anyway, thanks again for your help.

TafkaMax · June 28, 2023, 8:53am

Hi

How did you integrate this driver to your opennebula instance? A little bit more documentation would be awesome

Install go binary
Add go to path
Add the ‘authenticator.go’ code to /var/lib/one/remotes/auth/jwt folder?

vdjurovic · June 28, 2023, 1:38pm

Sorry, I have no idea :-). I didn’t touch OpenNebula for a few years, and I forgot most of what I did.

TafkaMax · June 28, 2023, 2:47pm

Ok thx for response anyway.

Topic		Replies	Views
How to read GET parameters in custom authentication driver script? Community Support	1	579	July 12, 2016
Auth provider development Development	2	946	February 1, 2018
Wed Mar 30 17:24:39 2016 [Z0][ReM][E]: Req:2240 UID:- SystemConfig result FAILURE [SystemConfig] User couldn't be authenticated, aborting call Community Support	1	631	March 31, 2016
[solved] LDAP not working after oneadmin password change Community Support	2	777	January 10, 2018
How to make login from my script to opennebula web - interface Community Support	3	1024	August 2, 2016

Custom authentication driver

Related topics