I have a problem with Sunstone authentication. When a user tries to authenticate in Sunstone, this error occurs:
OpenNebula is not running or there was a server exception. Please check the server logs
In oned.log there is:
Wed May 8 03:01:58 2019 [Z0][ReM][D]: Req:4560 UID:0 one.user.info invoked , -1
Wed May 8 03:01:58 2019 [Z0][ReM][D]: Req:4560 UID:0 one.user.info result SUCCESS, “0<GID…”
Wed May 8 03:01:58 2019 [Z0][ReM][D]: Req:2112 UID:-1 one.user.info invoked , -1
Wed May 8 03:01:58 2019 [Z0][ReM][E]: Req:2112 UID:- one.user.info result FAILURE
[one.user.info] User couldn’t be authenticated, aborting call.
I’ve already checked the credentials of the serveradmin user in the files stored in /var/lib/one/.one/ and compared them with the database information:
# oneuser show 1
USER 1 INFORMATION
ID : 1
NAME : serveradmin
GROUP : oneadmin
PASSWORD : xxxxd5b02cb1c3b9d39a2dad7aab5b7f733exxxx
AUTH_DRIVER : core
ENABLED : Yes
# cat /var/lib/one/.one/sunstone_auth
serveradmin:<sanitized_pass>
# echo -n "<sanitized_pass>" | sha1sum
xxxxd5b02cb1c3b9d39a2dad7aab5b7f733exxxx
It was working perfectly, and I suspect that the problem may have occurred after a “oneuser chauth” command.
On the command line, the one* commands work perfectly.
I’ve already tried restoring the user_pool table and restarting the opennebula and opennebula-sunstone services, but the problem persists.
I am using OpenNebula 5.6.2. Can anyone help me, please?
Hi @ahuertas and others,
Looking here, the error is generated by line 272 of the file sunstone_server.rb. So the check that fails is line 270. How can I know exactly what failed?
Does anyone have ideas or suggestions?
265: client = $cloud_auth.client(result, session[:active_zone_endpoint])
266: user_id = OpenNebula::User::SELF
267:
268: user = OpenNebula::User.new_with_id(user_id, client)
269: rc = user.info
270: if OpenNebula.is_error?(rc)
271: logger.error { rc.message }
272: return [500, ""] <=== This is the return
273: end
Copied the value of the field 'body' of the user_pool table for the serveradmin user in the test database;
testDB: mysql> SELECT body FROM user_pool where uid='1'
<USER><ID>1…</TEMPLATE></USER>
Updated the field 'body' of the user_pool table for serveradmin in the production DB;
productionDB: mysql> UPDATE user_pool set body='<USER><ID>1…</TEMPLATE>
</USER>' WHERE uid='1';
Copied the sunstone_auth file from test to production.
# cp /var/lib/one/.one-test/sunstone_auth /var/lib/one/.one/sunstone_auth
@ahuertas Many thanks for your help and cooperation!
so the summary of this is that the commands don’t really work, correct?
they just don’t properly update the value in the database, and the user is then left alone to edit the xml themselves.
so first the ONE UI doesn’t work
then there is actually NO WAY at all to fix this using the ONE cli, although all the commands exist. They just don’t work.
then we leave the most dangerous task to the user
and just to make it really clear we don’t care, the whole thing requires a downtime of the cloud controller where no failed VM could be restarted
and, to make it more fun, we have caching that interferes with password changes
And an issue like that has existed for like 7 years, and all we do is write howtos on how to squeeze the XML out of the database and then manually fix it (but of course no DTD to even validate, and of course no single howto shows the steps in clear with a password and its SHA1 hash).
If I ever find any hope again I’ll just open an issue in the bugtracker because this is so sad.
And then I’d ask you to upvote it so no more people in the future need to waste time just because the commands here do things and then don’t actually do them.
Extra care needs to be taken at the time of changing the password of oneadmin and serveradmin. If you change the password of oneadmin but do not update the auth file for the CLI, you just locked yourself out of the system (using the CLI at least).
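The manual check from the first post (SHA1 of the password in the auth file against the PASSWORD field of `oneuser show`) can be scripted and run after any password change. This is an added example, not part of the thread or of OpenNebula's tooling. The function name `check_auth_file`, its return codes and the sample data are assumptions, and it assumes SHA1 hashes as shown for 5.6.2 above.

```shell
#!/bin/sh
# Added example (not OpenNebula code): repeat the first post's manual check,
# SHA1 of the password in an auth file vs. the PASSWORD field of `oneuser show`.
# check_auth_file and its return codes are hypothetical names for illustration.

# usage: check_auth_file <auth_file> <file with saved `oneuser show <id>` output>
# returns 0 = hashes match, 1 = hash mismatch, 2 = user name differs, 3 = bad input
check_auth_file() {
    local auth_file="$1" show_file="$2"
    local line user pass db_user db_hash file_hash
    [ -r "$auth_file" ] && [ -r "$show_file" ] || return 3

    # First line is user:password. Split on the first colon only, because the
    # password itself may contain colons. Accept a file with no final newline.
    line=
    IFS= read -r line < "$auth_file" || [ -n "$line" ] || return 3
    case "$line" in *:*) ;; *) return 3 ;; esac
    user=${line%%:*}
    pass=${line#*:}

    # Extract values from the "KEY : value" lines of the saved output.
    db_user=$(awk -F' *: *' '$1 == "NAME" { print $2; exit }' "$show_file")
    db_hash=$(awk -F' *: *' '$1 == "PASSWORD" { print $2; exit }' "$show_file")
    [ -n "$db_user" ] && [ -n "$db_hash" ] || return 3
    [ "$user" = "$db_user" ] || return 2

    # printf '%s' hashes the password without a trailing newline (like echo -n).
    file_hash=$(printf '%s' "$pass" | sha1sum | awk '{ print $1 }')
    [ "$file_hash" = "$db_hash" ]
}

# Constructed sample data: the well-known SHA1 of the string "password".
demo() {
    local dir; dir=$(mktemp -d) || return 3
    printf 'serveradmin:password\n' > "$dir/sunstone_auth"
    printf '%s\n' 'USER 1 INFORMATION' 'ID : 1' 'NAME : serveradmin' \
        'PASSWORD : 5baa61e4c9b93f3f0682250b6cf8331b7ee68fd8' > "$dir/show.txt"
    check_auth_file "$dir/sunstone_auth" "$dir/show.txt"
    local rc=$?
    rm -rf "$dir"
    echo "check_auth_file returned $rc"
    return "$rc"
}
demo
```

On a live front-end the second argument would be a file holding the saved output of `oneuser show 1`, checked against /var/lib/one/.one/sunstone_auth.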