OpenNebula comes with a default internal user authentication system based on username/password, where information and secrets are stored in the OpenNebula (see the Users & Groups Subsystem guide). Dedicated external user authentication drivers can be used to leverage additional authentication mechanisms or sources of information about the users (e.g., LDAP). This chapter describes the available user authentication and management options.
In this figure you can see three authentication configurations you can customize in OpenNebula.
a) CLI/API Authentication
You can choose from the following authentication drivers to access OpenNebula from the command line:
- Built-in User/Password and token authentication
- SSH Authentication
- X.509 Authentication
- LDAP Authentication
b) Sunstone Authentication
By default, any authentication driver configured to work with OpenNebula can be used out-of-the-box with Sunstone. Additionally you can add a TLS-proxy to secure the Sunstone. See:
c) Server Authentication
This method is designed to delegate the authentication process to high level tools interacting with OpenNebula. You’ll be interested in this method if you are developing your own servers.
OpenNebula ships with two GUI servers - Sunstone and FireEdge. When a user interacts with one of them, the server authenticates the request and then forwards the requested operation to the OpenNebula Daemon. The forwarded requests are encrypted using a symmetric key. The following guide shows how to strengthen the security of these requests using X.509 certificates. This is especially relevant if you are running your server in a machine other than the Front-end.
How Should I Read This Chapter¶
When designing the architecture of your cloud you will have to choose where to store users’ credentials. Different authentication methods can be configured at the same time and selected on a ‘per user’ basis. A major difference between various authentication methods is their ability to be used either by API, CLI and/or only Sunstone (the web interface). You can read the relevant sections based on your requirements.
Usable with API, CLI and Sunstone:
Usable only with API and CLI:
Usable only with Sunstone:
This chapter applies to supported hypervisors.