FireEdge Authentication

By default, FireEdge uses the core authentication method (user and password), although you can configure any authentication mechanism supported by OpenNebula. This section explains how to enable other authentication methods.

  • Web client and FireEdge server. Authentication is based on the credentials stored in the OpenNebula database for the user. Depending on the type of these credentials, the authentication method can be remote or opennebula.

The following sections explain the client-to-FireEdge server authentication methods.

Basic Auth

In the basic mode, username and password are matched to those in OpenNebula’s database in order to authorize the user at the time of login. JWT-based sessions are then used to authenticate and authorize the requests.

:auth: opennebula

Remote Auth

This method performs OpenNebula login based on user extraction and compares it with the password value in the user database.

To update existing users to use remote authentication, change their authentication driver to public and update the password by running the following command:

oneuser chauth johndoe public "johndoe"

New users with this authentication method should be created as follows:

oneuser create johndoe "johndoe" --driver public

To enable this login method, set the :auth: option in /etc/one/fireedge-server.conf to remote and restart FireEdge:

:auth: remote
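
The steps above change two things that have to agree: the :auth: option and each user's driver. The following check is an added example, not part of the OpenNebula documentation or code; the function names, the "name driver" input format and the constructed sample data are assumptions of this example.

```shell
#!/bin/sh
# Added example: check before switching FireEdge to ":auth: remote".
# The config text and the "name driver" pairs are constructed samples,
# not real `oneuser` output.

# Print the :auth: value from a FireEdge config file. Commented-out lines
# are skipped; with no :auth: line the default mode "opennebula" is
# reported. Taking the last occurrence is an assumption of this example.
fireedge_auth_mode() {
    mode=$(sed -n 's/^[[:space:]]*:auth:[[:space:]]*//p' "$1" |
        sed -e 's/[[:space:]]*#.*$//' -e 's/[[:space:]]*$//' \
            -e "s/^[\"']//" -e "s/[\"']\$//" |
        tail -n 1)
    echo "${mode:-opennebula}"
}

# Read "name driver" pairs on stdin; print users whose driver is not "public".
users_not_public() {
    awk 'NF >= 2 && $1 !~ /^#/ && $2 != "public" { print $1 }'
}

# Report the mode; return 1 when it is "remote" and some listed users
# have not been moved to the public driver with `oneuser chauth`.
remote_preflight() {
    mode=$(fireedge_auth_mode "$1")
    pending=$(users_not_public)
    if [ "$mode" = "remote" ] && [ -n "$pending" ]; then
        echo "auth=remote, users not on the public driver:"
        echo "$pending" | sed 's/^/  /'
        return 1
    fi
    echo "auth=$mode: nothing pending"
}

# Demo on constructed input.
conf=$(mktemp)
printf '%s\n' '#:auth: opennebula' ':auth: remote' > "$conf"
remote_preflight "$conf" <<EOF || echo "-> run oneuser chauth for the users above"
johndoe public
alice core
EOF
rm -f "$conf"
```
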

The login screen will no longer display the username and password fields, as all information is fetched from the user certificate.

Note that OpenNebula will not verify that the user holds a valid certificate at the time of login: this is expected to be done by the external container of the FireEdge server (normally Apache), whose job is to tell the user’s browser that the site requires a user certificate and to check that the certificate is correctly signed by the chosen Certificate Authority (CA). The Apache/SAML setup is the most common and tested one. However, the setup can also rely on Apache/Nginx for OIDC.

Warning

The FireEdge authentication only handles the authentication of the user at the time of login. Authentication of the user certificate is a complementary setup, which can rely on Apache.

Two Factor Authentication

You can add an additional authentication level by using two-factor authentication, which requests not only the username and password but also the one-time (or pre-generated security) keys generated by an authenticator application.


Important

This option needs to be activated per user, and it is necessary to use legacy Sunstone to perform this activation.