Federation Login

Hi all,

I’ve set up a federation with one master & one slave zone by following http://docs.opennebula.org/5.2/advanced_components/data_center_federation/federationconfig.html. All seems OK when logged on to the master. Slave zone can be accessed and managed through master sunstone.

However, I cannot log on directly to the slave zone sunstone.
If I try with the correct oneadmin username & password, the web interface gives:
OpenNebula is not running or there was a server exception. Please check the server logs.
With a wrong username & password, it says: Invalid username or password (as expected)

sunstone.log (with incorrect credentials):
Tue Mar 28 11:50:04 2017 [E]: User oneadmin could not be authenticated
Tue Mar 28 11:50:04 2017 [E]: [UserInfo] User couldn't be authenticated, aborting call.
Tue Mar 28 11:50:04 2017 [I]: Unauthorized login attempt
Tue Mar 28 11:50:04 2017 [I]: xxx.xxx.xxx.xxx - - [28/Mar/2017:11:50:04 +0300] "POST /login HTTP/1.1" 401 - 0.0099

sunstone.log (with correct cred.):
Tue Mar 28 11:51:44 2017 [E]: [UserInfo] User couldn't be authenticated, aborting call.
Tue Mar 28 11:51:44 2017 [I]: xxx.xxx.xxx.xxx - - [28/Mar/2017:11:51:44 +0300] "POST /login HTTP/1.1" 500 - 0.1352

oned.log (with incorrect cred.)
Tue Mar 28 11:54:44 2017 [Z100][ReM][D]: Req:3200 UID:-1 UserInfo invoked , -1
Tue Mar 28 11:54:44 2017 [Z100][ReM][E]: Req:3200 UID:- UserInfo result FAILURE [UserInfo] User couldn't be authenticated, aborting call.
Tue Mar 28 11:54:44 2017 [Z100][ReM][D]: Req:3200 UID:-1 UserInfo invoked , -1
Tue Mar 28 11:54:44 2017 [Z100][ReM][E]: Req:3200 UID:- UserInfo result FAILURE [UserInfo] User couldn't be authenticated, aborting call.

oned.log (with correct cred.)
Tue Mar 28 11:55:51 2017 [Z100][AuM][D]: Message received: LOG I 185 Command execution fail: /var/lib/one/remotes/auth/server_cipher/authenticate serveradmin f604c06ab03f5b9f26dfb5b1f473e24e039a0050 ****

Tue Mar 28 11:55:51 2017 [Z100][AuM][I]: Command execution fail: /var/lib/one/remotes/auth/server_cipher/authenticate serveradmin f604c06ab03f5b9f26dfb5b1f473e24e039a0050 ****
Tue Mar 28 11:55:51 2017 [Z100][AuM][D]: Message received: LOG E 185 bad decrypt

Tue Mar 28 11:55:51 2017 [Z100][AuM][I]: bad decrypt
Tue Mar 28 11:55:51 2017 [Z100][AuM][D]: Message received: LOG I 185 ExitCode: 255

Tue Mar 28 11:55:51 2017 [Z100][AuM][I]: ExitCode: 255
Tue Mar 28 11:55:51 2017 [Z100][AuM][D]: Message received: AUTHENTICATE FAILURE 185 bad decrypt

Tue Mar 28 11:55:51 2017 [Z100][AuM][E]: Auth Error: bad decrypt
Tue Mar 28 11:55:51 2017 [Z100][ReM][D]: Req:1200 UID:-1 UserInfo invoked , -1
Tue Mar 28 11:55:51 2017 [Z100][ReM][E]: Req:1200 UID:- UserInfo result FAILURE [UserInfo] User couldn't be authenticated, aborting call.

Any idea?

Thanks,
Orhan

Hi,

I would check the table replication between the databases on the two zones (are they properly replicated, is their content the same). Then compare the content of /var/lib/one/.one/ - it should be the same on both instances. And finally I’d check the federation section of oned.conf on both master and slave.

Kind Regards,
Anton Todorov

slave status:
MariaDB [(none)]> show slave status\G;
*************************** 1. row ***************************
Slave_IO_State: Waiting for master to send event
Master_Host: 192.168.x.xxx
Master_User: one-slave
Master_Port: 3306
Connect_Retry: 60
Master_Log_File: mysql-bin.000001
Read_Master_Log_Pos: 9626038
Relay_Log_File: ist-fe1-relay-bin.000002
Relay_Log_Pos: 9625838
Relay_Master_Log_File: mysql-bin.000001
Slave_IO_Running: Yes
Slave_SQL_Running: Yes
Replicate_Do_DB:
Replicate_Ignore_DB:
Replicate_Do_Table: opennebula.acl,opennebula.group_pool,opennebula.db_versioning,opennebula.marketplace_pool,opennebula.zone_pool,opennebula.user_pool,opennebula.vdc_pool,opennebula.marketplaceapp_pool

master status:
MariaDB [(none)]> show master status;
+------------------+----------+--------------+------------------+
| File             | Position | Binlog_Do_DB | Binlog_Ignore_DB |
+------------------+----------+--------------+------------------+
| mysql-bin.000001 | 9637126  | opennebula   |                  |
+------------------+----------+--------------+------------------+
1 row in set (0.00 sec)

I had copied /var/lib/one/.one/ from master to slave. Checked the files again, they’re identical:
master:
[root@fe1 ~]# ll /var/lib/one/.one/
total 28
-rw------- 1 oneadmin oneadmin 53 Mar 24 10:42 ec2_auth
-rw------- 1 oneadmin oneadmin 53 Mar 24 10:42 occi_auth
-rw-r--r-- 1 oneadmin oneadmin 22 Mar 24 10:41 one_auth
-rw------- 1 oneadmin oneadmin 53 Mar 24 10:42 oneflow_auth
-rw------- 1 oneadmin oneadmin 53 Mar 24 10:42 onegate_auth
-rw------- 1 oneadmin oneadmin 41 Mar 24 10:42 one_key
-rw------- 1 oneadmin oneadmin 53 Mar 24 10:42 sunstone_auth

[root@ist-fe1 ~]# ll /var/lib/one/.one/
total 28
-rw------- 1 oneadmin oneadmin 53 Mar 24 11:42 ec2_auth
-rw------- 1 oneadmin oneadmin 53 Mar 24 11:42 occi_auth
-rw-r--r-- 1 oneadmin oneadmin 22 Mar 24 11:41 one_auth
-rw------- 1 oneadmin oneadmin 53 Mar 24 11:42 oneflow_auth
-rw------- 1 oneadmin oneadmin 53 Mar 24 11:42 onegate_auth
-rw------- 1 oneadmin oneadmin 41 Mar 24 11:42 one_key
-rw------- 1 oneadmin oneadmin 53 Mar 24 11:42 sunstone_auth

The difference in timestamps is due to the timezone.

master oned.conf
FEDERATION = [
    MODE = "MASTER",
    ZONE_ID = 0,
    MASTER_ONED = ""
]

slave oned.conf
FEDERATION = [
    MODE = "SLAVE",
    ZONE_ID = 100,
    MASTER_ONED = "http://192.168.x.xxx:2633/RPC2"
]

I’ve chosen to merge the users and also checked the password in the database (select body from user_pool where name like '%oneadmin%';) against the sha1 hash of the value in /var/lib/one/.one/one_auth and they match (as expected, otherwise I wouldn’t be able to log in to master because there’s just one oneadmin)

Stuck in here…
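
An added example, not part of the thread and not OpenNebula's own code: the `bad decrypt` in the oned.log above is raised by the server_cipher driver while authenticating `serveradmin`, not `oneadmin`. Assuming that driver uses AES-256-CBC keyed by the SHA1 hex digest of the serveradmin password, with oned passing the hash stored in user_pool, the Ruby below reproduces the mismatch and checks a `*_auth` line against a stored hash. The passwords, function names and fixed IV are constructed for illustration.

```ruby
require 'openssl'
require 'digest/sha1'
require 'base64'

CIPHER  = 'aes-256-cbc'
ZERO_IV = "\0" * 16 # assumption: fixed IV, keeps the example deterministic
# Constructed sample passwords, not taken from the thread.
MASTER_PW = 'constructed-master-secret'
STALE_PW  = 'constructed-stale-secret'

# Assumed key derivation: SHA1 hex digest of the password, cut to 32 bytes.
def key_from_password(clear_password)
  Digest::SHA1.hexdigest(clear_password)[0, 32]
end

def run_cipher(mode, key, data)
  c = OpenSSL::Cipher.new(CIPHER)
  mode == :encrypt ? c.encrypt : c.decrypt
  c.key = key
  c.iv  = ZERO_IV
  c.update(data) + c.final
end

# Client side (Sunstone): token "server_user:target_user:expires".
def make_token(server_user, clear_password, target_user, expires)
  plain = "#{server_user}:#{target_user}:#{expires}"
  Base64.strict_encode64(run_cipher(:encrypt, key_from_password(clear_password), plain))
end

# Driver side (oned): decrypts with the hash stored in user_pool.
def check_token(server_user, stored_hash, token, now)
  plain = run_cipher(:decrypt, stored_hash[0, 32], Base64.strict_decode64(token))
  s_user, _target, expires = plain.split(':')
  return :key_mismatch unless s_user == server_user && expires.to_s =~ /\A\d+\z/
  now >= expires.to_i ? :expired : :ok
rescue OpenSSL::Cipher::CipherError
  :key_mismatch # OpenSSL reports a wrong key as "bad decrypt"
end

# Offline check: does the password in a *_auth file hash to the stored value?
def auth_file_matches?(auth_line, stored_hash)
  _user, password = auth_line.strip.split(':', 2)
  Digest::SHA1.hexdigest(password) == stored_hash
end

if __FILE__ == $PROGRAM_NAME
  stored = Digest::SHA1.hexdigest(MASTER_PW) # what user_pool would hold
  puts check_token('serveradmin', stored, make_token('serveradmin', STALE_PW, 'oneadmin', 2_000_000_000), 1_490_000_000)
end
```

Under these assumptions, the comparison that matters for the failing call is the serveradmin entry in user_pool against the password in the slave's sunstone_auth, since that is the user named in the failing `authenticate` command.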