<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="Content-Type" content="text/html; charset=utf-8" /> <title>Authentication — Bcfg2 1.3.0 documentation</title> <link rel="stylesheet" href="../../_static/default.css" type="text/css" /> <link rel="stylesheet" href="../../_static/pygments.css" type="text/css" /> <script type="text/javascript"> var DOCUMENTATION_OPTIONS = { URL_ROOT: '../../', VERSION: '1.3.0', COLLAPSE_INDEX: false, FILE_SUFFIX: '.html', HAS_SOURCE: true }; </script> <script type="text/javascript" src="../../_static/jquery.js"></script> <script type="text/javascript" src="../../_static/underscore.js"></script> <script type="text/javascript" src="../../_static/doctools.js"></script> <script type="text/javascript" src="../../_static/sidebar.js"></script> <link rel="shortcut icon" href="../../_static/favicon.ico"/> <link rel="top" title="Bcfg2 1.3.0 documentation" href="../../index.html" /> <link rel="up" title="Guides" href="../guides.html" /> <link rel="next" title="Bootstrap" href="bootstrap.html" /> <link rel="prev" title="Guides" href="../guides.html" /> <link rel="stylesheet" href="../../_static/bcfg2.css" type=""/> </head> <body> <div style="text-align: left; padding: 10px 10px 15px 15px"> <a href="../../index.html"><img src="../../_static/bcfg2_logo.png" border="0" alt="sampledoc"/></a> </div> <div class="related"> <h3>Navigation</h3> <ul> <li class="right" style="margin-right: 10px"> <a href="../../genindex.html" title="General Index" accesskey="I">index</a></li> <li class="right" > <a href="../../py-modindex.html" title="Python Module Index" >modules</a> |</li> <li class="right" > <a href="bootstrap.html" title="Bootstrap" accesskey="N">next</a> |</li> <li class="right" > <a href="../guides.html" title="Guides" accesskey="P">previous</a> |</li> <li><a href="../../index.html">home</a> | </li> <!--<li><a 
href="../../search.html">search</a> | </li>--> <li><a href="../../help/index.html">help</a> | </li> <li><a href="../../contents.html">documentation </a> »</li> <li><a href="../../contents.html" >Bcfg2 documentation 1.3.0</a> »</li> <li><a href="../index.html" >Appendix</a> »</li> <li><a href="../guides.html" accesskey="U">Guides</a> »</li> </ul> </div> <div class="document"> <div class="documentwrapper"> <div class="bodywrapper"> <div class="body"> <div class="section" id="authentication"> <span id="appendix-guides-authentication"></span><h1>Authentication<a class="headerlink" href="#authentication" title="Permalink to this headline">¶</a></h1> <div class="section" id="scenarios"> <h2>Scenarios<a class="headerlink" href="#scenarios" title="Permalink to this headline">¶</a></h2> <ol class="arabic"> <li><p class="first">Cluster nodes that are frequently rebuilt</p> <p>The default settings work well: the machines do not float, and no per-client password is required.</p> </li> <li><p class="first">Hosts behind a NAT (see <a class="reference internal" href="nat_howto.html#appendix-guides-nat-howto"><em>NAT HOWTO</em></a>)</p> </li> </ol> <blockquote> <div><ul> <li><p class="first">Build the client records in advance with <tt class="docutils literal"><span class="pre">bcfg2-admin</span></tt>, setting a uuid for each new client.</p> </li> <li><p class="first">Set the address attribute of each record to the address of the NAT.</p> </li> <li><p class="first">Optionally, set a per-client password for each client and put the client into secure mode.</p> <div class="admonition note"> <p class="first admonition-title">Note</p> <p class="last">Each client must then present its uuid and its password, and its connections must arrive from the NAT address.</p> </div> </li> </ul> </div></blockquote> </div> <div class="section" id="building-bcfg2-conf-automatically"> <h2>Building bcfg2.conf automatically<a class="headerlink" href="#building-bcfg2-conf-automatically" title="Permalink to this headline">¶</a></h2> <p>This is a 
<a class="reference internal" href="../../server/plugins/generators/cfg.html#server-plugins-generators-cfg-cheetah"><em>Cheetah template</em></a> that automatically constructs a per-client <tt class="docutils literal"><span class="pre">bcfg2.conf</span></tt> from each client's metadata:</p> <div class="highlight-python"><pre>[communication]
protocol = xmlrpc/ssl
#if $self.metadata.uuid != None
user = $self.metadata.uuid
#end if
#if $self.metadata.password != None
password = $self.metadata.password
#else
password = my-password-foobat
#end if

[components]
bcfg2 = https://localhost:6789</pre> </div> <p>With this template, every client that has a uuid in its metadata gets <tt class="docutils literal"><span class="pre">user</span></tt> set to that uuid in its <tt class="docutils literal"><span class="pre">bcfg2.conf</span></tt>, and every client that has a per-client password uses it in place of the global password (<tt class="docutils literal"><span class="pre">my-password-foobat</span></tt> in this example). Because the generated file carries the client's credential, deliver it with restrictive permissions (for example owner root, mode 0600).</p> </div> <div class="section" id="how-authentication-works"> <h2>How Authentication Works<a class="headerlink" href="#how-authentication-works" title="Permalink to this headline">¶</a></h2> <ol class="arabic simple"> <li>First, the client is associated with a client record. If the client presents a uuid (the <tt class="docutils literal"><span class="pre">user</span></tt> setting in <tt class="docutils literal"><span class="pre">bcfg2.conf</span></tt>), that uuid selects the record; otherwise the record is chosen from a DNS or address lookup of the connecting IP.</li> <li>Next, the connecting IP address is verified against the client record. If the address does not match, the client must have <tt class="docutils literal"><span class="pre">floating='true'</span></tt> set in its record, or it is rejected.</li> <li>Finally, the password is verified. If the client is in secure mode, only its per-client password is accepted. If it is not in secure mode, either the global password or the per-client password is accepted.</li> </ol> <p>Failure during any of these stages results in authentication failure. 
Note that a client in secure mode that has no per-client password set cannot connect at all.</p> </div> <div class="section" id="ssl-cert-based-client-authentication"> <h2>SSL Cert-based client authentication<a class="headerlink" href="#ssl-cert-based-client-authentication" title="Permalink to this headline">¶</a></h2> <p>SSL-based client authentication is supported. It requires three things:</p> <ol class="arabic simple"> <li>A Certificate Authority (CA) that signs every certificate</li> <li>A server key and a server certificate signed by the CA</li> <li>A client key and a client certificate signed by the CA, for each client</li> </ol> <p>Any CA can be used; a simple way to generate these keys and certificates is the following set of steps:</p> <ol class="arabic"> <li><p class="first">Set up a CA</p> <p><a class="reference external" href="http://www.flatmtn.com/article/setting-openssl-create-certificates">http://www.flatmtn.com/article/setting-openssl-create-certificates</a></p> </li> <li><p class="first">Create a key for the server and for each client, and sign each with the CA signing certificate</p> <p><a class="reference external" href="http://www.flatmtn.com/article/setting-ssl-certificates-apache">http://www.flatmtn.com/article/setting-ssl-certificates-apache</a></p> <div class="admonition note"> <p class="first admonition-title">Note</p> <p>The client certificate's CN must be the FQDN of the client (as returned by a reverse DNS lookup of the client's IP address), so reverse DNS must be correct for every client address. 
Otherwise, you will get an error message on the client that looks like:</p> <div class="highlight-python"><pre>Server failure: Protocol Error: 401 Unauthorized
Failed to download probes from bcfg2
Server Failure</pre> </div> <p>You will also see an error message on the server that looks something like:</p> <div class="last highlight-python"><pre>cmssrv01 bcfg2-server[9785]: Got request for cmssrv115 from incorrect address 131.225.206.122
cmssrv01 bcfg2-server[9785]: Resolved to cmssrv115.fnal.gov</pre> </div> </div> </li> <li><p class="first">Distribute the keys and certificates to their locations on the server and the clients</p> </li> <li><p class="first">Copy the CA certificate to the clients as well, so that they can authenticate the server</p> </li> </ol> <p>A client that presents a certificate is authenticated with that certificate first; a client can be set up to authenticate solely with a certificate, with a certificate falling back to a password, or with a password only. A bootstrap mode is also available: it lets a client authenticate with a password on its first run and requires a certificate on every subsequent run. 
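</p> <p>The following Python script is an added example and is not part of the Bcfg2 documentation or code base. It models the server-side decision described under <em>How Authentication Works</em> above (record lookup by uuid or address, the address and floating check, secure mode versus the global password) together with the certificate-first behaviour and the <tt class="docutils literal"><span class="pre">cert</span></tt>, <tt class="docutils literal"><span class="pre">cert+password</span></tt> and <tt class="docutils literal"><span class="pre">bootstrap</span></tt> values of the <tt class="docutils literal"><span class="pre">auth</span></tt> attribute described in this section, including the rule that the certificate CN must equal the client's FQDN. The <tt class="docutils literal"><span class="pre">Metadata/clients.xml</span></tt> it parses and the reverse-DNS table are constructed for the example; the function names, the reason strings, the assumption that a client without an <tt class="docutils literal"><span class="pre">auth</span></tt> attribute behaves as <tt class="docutils literal"><span class="pre">cert+password</span></tt>, and the rule that a client with no record is rejected are the example's own, not taken from Bcfg2.</p>

```python
"""Model of the client-authentication decision described on this page.

Added example, not Bcfg2's own server code. Assumptions not made on the page:
a client without an auth attribute behaves as cert+password, a client with no
record is rejected, and REVERSE_DNS stands in for the server's real lookup.
"""
import xml.etree.ElementTree as ET

# Constructed Metadata/clients.xml; names are FQDNs so the cert CN rule applies.
CLIENTS_XML = """
<Clients>
  <Client name='node01.example.com' address='10.0.0.11'/>
  <Client name='behindnat.example.com' uuid='4e8a1f2c-0001'
          address='203.0.113.9' password='nat-only' secure='true'/>
  <Client name='laptop.example.com' uuid='4e8a1f2c-0002' password='lap-pw' floating='true'/>
  <Client name='locked.example.com' address='10.0.0.70' secure='true'/>
  <Client name='testclient.example.com' address='10.0.0.50' auth='cert'/>
  <Client name='newhost.example.com' address='10.0.0.60' auth='bootstrap'/>
</Clients>
"""
# Constructed reverse DNS; 203.0.113.9 is the NAT gateway, not a client.
REVERSE_DNS = {"10.0.0.11": "node01.example.com", "10.0.0.50": "testclient.example.com",
               "10.0.0.60": "newhost.example.com", "10.0.0.70": "locked.example.com",
               "203.0.113.9": "natgw.example.com"}
FORWARD_DNS = {fqdn: ip for ip, fqdn in REVERSE_DNS.items()}
GLOBAL_PASSWORD = "my-password-foobat"   # the [communication] password in the template above


def load_clients(xml_text=CLIENTS_XML):
    """Index <Client> records by name, keeping attribute values as strings."""
    return {c.get("name"): dict(c.attrib) for c in ET.fromstring(xml_text.strip()).findall("Client")}


def _flag(rec, attr):
    return rec.get(attr, "false").lower() == "true"


def authenticate(clients, address, user=None, password=None, cert_cn=None, bootstrapped=None):
    """Return (accepted, reason). `user` is the uuid from the client's bcfg2.conf,
    `cert_cn` the CN of a presented client cert (None if none), `bootstrapped` the
    set of names whose one bootstrap password run is already spent (updated here)."""
    bootstrapped = set() if bootstrapped is None else bootstrapped
    # Step 1: a known uuid selects the record; otherwise reverse DNS of the address.
    by_uuid = {r["uuid"]: n for n, r in clients.items() if "uuid" in r}
    name = by_uuid.get(user) if user else None
    if name is None:
        name = REVERSE_DNS.get(address, address)
    rec = clients.get(name)
    if rec is None:
        return False, "no client record for %s" % name
    # Step 2: the connecting address must match the record unless floating='true'.
    expected = rec.get("address") or FORWARD_DNS.get(name)
    if expected != address and not _flag(rec, "floating"):
        return False, "request for %s from incorrect address %s" % (name, address)
    # Step 3a: a certificate is tried first; its CN must equal the client's FQDN.
    mode = rec.get("auth", "cert+password")   # assumption: cert+password when unset
    if cert_cn is not None:
        if cert_cn == name:
            return True, "cert"
        if mode == "cert":
            return False, "cert CN %s does not match %s" % (cert_cn, name)
    elif mode == "cert":
        return False, "certificate required for %s" % name
    if mode == "bootstrap" and name in bootstrapped:
        return False, "%s already bootstrapped; certificate required" % name
    # Step 3b: password. Secure mode accepts only the per-client password, so a
    # secure client with no per-client password can never connect.
    per_client = rec.get("password")
    if _flag(rec, "secure"):
        allowed = {per_client} if per_client else set()
    else:
        allowed = {GLOBAL_PASSWORD, per_client} - {None}
    if password is None or password not in allowed:
        return False, "bad password for %s" % name
    if mode == "bootstrap":
        bootstrapped.add(name)   # the single allowed password run is now spent
    return True, "password"


if __name__ == "__main__":
    clients, seen = load_clients(), set()
    for label, kw in [
        ("cluster node, global password", dict(address="10.0.0.11", password=GLOBAL_PASSWORD)),
        ("NAT client without uuid", dict(address="203.0.113.9", password="nat-only")),
        ("NAT client, uuid + per-client password",
         dict(address="203.0.113.9", user="4e8a1f2c-0001", password="nat-only")),
        ("floating laptop, any address",
         dict(address="198.51.100.4", user="4e8a1f2c-0002", password=GLOBAL_PASSWORD)),
        ("secure, no per-client password", dict(address="10.0.0.70", password=GLOBAL_PASSWORD)),
        ("auth='cert' without certificate", dict(address="10.0.0.50", password=GLOBAL_PASSWORD)),
        ("auth='cert', CN == FQDN", dict(address="10.0.0.50", cert_cn="testclient.example.com")),
        ("bootstrap, first run", dict(address="10.0.0.60", password=GLOBAL_PASSWORD, bootstrapped=seen)),
        ("bootstrap, second run", dict(address="10.0.0.60", password=GLOBAL_PASSWORD, bootstrapped=seen)),
    ]:
        print("%-40s %s" % (label, authenticate(clients, **kw)))
```

<p>Running the script prints one line per scenario: the cluster node authenticates with the global password; the NAT client is rejected without its uuid (reverse DNS of the NAT address names the gateway, which has no record) and accepted only with its uuid and per-client password; the floating laptop is accepted from any address; the secure client without a per-client password is never accepted; the <tt class="docutils literal"><span class="pre">auth='cert'</span></tt> client is accepted only when the certificate CN equals its FQDN; and the bootstrap client is accepted with a password once and afterwards only with a certificate.</p> <p>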
This behavior can be controlled through the use of the auth attribute in <tt class="docutils literal"><span class="pre">Metadata/clients.xml</span></tt>:</p> <div class="highlight-python"><pre><Clients> <Client name='testclient' auth='cert'/> </Clients></pre> </div> <p>Allowed values are:</p> <blockquote> <div><table border="1" class="docutils"> <colgroup> <col width="26%" /> <col width="74%" /> </colgroup> <thead valign="bottom"> <tr class="row-odd"><th class="head"><strong>Auth Type</strong></th> <th class="head"><strong>Meaning</strong></th> </tr> </thead> <tbody valign="top"> <tr class="row-even"><td>cert</td> <td>Certificates must be used</td> </tr> <tr class="row-odd"><td>cert+password</td> <td>Certificate or password may be used</td> </tr> <tr class="row-even"><td>bootstrap</td> <td>Password can be used for one client run, after that certificate is required</td> </tr> </tbody> </table> </div></blockquote> </div> </div> </div> </div> </div> <div class="sphinxsidebar"> <div class="sphinxsidebarwrapper"> <h3><a href="../../index.html">Table Of Contents</a></h3> <ul> <li><a class="reference internal" href="#">Authentication</a><ul> <li><a class="reference internal" href="#scenarios">Scenarios</a></li> <li><a class="reference internal" href="#building-bcfg2-conf-automatically">Building bcfg2.conf automatically</a></li> <li><a class="reference internal" href="#how-authentication-works">How Authentication Works</a></li> <li><a class="reference internal" href="#ssl-cert-based-client-authentication">SSL Cert-based client authentication</a></li> </ul> </li> </ul> <h4>Previous topic</h4> <p class="topless"><a href="../guides.html" title="previous chapter">Guides</a></p> <h4>Next topic</h4> <p class="topless"><a href="bootstrap.html" title="next chapter">Bootstrap</a></p> <h3>This Page</h3> <ul class="this-page-menu"> <li><a href="../../_sources/appendix/guides/authentication.txt" rel="nofollow">Show Source</a></li> </ul> <div id="searchbox" style="display: none"> 
</div> </div> </div> <div class="clearer"></div> </div> <div class="footer"> © Copyright 2009-2013, Narayan Desai. Last updated on Mar 20, 2013. Created using <a href="http://sphinx.pocoo.org/">Sphinx</a> 1.1.3. </div> </body> </html>