F OpenNebula/one#6430: Sunstone review of auth and config (#2973)

Signed-off-by: dcarracedo <[email protected]>

source/installation_and_configuration/authentication/index.rst

@@ -11,5 +11,4 @@ Authentication Configuration
    SSH Authentication <ssh>
    X.509 Authentication <x509>
    LDAP Authentication <ldap>
-   Sunstone Authentication <sunstone>
-   FireEdge Authentication <fireedge>
+   Sunstone Authentication <sunstone_auth>

source/installation_and_configuration/authentication/ldap.rst

@@ -296,20 +296,14 @@ Each group in OpenNebula can have its :ref:`admins <manage_groups_permissions>`
 Enabling LDAP auth in Sunstone
 ==============================
 
-Update the ``/etc/one/sunstone-server.conf`` ``:auth`` parameter to use ``opennebula``:
+Update the ``/etc/one/fireedge-server.conf`` ``:auth`` parameter to use ``opennebula``:
 
 .. code-block:: yaml
 
         :auth: opennebula
 
 Using this method, the credentials provided in the login screen will be sent to the OpenNebula core, and the authentication will be delegated to the OpenNebula auth system using the specified driver for that user. Therefore any OpenNebula auth driver can be used through this method to authenticate the user (e.g. LDAP).
 
-To automatically encode credentials as explained in the :ref:`DN's with special characters <ldap_dn_with_special_characters>` section, also add this parameter to the sunstone configuration:
-
-.. code-block:: yaml
-
-        :encode_user_password: true
-
 Multiple LDAP servers: Order vs. Regex Match
 ============================================
 

source/installation_and_configuration/authentication/overview.rst

@@ -26,13 +26,13 @@ You can choose from the following authentication drivers to access OpenNebula fr
 
 By default, any authentication driver configured to work with OpenNebula can be used out-of-the-box with Sunstone. Additionally you can add a TLS-proxy to secure the Sunstone. See:
 
-- :ref:`Sunstone Authentication <sunstone>`
+- :ref:`Sunstone Authentication <sunstone_auth>`
 
 **c) Server Authentication**
 
 This method is designed to delegate the authentication process to high level tools interacting with OpenNebula. You'll be interested in this method if you are developing your own servers.
 
-OpenNebula ships with two GUI servers - :ref:`Sunstone <sunstone>` and :ref:`FireEdge <fireedge_setup>`. When a user interacts with one of them, the server authenticates the request and then forwards the requested operation to the OpenNebula Daemon. The forwarded requests are encrypted using a symmetric key. The following guide shows how to strengthen the security of these requests using X.509 certificates. This is especially relevant if you are running your server in a machine other than the Front-end.
+OpenNebula ships with a GUI server - :ref:`Sunstone <fireedge_setup>`. When a user interacts with one of them, the server authenticates the request and then forwards the requested operation to the OpenNebula Daemon. The forwarded requests are encrypted using a symmetric key. The following guide shows how to strengthen the security of these requests using X.509 certificates. This is especially relevant if you are running your server in a machine other than the Front-end.
 
 - :ref:`Cloud Servers Authentication <cloud_auth>`
 
@@ -52,11 +52,7 @@ Usable only with API and CLI:
 
 Usable only with Sunstone:
 
-* :ref:`X.509 Authentication <x509_auth>`
-* :ref:`Sunstone Authentication <suns_auth>`
-
-Usable only with FireEdge:
-* :ref:`FireEdge Authentication <fireedge_auth>`
+* :ref:`Sunstone Authentication <sunstone_auth>`
 
 Hypervisor Compatibility
 ================================================================================

source/installation_and_configuration/authentication/fireedge.rst → source/installation_and_configuration/authentication/sunstone_auth.rst

@@ -1,16 +1,16 @@
-.. _fireedge_auth:
+.. _sunstone_auth:
 
 =======================
-FireEdge Authentication
+Sunstone Authentication
 =======================
 
-By default, FireEdge works with the default ``core`` authentication method (user and password) although you can configure any authentication mechanism supported by OpenNebula. In this section, you will learn how to enable other authentication.
+By default, Sunstone works with the default ``core`` authentication method (user and password) although you can configure any authentication mechanism supported by OpenNebula. In this section, you will learn how to enable other authentication.
 
-* **Web client and FireEdge server**. Authentication is based on the credentials stored in the OpenNebula database for the user. Depending on the type of these credentials the authentication method can be: ``remote``or ``opennebula``
+* Authentication is based on the credentials stored in the OpenNebula database for the user. Depending on the type of these credentials the authentication method can be: ``remote``or ``opennebula``
 
-The following sections explain the client-to-FireEdge server authentication methods.
+The following sections explain the client to Sunstone server authentication methods.
 
-.. _basic_auth_fireedge:
+.. _suntone_basic_auth:
 
 Basic Auth
 ===========
@@ -21,7 +21,7 @@ In the basic mode, username and password are matched to those in OpenNebula's da
 
     :auth: opennebula
 
-.. _remote_auth_fireedge:
+.. _sunstone_remote_auth:
 
 Remote Auth
 ===========
@@ -50,29 +50,29 @@ To enable this login method, set the ``:auth:`` option in ``/etc/one/fireedge-se
 
 The login screen will not display the username and password fields anymore, as all information is fetched from the user certificate:
 
-|fireedge_remote_login|
+|sunstone_remote_login|
 
-Note that OpenNebula will not verify that the user holds a valid certificate at the time of login: this is expected to be done by the external container of the FireEdge server (normally Apache), whose job is to tell the user's browser that the site requires a user certificate and to check that the certificate is consistently signed by the chosen Certificate Authority (CA). The setup with Apache/SAML is the more common and tested. However, it can rely on Apache/Nginx for OIDC.
+Note that OpenNebula will not verify that the user holds a valid certificate at the time of login: this is expected to be done by the external container of the Sunstone server (normally Apache), whose job is to tell the user's browser that the site requires a user certificate and to check that the certificate is consistently signed by the chosen Certificate Authority (CA). The setup with Apache/SAML is the more common and tested. However, it can rely on Apache/Nginx for OIDC.
 
-.. warning:: The FireEdge authentication only handles the authentication of the user at the time of login. Authentication of the user certificate is a complementary setup, which can rely on Apache.
+.. warning:: The Sunstone authentication only handles the authentication of the user at the time of login. Authentication of the user certificate is a complementary setup, which can rely on Apache.
 
-.. _ldap_auth_fireedge:
+.. _sunstone_ldap_auth:
 
 LDAP/AD Auth
 ============
 
 This method performs the OpenNebula login by delegating the authentication on a specific LDAP/AD server or several servers. 
 
-No special configuration is needed in FireEdge, the authentication method should be kept as 'opennebula' like in the :ref:`Basic Auth case<remote_auth_fireedge>`. However, this needs to be set up in the OpenNebula core side, to set up the ldap configuration this :ref:`guide <ldap>` needs to be followed.
+No special configuration is needed in Sunstone, the authentication method should be kept as 'opennebula' like in the :ref:`Basic Auth case <suntone_basic_auth>`. However, this needs to be set up in the OpenNebula core side, to set up the ldap configuration this :ref:`guide <ldap>` needs to be followed.
 
-.. _2f_auth_fireedge:
+.. _sunstone_2f_auth:
 
 Two Factor Authentication
 =========================
 
 You can get an additional authentication level by using a two-factor authentication that not only requests the username and password but also the one-time (or pre-generated security) keys generated by an authenticator application.
 
-|fireedge_2fa_auth|
+|sunstone_2fa_auth|
 
 Authenticator App
 ------------------
@@ -81,27 +81,27 @@ This method requires a token generated by any of these applications: `Google Aut
 
 To enable this, you must follow these steps:
 
--  Log in to FireEdge and select menu **Setting**. Inside, find the section **Two Factor Authentication**.
+-  Log in to Sunstone and select menu **Settings**. Inside, find the section **Two Factor Authentication**.
 -  Inside, find and select the button **Register authenticator App**.
 
-|fireedge_setting_auth|
+|sunstone_setting_auth|
 
 -  Scan the Qr code with the aforementioned apps and enter the verification code.
 
-|fireedge_setting_tfa_app|
+|sunstone_setting_tfa_app|
 
 Internally Sunstone adds the field ``TWO_FACTOR_AUTH_SECRET``.
 
-|fireedge_template_user_auth|
+|sunstone_template_user_auth|
 
 -  To disable 2FA, go to the **Settings**, find the section **Two Factor Authentication** tab and click remove button.
 
-|fireedge_settings_2fa_dissable|
+|sunstone_settings_2fa_dissable|
 
 
-.. |fireedge_remote_login| image:: /images/fireedge_login_remote.png
-.. |fireedge_2fa_auth| image:: /images/fireedge_login_2fa.png
-.. |fireedge_setting_auth| image:: /images/fireedge-settings-auth.png
-.. |fireedge_setting_tfa_app| image:: /images/fireedge-settings-2fa-app.png
-.. |fireedge_template_user_auth| image:: /images/fireedge-template-user-auth.png
-.. |fireedge_settings_2fa_dissable| image:: /images/fireedge-settings-2fa-dissable.png
+.. |sunstone_remote_login| image:: /images/sunstone_login_remote.png
+.. |sunstone_2fa_auth| image:: /images/sunstone_login_2fa.png
+.. |sunstone_setting_auth| image:: /images/sunstone-settings-auth.png
+.. |sunstone_setting_tfa_app| image:: /images/sunstone-settings-2fa-app.png
+.. |sunstone_template_user_auth| image:: /images/sunstone-template-user-auth.png
+.. |sunstone_settings_2fa_dissable| image:: /images/sunstone-settings-2fa-dissable.png

source/installation_and_configuration/authentication/x509.rst

@@ -159,12 +159,3 @@ Follow these steps to change oneadmin's authentication method to ``x509``:
 .. prompt:: bash $ auto
 
     $ export ONE_AUTH=/home/oneadmin/.one/one_x509
-
-Enabling x509 in Sunstone
-=========================
-
-In ``/etc/one/sunstone-server.conf`` update parameter ``:auth`` to ``x509``:
-
-.. code-block:: yaml
-
-    :auth: x509

source/installation_and_configuration/configuration_management/appendix.rst

@@ -41,10 +41,6 @@ Name                                                               Type
 ``/etc/one/onehem-server.conf``                                    YAML
 ``/etc/one/packet_driver.default``                                 Plain file (or XML)
 ``/etc/one/sched.conf``                                            oned.conf-like
-``/etc/one/sunstone-logos.yaml``                                   YAML w/ ordered arrays
-``/etc/one/sunstone-server.conf``                                  YAML
-``/etc/one/sunstone-views.yaml``                                   YAML
-``/etc/one/sunstone-views/**/*.yaml``                              YAML
 ``/etc/one/tmrc``                                                  Shell
 ``/etc/one/vcenter_driver.conf``                                   YAML
 ``/etc/one/vcenter_driver.default``                                Plain file (or XML)

source/installation_and_configuration/configuration_management/conflicts.rst

@@ -88,11 +88,11 @@ Example of multiple patch modes for multiple files:
     # onecfg upgrade \
         --patch-modes skip:/etc/one/oned.conf \
         --patch-modes skip,replace:/etc/one/oned.conf:5.10.0 \
-        --patch-modes force:/etc/one/sunstone-logos.yaml:5.6.0 \
-        --patch-modes replace:/etc/one/sunstone-server.conf \
-        --patch-modes skip:/etc/one/sunstone-views/admin.yaml:5.4.1 \
-        --patch-modes skip:/etc/one/sunstone-views/admin.yaml:5.4.2 \
-        --patch-modes skip:/etc/one/sunstone-views/kvm/admin.yaml
+        --patch-modes force:/etc/one/fireedge/sunstone-views.yaml:5.6.0 \
+        --patch-modes replace:/etc/one/fireedge-server.conf \
+        --patch-modes skip:/etc/one/fireedge/sunstone/admin/acl-tab.yaml:5.4.1 \
+        --patch-modes skip:/etc/one/fireedge/sunstone/admin/vm-tab.yaml:5.4.2 \
+        --patch-modes skip:/etc/one/fireedge/sunstone/admin/vm-template-tab.yaml
 
 Restore from Backup
 ===================

source/installation_and_configuration/configuration_management/diff_formats.rst

@@ -79,17 +79,16 @@ these paths are valid to address the emphasized parameters:
 
 	In the ``oned.conf``-like configurations, some nested structures are unique (e.g., ``DB=[...]`` is just a single database connection configuration) and some can appear several times (e.g., ``VM_MAD=[...]`` configures execution of different drivers for different hypervisors, one section for each driver). In the second case, the nested structure is uniquely addressed by a value of one identifying parameter inside the structure, usually ``NAME``. This value (including the quotes) is placed as part of the path. See path 3 above.
 
-- for the following ``/etc/one/sunstone-server.conf`` snippet
+- for the following ``/etc/one/fireedge-server.conf`` snippet
 
 .. code::
 
-    # OpenNebula sever contact information
+    # OpenNebula: use it if you have oned and fireedge on different servers
     :one_xmlrpc: http://localhost:2633/RPC2     # path 4
-    :one_xmlrpc_timeout: 60
 
 these paths are valid to address the emphasized parameter(s):
 
-  4. ``:one_xmlrpc`` or ``":one_xmlrpc"``
+  1. ``:one_xmlrpc`` or ``":one_xmlrpc"``
 
 - for the following ``/etc/one/cli/oneimage.yaml`` snippet
 

source/integration_and_development/references/cloud_auth.rst

@@ -147,4 +147,4 @@ Two Factor Authentication
 -------------------------
 
 To use 2FA in Sunstone see the following :ref:`link <2f_auth>`
-To use 2FA in FireEdge see the following :ref:`link <2f_auth_fireedge>`
+To use 2FA in FireEdge see the following :ref:`link <sunstone_2f_auth>`

source/legacy_components/ruby_sunstone/index.rst

@@ -13,3 +13,4 @@ Ruby Sunstone
    Sunstone Labels <ruby_sunstone_labels>
    Sunstone views <ruby_sunstone_views>
    Cloud view <ruby_sunstone_cloud_view>
+   Sunstone Authentication <ruby_sunstone_authentication>

source/installation_and_configuration/authentication/sunstone.rst → source/legacy_components/ruby_sunstone/ruby_sunstone_authentication.rst

@@ -1,4 +1,4 @@
-.. _suns_auth:
+.. _ruby_sunstone_authentication:
 
 =======================
 Sunstone Authentication
@@ -164,10 +164,10 @@ This allows us to use e.g. U2F/FIDO2 authentication keys. In this case, to enabl
 
 |sunstone_settings_2fa_keys|
 
-.. |image0| image:: /images/sunstone_login_x5094.png
-.. |sunstone_settings_auth| image:: /images/sunstone-settings-auth.png
-.. |sunstone_settings_2fa_app| image:: /images/sunstone-settings-2fa-app.png
-.. |sunstone_settings_2fa_keys| image:: /images/sunstone-settings-2fa-keys.png
-.. |sunstone_settings_2fa_result| image:: /images/sunstone-settings-2fa-result.png
-.. |sunstone_settings_2fa_login| image:: /images/sunstone-settings-2fa-login.png
-.. |sunstone_template_user_auth| image:: /images/sunstone-template-user-auth.png
+.. |image0| image:: /images/ruby_sunstone_login_x5094.png
+.. |sunstone_settings_auth| image:: /images/ruby_sunstone-settings-auth.png
+.. |sunstone_settings_2fa_app| image:: /images/ruby_sunstone-settings-2fa-app.png
+.. |sunstone_settings_2fa_keys| image:: /images/ruby_sunstone-settings-2fa-keys.png
+.. |sunstone_settings_2fa_result| image:: /images/ruby_sunstone-settings-2fa-result.png
+.. |sunstone_settings_2fa_login| image:: /images/ruby_sunstone-settings-2fa-login.png
+.. |sunstone_template_user_auth| image:: /images/ruby_sunstone-template-user-auth.png

source/management_and_operations/end-user_web_interfaces/fireedge_sunstone.rst

@@ -102,7 +102,7 @@ From this section, users can define multiple configuration options for themselve
 - **SSH Private key**: allows the user to specify a private SSH key that they can use when establishing connections with their VMs.
 - **SSH Private key passphrase**: if the private SSH key is encrypted, the user must specify the password.
 - **Login token**: allows to create a new token for the user.
-- **Two Factor Authentication**: allows to register an app to perform :ref:`Two Factor Authentication <2f_auth_fireedge>`.
+- **Two Factor Authentication**: allows to register an app to perform :ref:`Two Factor Authentication <sunstone_2f_auth>`.
 
 .. note:: All the configurations set in this section will be in the user template.