External Auth 3.2

By default, OpenNebula comes with an internal user/password authentication system and an ACL authorization system; see the [[.:auth_overview|Users & Groups Subsystem guide]] for more information. You can enable the external Authentication and Authorization drivers to strengthen the security of your cloud.

{{INLINETOC}}

====== Authentication ======

{{ documentation:rel3.2:auth_options_350.png}}

The figure to the right shows the three authentication configurations you can customize in OpenNebula.

===== a) CLI Authentication =====

You can choose from the following authentication drivers to access OpenNebula from the command line:

  * [[.:ssh_auth|SSH Authentication]]
  * [[.:x509_auth|X509 Authentication]]

===== b) Sunstone Authentication =====

By default, users with the "core" authentication driver (user/password) can log in to Sunstone. You can enable users with the "x509" authentication driver to log in using an external **SSL proxy** (e.g. Apache).

Proceed to the Sunstone documentation to configure the x509 access:

  * [[.:sunstone#authentication_methods|Sunstone Authentication Methods]]

===== c) Servers Authentication =====

OpenNebula ships with three servers: [[.:sunstone|Sunstone]], [[.:ec2qcg|EC2]] and [[.:occicg|OCCI]]. When a user interacts with one of them, the server authenticates the request and then forwards the requested operation to the OpenNebula daemon.

The forwarded requests are encrypted by default using a symmetric key mechanism. The following guide shows how to strengthen the security of these requests using x509 certificates. This is especially relevant if you are running your server on a machine other than the frontend.

  * [[.:cloud_auth|Cloud Services Authentication]]

====== Authorization ======

Please proceed to the following guides to learn more:

  * [[.:quota_auth|Quota based Authorization]]