Orion software - pepProxy

I am part of a team that is developing an application using FIWARE GEs, as part of the Smart-AgriFood accelerator. We are using the Orion Context Broker to collect the data provided by the sensor network, and we intend to use a PEP Proxy to authenticate the sensor nodes that access the Orion instance. We tried the following PEP proxies:

https://github.com/telefonicaid/fiware-orion-pep

https://github.com/ging/fi-ware-pep-proxy

We only had success with the second implementation (fi-ware-pep-proxy). With fiware-orion-pep we were unable to connect to the global Keystone instance (account.lab.fi-ware.org); we tried account.lab ... and cloud.lab ... My questions are:

1) Is the key (IDM) instance for authentication account.lab or cloud.lab, and which address and port should be used?

2) Is fiware-orion-pep prepared for authentication against account.lab.fi-ware.org? This is why I ask:

This body works with the curl command against -> cloud.lab.fiware.org:4730/v2.0/tokens

{
    "auth": {
        "passwordCredentials": {
            "username": "<my_user>",
            "password": "<my_password>"
        }
    }
}

This one doesn't work with thorn on page -> account.lab.fi-ware.org:5000/v3/auth/tokens

{
    "auth": {
        "identity": {
            "methods": [
                "password"
            ],
            "password": {
                "user": {
                    "domain": {
                        "name": "<my_domain>"
                    },
                    "name": "<my_user>",
                    "password": "<my_password>"
                }
            }
        }
    }
}

3) Which implementation should I be using to authenticate devices or other calls to the Orion instance?

Here is the configuration I used:

fiware-orion-pep:

config.authentication = {
    checkHeaders: true,
    module: 'keystone',
    user: '<my_user>',
    password: '<my_password>',
    domainName: '<my_domain>',
    retries: 3,
    cacheTTLs: {
        users: 1000,
        projectIds: 1000,
        roles: 60
    },
    options: {
        protocol: 'http',
        host: 'account.lab.fiware.org',
        port: 5000,
        path: '/v3/role_assignments',
        authPath: '/v3/auth/tokens'
    }
};


fi-ware-pep-proxy (this one works); I set the listen port to 1026 in the source code:

var config = {};

config.account_host = 'https://account.lab.fiware.org';

config.keystone_host = 'cloud.lab.fiware.org';
config.keystone_port = 4731;

config.app_host = 'localhost';
config.app_port = '10026';

config.username = 'pepProxy';
config.password = 'pepProxy';

// in seconds
config.chache_time = 300;
config.check_permissions = false;

config.magic_key = undefined;

module.exports = config;


Thanks in advance for the time ... :)

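The two token requests quoted in the question, as an added example that is not code from the original post or from either PEP proxy project: a small Python probe that builds the v2.0 and v3 password payloads, POSTs them, and shows where each API version returns the token (v2.0 in the JSON body under access.token.id with HTTP 200, v3 in the X-Subject-Token response header with HTTP 201). The base URL, user, password and domain are assumed placeholders supplied on the command line; the endpoint paths are the ones from the question.

```python
"""Probe a Keystone endpoint with the v2.0 and v3 password flows.

Added example (not code from the original post or from either PEP proxy).
Assumed: endpoint paths /v2.0/tokens and /v3/auth/tokens as in the question;
credentials and base URL are placeholders supplied on the command line.
"""
import json
import sys
import urllib.error
import urllib.request


def build_v2_payload(username, password):
    # v2.0 body: the one that worked against cloud.lab.fiware.org:4730 in the question
    return {"auth": {"passwordCredentials": {"username": username,
                                             "password": password}}}


def build_v3_payload(username, password, domain_name):
    # v3 body: the user is identified by name *within a domain*, so the domain
    # name must match the one the account belongs to or Keystone answers 401
    return {"auth": {"identity": {
        "methods": ["password"],
        "password": {"user": {"domain": {"name": domain_name},
                              "name": username,
                              "password": password}}}}}


def extract_token(version, status, headers, body):
    """Return the token string or None. `headers` keys must be lowercase."""
    if version == "v2.0":
        if status != 200:
            return None
        try:
            return json.loads(body)["access"]["token"]["id"]
        except (ValueError, KeyError, TypeError):
            return None
    if version == "v3":
        # v3 answers 201 Created and carries the token in a header, not the body
        if status != 201:
            return None
        return headers.get("x-subject-token")
    raise ValueError("unsupported Keystone API version: %r" % version)


def authenticate(base_url, version, username, password, domain_name="Default",
                 timeout=15):
    """POST the password payload; return (http_status, token_or_None)."""
    if version == "v2.0":
        path, payload = "/v2.0/tokens", build_v2_payload(username, password)
    elif version == "v3":
        path, payload = "/v3/auth/tokens", build_v3_payload(username, password,
                                                            domain_name)
    else:
        raise ValueError("unsupported Keystone API version: %r" % version)
    req = urllib.request.Request(base_url.rstrip("/") + path,
                                 data=json.dumps(payload).encode("utf-8"),
                                 headers={"Content-Type": "application/json"},
                                 method="POST")
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            status = resp.getcode()
            headers = {k.lower(): v for k, v in resp.headers.items()}
            body = resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        # 401: credentials or domain rejected; 500: Keystone-side failure, which
        # the PEP surfaces as KEYSTONE_AUTHENTICATION_ERROR
        status = err.code
        headers = {k.lower(): v for k, v in err.headers.items()}
        body = err.read().decode("utf-8", "replace")
    return status, extract_token(version, status, headers, body)


if __name__ == "__main__":
    # usage: probe.py BASE_URL v2.0|v3 USER PASSWORD [DOMAIN]
    if len(sys.argv) < 5:
        sys.exit("usage: probe.py BASE_URL v2.0|v3 USER PASSWORD [DOMAIN]")
    base, ver, user, pw = sys.argv[1:5]
    dom = sys.argv[5] if len(sys.argv) > 5 else "Default"
    code, token = authenticate(base, ver, user, pw, dom)
    # never print the token itself; its presence and length are enough
    print("HTTP %d, token %s" % (code, ("received (%d chars)" % len(token)) if token else "absent"))
```

Running the probe directly against each candidate host and port separates the cases the PEP's generic error hides: a 401 means the endpoint is right but the user, password or domain name is not, while a connection error or 500 means the host, port or API version does not match what the proxy config points at.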


2 answers


There are currently some differences in how the PEP proxies authenticate and are checked against the global instance, so they don't behave exactly the same.

The telefonicaid / fiware-orion-pep proxy has been developed to meet the PEP proxy requirements (Keystone and Access Control authentication and compliance) of individual projects with their own Keystone and Keypass (Access Control) settings, and therefore it evolves faster than ging / fi-ware-pep-proxy and in a slightly different direction. As an example, the former supports multitasking using the fiware-service and fiware-servicepath headers, while the latter is transparent to these mechanisms. This direction of development also meant that the functionality was, from time to time, slightly different from what is in the global instance.

That being said, the concrete answer is:

- Both PEP proxies must be able to communicate with the global instance. If one doesn't, please submit a bug in the GitHub repository and we'll fix it as soon as possible.
- The ging / fi-ware-pep-proxy was specifically designed to access the global instance, so you should use it as expected.



Please also note, if you try to continue with telefonicaid / fiware-orion-pep:

- The authentication.checkHeaders configuration flag must be false, as the global instance does not currently support layering.
- The current stable version (0.5.0) is about to change to the next version (maybe today), so maybe some issues will be resolved with the update.

Hopefully this clears up some of your doubts.



[EDIT]

1) I have already installed telefonicaid / fiware-orion-pep (v0.6.0) from sources and from the rpm package created following the tutorial available on GitHub. When the rpm package is created, it gets the following name: pep-proxy-0.4.0_next-0.noarch.rpm.

2) Here is the configuration I used:

/opt/fiware-orion-pep/config.js

var config = {};

config.resource = {
    original: {
        host: 'localhost',
        port: 10026
    },
    proxy: {
        port: 1026,
        adminPort: 11211
    }
};

config.authentication = {
    checkHeaders: false,
    module: 'keystone',
    user: '<##################>',
    password: '<###################>',
    domainName: 'admin_domain',
    retries: 3,
    cacheTTLs: {
        users: 1000,
        projectIds: 1000,
        roles: 60
    },
    options: {
        protocol: 'http',
        host: 'cloud.lab.fiware.org',
        port: 4730,
        path: '/v3/role_assignments',
        authPath: '/v3/auth/tokens'
    }
};

config.ssl = {
    active: false,
    keyFile: '',
    certFile: ''
};

config.logLevel = 'DEBUG';

// List of component middlewares
config.middlewares = {
    require: 'lib/plugins/orionPlugin',
    functions: [
        'extractCBAction'
    ]
};

config.componentName = 'orion';
config.resourceNamePrefix = 'fiware:';

config.bypass = false;

config.bypassRoleId = '';

module.exports = config;

/etc/sysconfig/pepProxy

# General Configuration
############################################################################

# Port where the proxy will listen for requests
PROXY_PORT=1026

# User to execute the PEP Proxy with
PROXY_USER=pepproxy

# Host where the target Context Broker is located
# TARGET_HOST=localhost

# Port where the target Context Broker is listening
# TARGET_PORT=10026

# Maximum level of logs to show (FATAL, ERROR, WARNING, INFO, DEBUG)
LOG_LEVEL=DEBUG

# Indicates what component plugin should be loaded with this PEP: orion, keypass, perseo
COMPONENT_PLUGIN=orion

#
# Access Control Configuration
############################################################################

# Host where the Access Control (the component who knows the policies for the incoming requests) is located
# ACCESS_HOST=

# Port where the Access Control is listening
# ACCESS_PORT=

# Host where the authentication authority for the Access Control is located
# AUTHENTICATION_HOST=

# Port where the authentication authority is listening
# AUTHENTICATION_PORT=

# User name of the PEP Proxy in the authentication authority
PROXY_USERNAME=XXXXXXXXXXXXX

# Password of the PEP Proxy in the Authentication authority
PROXY_PASSWORD=XXXXXXXXXXXXX


In the above files, I've tried the following options:

Keystone instance: account.lab.fiware.org or cloud.lab.fiware.org

User: pep or pepProxy or "user from dummy account"

Pass: pep or pepProxy or "user password from account"

Port: 4730, 4731, 5000

The result is the same as before ... telefonicaid / fiware-orion-pep cannot authenticate:

Log file at /var/log/pepProxy/pepProxy:
time=2015-04-13T14:49:24.718Z | lvl=ERROR | corr=71a34c8b-10b3-40a3-be85-71bd3ce34c8a | trans=71a34c8b-10b3-40a3-be85-71bd3ce34c8a | op=/v1/updateContext | msg=VALIDATION-GEN-003] Error connecting to Keystone authentication: KEYSTONE_AUTHENTICATION_ERROR: There was a connection error while authenticating to Keystone: 500
time=2015-04-13T14:49:24.721Z | lvl=DEBUG | corr=71a34c8b-10b3-40a3-be85-71bd3ce34c8a | trans=71a34c8b-10b3-40a3-be85-71bd3ce34c8a | op=/v1/updateContext | msg=response-time: 50745 statusCode: 500


From the client console:

{
    "message": "There was a connection error while authenticating to Keystone: 500", 
    "name": "KEYSTONE_AUTHENTICATION_ERROR"
}


Am I doing something wrong here?

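A small parser for the PEP log format quoted above, added here as an example that is not part of the original post or of fiware-orion-pep itself: it splits the pipe-delimited key=value lines, groups them by corr id, and pulls out the Keystone error name, status code and response time, so an operator can tell a Keystone connectivity failure (client sees a 500 after a long wait) from a credentials rejection. The first two sample lines are the ones from the post; the third is constructed for contrast. Treating response-time as milliseconds and the 5000 ms "slow" threshold are assumptions.

```python
"""Summarise fiware-orion-pep log lines per request (corr id).

Added example, not part of the original post or of fiware-orion-pep.
Assumed: field layout as in the two quoted lines; response-time in ms;
the 5000 ms slow threshold is an arbitrary choice.
"""
import re

# Constructed sample: the two lines quoted in the post plus one healthy request
SAMPLE_LOG = """\
time=2015-04-13T14:49:24.718Z | lvl=ERROR | corr=71a34c8b-10b3-40a3-be85-71bd3ce34c8a | trans=71a34c8b-10b3-40a3-be85-71bd3ce34c8a | op=/v1/updateContext | msg=VALIDATION-GEN-003] Error connecting to Keystone authentication: KEYSTONE_AUTHENTICATION_ERROR: There was a connection error while authenticating to Keystone: 500
time=2015-04-13T14:49:24.721Z | lvl=DEBUG | corr=71a34c8b-10b3-40a3-be85-71bd3ce34c8a | trans=71a34c8b-10b3-40a3-be85-71bd3ce34c8a | op=/v1/updateContext | msg=response-time: 50745 statusCode: 500
time=2015-04-13T14:50:01.002Z | lvl=DEBUG | corr=0f0f0f0f-constructed-0000-000000000001 | trans=0f0f0f0f-constructed-0000-000000000001 | op=/v1/updateContext | msg=response-time: 120 statusCode: 200
"""

RESPONSE_RE = re.compile(r"response-time:\s*(\d+)\s+statusCode:\s*(\d+)")
KEYSTONE_ERR_RE = re.compile(r"Error connecting to Keystone authentication: (\w+)")


def parse_line(line):
    """Split 'k=v | k=v' into a dict; only the first '=' of each part separates key and value."""
    fields = {}
    for part in line.rstrip("\n").split(" | "):
        key, sep, value = part.partition("=")
        if sep:
            fields[key] = value
    return fields


def summarize(log_text, slow_ms=5000):
    """Group lines by corr id; return corr -> {op, error, status, response_ms, slow}."""
    requests = {}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        fields = parse_line(line)
        corr = fields.get("corr")
        if corr is None:
            continue
        rec = requests.setdefault(corr, {"op": fields.get("op"), "error": None,
                                         "status": None, "response_ms": None,
                                         "slow": False})
        msg = fields.get("msg", "")
        err = KEYSTONE_ERR_RE.search(msg)
        if fields.get("lvl") == "ERROR" and err:
            # name of the failure the PEP hit on its own hop to Keystone
            rec["error"] = err.group(1)
        done = RESPONSE_RE.search(msg)
        if done:
            rec["response_ms"] = int(done.group(1))
            rec["status"] = int(done.group(2))
            rec["slow"] = rec["response_ms"] >= slow_ms
    return requests


def keystone_failures(log_text):
    """corr ids of requests that failed between the PEP and Keystone (client saw 500)."""
    return sorted(corr for corr, rec in summarize(log_text).items()
                  if rec["error"] == "KEYSTONE_AUTHENTICATION_ERROR")


def report(log_text):
    """One line per request, suitable for a quick grep or a dashboard feed."""
    lines = []
    for corr, rec in sorted(summarize(log_text).items()):
        lines.append("%s op=%s status=%s response_ms=%s error=%s%s" % (
            corr, rec["op"], rec["status"], rec["response_ms"], rec["error"],
            " SLOW" if rec["slow"] else ""))
    return lines


if __name__ == "__main__":
    for line in report(SAMPLE_LOG):
        print(line)
```

The pairing that matters is error name plus timing: a KEYSTONE_AUTHENTICATION_ERROR that arrives after roughly 50 seconds, with a 500 handed back to the client, looks like the proxy timing out or failing to connect on its way to Keystone (the config above retries three times), not like Keystone rejecting the user, which would come back quickly as a 401. Feeding the proxy log through this kind of summary before changing hosts and ports avoids guessing among account.lab, cloud.lab and the three ports.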

