====== AAI integrations in Openstack Ocata (Work In Progress)====== Authors: Paolo Andreetto (INFN Padova) ==== Requirements ==== * CentOS Linux release 7.4 * Openstack "Ocata" version or above ==== X509 support ==== Install the EUGridPMA packages


wget -O /etc/yum.repos.d/EGI-trustanchors.repo http://repository.egi.eu/sw/production/cas/1/current/repo-files/EGI-trustanchors.repo
yum -y install ca-policy-egi-core fetch-crl

Start the cron service:


systemctl enable fetch-crl-cron && systemctl start fetch-crl-cron

==== Shibboleth installation ==== Install the required modules


wget -O /etc/yum.repos.d/shibboleth.repo http://download.opensuse.org/repositories/security://shibboleth/CentOS_7/security:shibboleth.repo
yum -y install shibboleth

Deploy the service certificate file in ///etc/shibboleth/sp-cert.pem// and the related service key file in ///etc/shibboleth/sp-key.pem//. Change the ownership and permissions for those files:


chmod 400 /etc/shibboleth/sp-key.pem
chmod 600 /etc/shibboleth/sp-cert.pem
chown shibd.shibd /etc/shibboleth/sp-key.pem
chown shibd.shibd /etc/shibboleth/sp-cert.pem

The file ///etc/shibboleth/shibboleth2.xml// must contain the following definitions:




    

        

            SAML2 SAML1

            SAML2 Local
            
            
                     
            
            
            
        

        
       
        
            
        
        
        
        
        

        
            /etc/shibboleth/sp-key.pem
            
                /etc/shibboleth/sp-cert.pem
                /etc/grid-security/certificates/INFN-CA-2015.pem
            
            
                /etc/grid-security/certificates/49f18420.r0

==== OpenID Connect module installation ==== Install the Apache plugin for OpenID:


yum -y install mod_auth_openidc

Create the configuration file ///etc/httpd/conf.d/auth_openidc.conf// containing the definitions:


OIDCClaimPrefix      "OIDC-"
OIDCMetadataDir      /var/cache/httpd/mod_auth_openidc/metadata
OIDCCryptoPassphrase ********
OIDCRedirectURI      https://cloud-areapd.pd.infn.it/dashboard-openidc/redirect-uri

==== HTTP service’s configuration ==== if the module "apache-ssl" isn't already configured, define the following attributes:


SSLCertificateFile /etc/grid-security/hostcert.pem
SSLCertificateKeyFile /etc/grid-security/hostkey.pem

in the configuration file for SSL apache plugin. In general the file is ''/etc/httpd/conf.d/ssl.conf''. If the dashboard has been deployed using packstack the file is ''/etc/httpd/conf.d/15-horizon_ssl_vhost.conf'' In order to avoid [[https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPApacheConfig|security holes]] it is necessary to activate the [[http://httpd.apache.org/docs/2.4/mod/core.html#usecanonicalname|UseCanonicalName]] option for any virtual host or location protected by shibboleth


ServerName https://cloud-areapd.pd.infn.it
UseCanonicalName On

==== Installation of the AAI integration ==== The repository for Ocata can be downloaded with the command:


wget -O /etc/yum.repos.d/openstack-security-integrations.repo http://igi-01.pd.infn.it/mrepo/CAP/openstack-security-integrations_centos7_ocata.repo

The integration for the project Cloud Area Padovana can be installed with the command:


yum -y install openstack-auth-cap keystone-skey-auth

The integration for the project Cloud Veneto can be installed with the following command:


yum -y install openstack-auth-cedc keystone-skey-auth

=== Setting up the database === In the file ///usr/share/openstack-dashboard/openstack_dashboard/local/local_settings.d/_1000_local_settings.py// define the parameter for the database according to the [[https://docs.djangoproject.com/en/1.4/ref/databases/|Django requirements]]. This snippet is an example for a mysql based installation:


DATABASES = {
    'default': {
        'ENGINE' : 'django.db.backends.mysql',
        'NAME' : 'horizon_aai',
        'USER' : 'horizonaai',
        'PASSWORD' : '*********',
        'HOST' : 'cloud-areapd.pd.infn.it',
        'PORT' : '3306'
    }
}

The database must be created manually and all permissions granted before performing any further action:


create database horizon_aai;
grant all on horizon_aai.* to 'horizonaai'@'cloud-areapd.pd.infn.it' identified by '*********';
grant all on horizon_aai.* to 'horizonaai'@'localhost' identified by '*********';

The database can be populated with the command:


runuser -s /bin/bash -c 'python /usr/share/openstack-dashboard/manage.py migrate' -- apache

The creation of an admin user in the database is not required. === Setting up the notication system === The notification system must be configured according to [[https://docs.djangoproject.com/en/1.4/topics/email/|Django requirements]]. The file to be modified is ///etc/openstack-dashboard/local_settings//. Several notifications are sent directly to site administrators, their addresses must be defined in variable **MANAGERS** This snippet is an example of configuration for accessing a protected SMTP server:


EMAIL_BACKEND = 'django.core.mail.backends.smtp.EmailBackend'
EMAIL_HOST = '****.pd.infn.it'
EMAIL_PORT = 587
EMAIL_HOST_USER = '******'
EMAIL_HOST_PASSWORD = '******'
SERVER_EMAIL = 'cloud@lists.pd.infn.it'
MANAGERS = (('Cloud Support', 'cloud-support@lists.pd.infn.it'),)

=== Configure the INFN IdP === In the virtual host section of the dashboard the following definitions must be declared


WSGIScriptAlias /dashboard-infn "/usr/share/openstack-dashboard/openstack_dashboard/wsgi/django.wsgi"


    AuthType shibboleth
    ShibRequestSetting requireSession 1
    require shib-session
    ShibRequestSetting applicationId default
    ShibRequestSetting entityID https://idp.infn.it/saml2/idp/metadata.php

In the virtual host section of the Keystone service (main) the following definitions must be declared



    AuthType shibboleth
    Require shib-session
    ShibRequestSetting requireSession 1
    ShibRequestSetting applicationId default
    ShibRequestSetting entityID https://idp.infn.it/saml2/idp/metadata.php
    ShibRequireSession On
    ShibExportAssertion Off

If the testing IdP has to be used in the file ///etc/shibboleth/shibboleth2.xml// a new metadata provider in the chain must be defined:

and the entityID is https://idp.infn.it/testing/saml2/idp/metadata.php === Configuration for the UniPD IdP === In the virtual host section of the dashboard the following definitions must be declared


WSGIScriptAlias /dashboard-unipd /usr/share/openstack-dashboard/openstack_dashboard/wsgi/django.wsgi


  AuthType shibboleth
  ShibRequestSetting requireSession 1
  ShibRequestSetting applicationId default
  ShibRequestSetting entityID https://shibidp.cca.unipd.it/idp/shibboleth
  require shib-session

In the virtual host section of the Keystone service (main) the following definitions must be declared



    AuthType shibboleth
    Require shib-session
    ShibRequestSetting requireSession 1
    ShibRequestSetting applicationId default
    ShibRequestSetting entityID https://shibidp.cca.unipd.it/idp/shibboleth
    ShibRequireSession On
    ShibExportAssertion Off

=== Configuration for INDIGO IAM === In the virtual host section of the dashboard the following definitions must be declared


WSGIScriptAlias /dashboard-openidc "/usr/share/openstack-dashboard/openstack_dashboard/wsgi/django.wsgi"


  AuthType openid-connect
  Require  claim iss:https://iam-test.indigo-datacloud.eu/
  LogLevel debug

In the virtual host section of the Keystone service (main) the following definitions must be declared



  AuthType openid-connect
  Require  claim iss:https://iam-test.indigo-datacloud.eu/
  LogLevel debug

In the file ///usr/share/openstack-dashboard/openstack_dashboard/local/local_settings.d/_1001_indigo_settings.py// it is necessary to register the INDIGO IAM


HORIZON_CONFIG['identity_providers']['indigo_sso'] = {
    'context' :     '/dashboard-openidc',
    'path' :        '/dashboard-openidc/auth/register/',
    'description' : 'INDIGO IAM',
    'logo' :        '/dashboard/static/dashboard/img/logoINDIGO.png',
    'uid_tag' :     'OIDC-preferred_username',
    'org_tag' :     'OIDC-organisation_name'
}

Download the metadata from INDIGO IAM:


wget -O /var/cache/httpd/mod_auth_openidc/metadata/iam-test.indigo-datacloud.eu.provider https://iam-test.indigo-datacloud.eu/.well-known/openid-configuration

Create the client configuration file for INDIGO IAM ///var/cache/httpd/mod_auth_openidc/metadata/iam-test.indigo-datacloud.eu.client// with the following definitions:


{
    "client_id" : "**********************",
    "client_secret" : "*******************************************************"
}

Create the service configuration file for INDIGO IAM ///var/cache/httpd/mod_auth_openidc/metadata/iam-test.indigo-datacloud.eu.conf// with the following definitions:


{
  "scope" : "openid profile email",
  "token_endpoint_auth" : "client_secret_basic",
  "response_type" : "code"
}

=== Other changes === It is necessary to force the version 3 for keystone API. In the file ///etc/openstack-dashboard/local_settings// the following definitions must be present


OPENSTACK_API_VERSIONS = {
    "identity": 3
}
OPENSTACK_HOST = "cloud-areapd.pd.infn.it"
# Keystone accessible in plaintext
#OPENSTACK_KEYSTONE_URL = "http://%s:5000/v3" % OPENSTACK_HOST
# Keystone protected with SSL/TLS
OPENSTACK_KEYSTONE_URL = "https://%s:5000/v3" % OPENSTACK_HOST
OPENSTACK_SSL_CACERT = "/etc/grid-security/certificates/INFN-CA-2006.pem"

It's strongly recommanded to use memcached for storing session attributes, instead of signed cookies. Login cannot be correctly performed if too many data are stored in a cookie. The cache definition is specified into the file ///etc/openstack-dashboard/local_settings//:

SESSION_ENGINE = 'django.contrib.sessions.backends.cache'
CACHES = {
    'default': {
        'BACKEND': 'django.core.cache.backends.memcached.MemcachedCache',
        'LOCATION': '127.0.0.1:11211',
    }
}

The memcache daemon must be running systemctl status memcached For further details refer to the [[https://docs.djangoproject.com/en/1.4/topics/http/sessions/|django session guide]] Since the configuration file of the dashboard contains sensitive parameters it is necessary to change its permissions:


chown root.apache /usr/share/openstack-dashboard/openstack_dashboard/local/local_settings.d/_1000_local_settings.py
chmod 640 /usr/share/openstack-dashboard/openstack_dashboard/local/local_settings.d/_1000_local_settings.py

=== Restarting of the services === It is strongly recommended to verify the configuration of the shibboleth service with the command: LD_LIBRARY_PATH=/opt/shibboleth/lib64 runuser -s /bin/bash -c 'shibd -t' -- shibd before starting the service:


systemctl enable shibd && systemctl start shibd


systemctl restart httpd

^ Tips ^ ^ | | The log for Horizon can be enabled defining a new handler, a new formatter and a new logger in the LOGGING table of the file ///etc/openstack-dashboard/local_settings//:

LOGGING = {
    'formatters': {
        'verbose': {
            'format': '%(asctime)s %(process)d %(levelname)s %(name)s '
                      '%(message)s'
        },
    },
    # other definitions
    'handlers': {
        # other definitions
        'file': {
            'level': 'DEBUG',
            'class': 'logging.FileHandler',
            'filename': '/var/log/horizon/horizon.log',
            'formatter': 'verbose',
        },
    }
    'loggers': {
        # other definitions
        'openstack_auth_shib': {
            'handlers': ['file'],
            'level': 'DEBUG',
            'propagate': False,
        },
    }

For further details about logging see the [[https://docs.python.org/2.7/library/logging.html| python documentation]] | | | If necessary the service metadata (service description, information URLs, etc.) can be customized editing the file ///etc/openstack-auth-shib/idem-template-metadata.xml// | ==== Configuration of the Keystone service ==== Change the following sections in the file ///etc/keystone/keystone.conf//:


[federation]
trusted_dashboard = https://cloud-areapd.pd.infn.it/dashboard/auth/websso/

[mapped]
remote_id_attribute = Shib-Identity-Provider

[auth]
methods = password,token,mapped,openid

Restart the keystone service :


systemctl restart httpd

==== Configuration of the cron scripts ==== Create the configuration file ///etc/openstack-auth-shib/actions.conf// with the following definitions:


USERNAME=admin
TENANTNAME=admin
PASSWD=****
AUTHURL=https://cloud-areapd.pd.infn.it:35357/v3/
CAFILE=/etc/grid-security/certificates/INFN-CA-2015.pem
NOTIFICATION_PLAN=5,10,20

The configuration file must be readable only by root:


chmod 600 /etc/openstack-auth-shib/actions.conf

^ Tips ^ ^ | | The crontab configuration file is located at ///etc/cron.d/openstack-auth-shib-cron// | | | Since the script accesses the database, for installations on multiple nodes which share the same backend, it's recommanded to have different crontab configurations for different nodes | | | The configuration file for the logging system of all the scripts is ///etc/openstack-auth-shib/logging.conf// | ==== References ==== * INFN AAI Support: aai-support@lists.infn.it * UniPD SSO Support : supporto.sso@unipd.it