Page revision of 2018/05/24 09:10 (current) by andreett@infn.it
====== AAI integrations in Openstack Ocata (Work In Progress) ======

Authors: Paolo Andreetto (INFN Padova)

==== Requirements ====
  * CentOS Linux release 7.4
  * OpenStack Ocata
==== X509 support ====

Install the EUGridPMA repository, the EGI core CA policy bundle and the CRL fetcher:
<code bash>
wget -O /
yum -y install ca-policy-egi-core fetch-crl
</code>

Enable and start the ''fetch-crl'' cron job, so that the revocation lists used by the X509 checks are refreshed periodically:
<code bash>
systemctl enable fetch-crl-cron && systemctl start fetch-crl-cron
</code>
==== Shibboleth installation ====

Install the Shibboleth SP repository and the required modules:
<code bash>
wget -O /
yum -y install shibboleth
</code>

Deploy the service certificate file in ///
Change the ownership and permissions of those files so that only the ''shibd'' daemon can read them; in particular the private key must not be readable by any other user:
<code bash>
chmod 400 /
chmod 600 /
chown shibd.shibd /
chown shibd.shibd /
</code>

The file ///

<code xml shibboleth2.xml>
<
xmlns:
xmlns:
xmlns:
xmlns:
clockSkew="

<

<
checkAddress="

<

<
<Handler type="

<Handler type="
<Handler type="
<Handler type="
</

<Errors redirectErrors="

<
<
uri="
backingFilePath="/
reloadInterval="
</

<
validate="
reloadChanges="
path="/
<
<

<
<
<
<
<
</
<CRL>
<
</
</

</

<
<

</
</code>

==== OpenID Connect module installation ====

Install the Apache plugin for OpenID Connect:
<code bash>
yum -y install mod_auth_openidc
</code>

Create the configuration file ///
<code>
OIDCClaimPrefix
OIDCMetadataDir
OIDCCryptoPassphrase ********
OIDCRedirectURI
</code>

''OIDCCryptoPassphrase'' is the key the module uses to encrypt its state and session cookies: choose a long random value and keep the file readable only by root. ''OIDCRedirectURI'' must be a path inside the protected location that does not correspond to any real resource, because the module itself handles the callback at that URL.

==== HTTP service's configuration ====

If the module "
<code apache>
SSLCertificateFile /
SSLCertificateKeyFile /
</code>
in the configuration file for the Apache SSL plugin. In general the file is ''/

In order to avoid [[https://
<code apache>
ServerName https://
UseCanonicalName On
</code>
With ''UseCanonicalName On'' Apache builds self-referential URLs (and therefore the return URLs of the login handlers) from ''ServerName'' instead of from the ''Host'' header sent by the client, so a forged header cannot steer the redirect to another host.
==== Installation of the AAI integration ====

The repository for Ocata can be downloaded with the command:
<code bash>
wget -O /
</code>

Install the integration package of your site (one of the two below; both commands also install the ''keystone-skey-auth'' package).

The integration for the project Cloud Area Padovana can be installed with the command:
<code bash>
yum -y install openstack-auth-cap keystone-skey-auth
</code>

The integration for the project Cloud Veneto can be installed with the following command:
<code bash>
yum -y install openstack-auth-cedc keystone-skey-auth
</code>
=== Setting up the database ===
In the file ///
define the parameters for the database according to the [[https://
This snippet is an example for a MySQL based installation:
<code python>
DATABASES = {
    '
        '
        '
        '
        '
        '
        '
    }
}
</code>

The database must be created manually and all permissions granted before performing any further action. Grant them only to the database user of the dashboard and only from the hosts the dashboard nodes connect from:

<code sql>
create database horizon_aai;
grant all on horizon_aai.* to '
grant all on horizon_aai.* to '
</code>

The database can be populated with the command:
<code bash>
runuser -s /bin/bash -c '
</code>

The creation of an admin user in the database is not required.
=== Setting up the notification system ===
The notification system must be configured according to [[https://
The file to be modified is ///
Several notifications are sent directly to site administrators,

This snippet is an example of configuration for accessing a protected SMTP server (the SMTP password is stored in clear in this file, one of the reasons its permissions are restricted later on):
<code python>
EMAIL_BACKEND = '
EMAIL_HOST = '
EMAIL_PORT = 587
EMAIL_HOST_USER = '
EMAIL_HOST_PASSWORD = '
SERVER_EMAIL = '
MANAGERS = (('
</code>
=== Configure the INFN IdP ===

In the virtual host section of the dashboard the following definitions must be declared
<code apache>
WSGIScriptAlias /

<
AuthType shibboleth
ShibRequestSetting requireSession 1
require shib-session
ShibRequestSetting applicationId default
ShibRequestSetting entityID https://
</
</code>

In the virtual host section of the Keystone service (main) the following definitions must be declared
<code apache>
<
AuthType shibboleth
Require shib-session
ShibRequestSetting requireSession 1
ShibRequestSetting applicationId default
ShibRequestSetting entityID https://
ShibRequireSession On
ShibExportAssertion Off
</
</code>

''ShibRequireSession On'' is the legacy spelling of ''ShibRequestSetting requireSession 1'' and is redundant next to it; ''ShibExportAssertion Off'' keeps the full SAML assertion out of the request environment, so only the mapped attributes reach Keystone.

If the testing IdP has to be used, in the file ///
a new metadata provider in the chain must be defined:
<code xml>
<
<
uri="
backingFilePath="/
</
</code>
and the entityID is https://
=== Configuration for the UniPD IdP ===

In the virtual host section of the dashboard the following definitions must be declared
<code apache>
WSGIScriptAlias /

<
AuthType shibboleth
ShibRequestSetting requireSession 1
ShibRequestSetting applicationId default
ShibRequestSetting entityID https://
require shib-session
</
</code>

In the virtual host section of the Keystone service (main) the following definitions must be declared
<code apache>
<
AuthType shibboleth
Require shib-session
ShibRequestSetting requireSession 1
ShibRequestSetting applicationId default
ShibRequestSetting entityID https://
ShibRequireSession On
ShibExportAssertion Off
</
</code>

=== Configuration for INDIGO IAM ===

In the virtual host section of the dashboard the following definitions must be declared
<code apache>
WSGIScriptAlias /

<
AuthType openid-connect
Require
LogLevel debug
</
</code>

In the virtual host section of the Keystone service (main) the following definitions must be declared
<code apache>
<
AuthType openid-connect
Require
LogLevel debug
</
</code>

''LogLevel debug'' makes mod_auth_openidc write every step of the OpenID Connect exchange, including token responses and claims, to the Apache error log: keep it only while testing the login and lower it again afterwards.

In the file ///

<code python>
HORIZON_CONFIG['
    '
    '
    '
    '
    '
    '
}
</code>

Download the metadata from INDIGO IAM:
<code bash>
wget -O /
</code>

Create the client configuration file for INDIGO IAM ///
<code>
{
"
"
}
</code>

Create the service configuration file for INDIGO IAM ///
<code>
{
"
"
"
}
</code>

The client configuration file contains the client secret: give it the same restrictive permissions as the other secret-bearing files described in this page.
=== Other changes ===
It is necessary to force version 3 of the Keystone API.
In the file ///
<code python>
OPENSTACK_API_VERSIONS = {
    "
}
OPENSTACK_HOST = "
# Keystone accessible in plaintext
#
# Keystone protected with SSL/TLS
OPENSTACK_KEYSTONE_URL = "
OPENSTACK_SSL_CACERT = "/
</code>

It is strongly recommended to use memcached for storing session attributes instead of signed cookies: login cannot be completed if too much data is stored in a cookie, and a federated session easily exceeds the size limit browsers enforce on cookies. The cache definition is specified in the file ///
<code python>
CACHES = {
    '
        '
        '
    }
}
</code>

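The settings above are plain Python that Horizon imports as ''local_settings''. The following script is an added example, not code from this page or from Horizon: it loads a settings snippet the same way and checks the points made here (identity API version 3, an https Keystone URL with a CA file, a memcached session cache instead of signed cookies). The sample settings embedded in it are constructed and its hostnames and paths are placeholders, not the site's real ones; only run it on a ''local_settings'' you trust, since executing the file runs its code.

```python
"""Added example (not part of the page or of Horizon): load a local_settings
snippet the way Django does and check the settings this page changes.
Runs offline on the constructed sample below."""
import sys
from urllib.parse import urlsplit

# Constructed sample; hostnames and paths are placeholders (assumptions).
SAMPLE_LOCAL_SETTINGS = '''
OPENSTACK_API_VERSIONS = {"identity": 3}
OPENSTACK_HOST = "keystone.example.org"
OPENSTACK_KEYSTONE_URL = "https://%s:5000/v3" % OPENSTACK_HOST
OPENSTACK_SSL_CACERT = "/etc/pki/tls/certs/ca-bundle.crt"
SESSION_ENGINE = "django.contrib.sessions.backends.cache"
CACHES = {"default": {"BACKEND": "django.core.cache.backends.memcached.MemcachedCache",
                      "LOCATION": "127.0.0.1:11211"}}
'''


def load_settings(text):
    """Execute the settings text in an isolated namespace (Horizon imports
    local_settings as a module, so the same syntax is accepted) and keep
    the upper-case names, which is how Django recognises settings."""
    ns = {}
    exec(compile(text, "local_settings", "exec"), ns)
    return {k: v for k, v in ns.items() if k.isupper()}


def check_horizon_settings(s):
    """Return a list of findings; an empty list means the page's requirements hold."""
    findings = []
    if s.get("OPENSTACK_API_VERSIONS", {}).get("identity") != 3:
        findings.append("OPENSTACK_API_VERSIONS['identity'] must be 3 for federated (mapped) login")
    parts = urlsplit(s.get("OPENSTACK_KEYSTONE_URL", ""))
    if parts.scheme != "https":
        findings.append("OPENSTACK_KEYSTONE_URL is not https: tokens and the WebSSO POST travel in clear")
    elif not s.get("OPENSTACK_SSL_CACERT"):
        findings.append("OPENSTACK_SSL_CACERT unset: verification falls back to the default trust store "
                        "instead of the site CA file")
    if not parts.path.rstrip("/").endswith("/v3"):
        findings.append("OPENSTACK_KEYSTONE_URL does not point at the /v3 endpoint")
    # Horizon's built-in default is the signed-cookie backend, hence the default here.
    engine = s.get("SESSION_ENGINE", "django.contrib.sessions.backends.signed_cookies")
    if engine.endswith("signed_cookies"):
        findings.append("SESSION_ENGINE uses signed cookies: federated sessions overflow the cookie size limit")
    backend = s.get("CACHES", {}).get("default", {}).get("BACKEND", "")
    if "memcached" not in backend.lower():
        findings.append(f"CACHES default backend is {backend or 'unset'}, expected memcached")
    return findings


if __name__ == "__main__":
    # Usage: python check_local_settings.py [/etc/openstack-dashboard/local_settings]
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LOCAL_SETTINGS
    for finding in check_horizon_settings(load_settings(text)) or ["OK"]:
        print(finding)
```

Run it against the real file before restarting httpd; every finding corresponds to one of the settings this section asks you to change.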
Since the configuration file of the dashboard contains sensitive parameters (database and SMTP passwords, the OpenID Connect settings) it is necessary to restrict its permissions to root and the Apache user:
<code bash>
chown root.apache /
chmod 640 /
</code>
=== Restarting of the services ===

It is strongly recommended to verify the configuration of the shibboleth service with the command:
<code bash>
</code>
before starting the service:
<code bash>
systemctl enable shibd && systemctl start shibd
</code>

Then restart the HTTP server, which hosts both the dashboard and Keystone:
<code bash>
systemctl restart httpd
</code>
^ Tips ^ ^
| | The log for Horizon can be enabled defining a new handler, a new formatter and a new logger in the LOGGING table of the file ///
<code python>
'
'
'
'
},
},
# other definitions
'
# other definitions
'
'
'
'
'
},
}
'
# other definitions
'
'
'
'
},
}
</code> |
| | If necessary the service metadata (service description,

==== Configuration of the Keystone service ====

Change the following sections in the file ///
<code ini>
[federation]
trusted_dashboard = https://

[mapped]
remote_id_attribute = Shib-Identity-Provider

[auth]
methods = password,
</code>

''trusted_dashboard'' must match exactly the WebSSO callback URL of the dashboard, otherwise Keystone refuses to hand the unscoped token to it; ''remote_id_attribute'' names the request variable carrying the entityID of the IdP, which Keystone uses to select the identity provider and its mapping.

Since Keystone runs under Apache, restart the HTTP server to apply the change:
<code bash>
systemctl restart httpd
</code>

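The three settings above are easy to get subtly wrong (a plain-http dashboard URL, a missing ''mapped'' method) and Keystone only complains at login time. The script below is an added example, not part of this page or of Keystone: it parses a keystone.conf and reports such problems before httpd is restarted. It keeps every value of repeated keys because ''trusted_dashboard'' is multi-valued. The embedded sample is constructed, the hostname in it is a placeholder, and the check on the ''/auth/websso/'' path is a heuristic based on Horizon's callback URL, not a rule Keystone enforces.

```python
"""Added example (not part of the page or of Keystone): pre-restart check of
the federation settings this page puts in keystone.conf. Reads the INI text
only, so it runs offline on the constructed sample below."""
import sys
from urllib.parse import urlsplit

# Constructed sample; the hostname is a placeholder. The second trusted_dashboard
# entry is deliberately plain http to show what the check flags.
SAMPLE_KEYSTONE_CONF = """
[federation]
trusted_dashboard = https://dashboard.example.org/dashboard/auth/websso/
trusted_dashboard = http://dashboard.example.org/dashboard/auth/websso/

[mapped]
remote_id_attribute = Shib-Identity-Provider

[auth]
methods = password,token,mapped
"""


def parse_ini_multi(text):
    """Minimal INI reader that keeps every value of a repeated key: oslo.config
    options such as trusted_dashboard are multi-valued, and configparser would
    silently keep only the last occurrence."""
    conf, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
            conf.setdefault(section, {})
        elif "=" in line and section is not None:
            key, _, value = line.partition("=")
            conf[section].setdefault(key.strip(), []).append(value.strip())
    return conf


def check_federation(conf):
    """Return a list of findings; empty means the page's three settings are consistent."""
    findings = []
    dashboards = conf.get("federation", {}).get("trusted_dashboard", [])
    if not dashboards:
        findings.append("federation.trusted_dashboard unset: Keystone will refuse every WebSSO origin")
    for url in dashboards:
        parts = urlsplit(url)
        if parts.scheme != "https":
            findings.append(f"trusted_dashboard {url}: not https, the token POSTed back "
                            "to the dashboard travels in clear")
        if not parts.path.endswith("/auth/websso/"):
            # Heuristic: Horizon's WebSSO callback lives under .../auth/websso/ and
            # Keystone compares the origin string exactly, so a typo here breaks login.
            findings.append(f"trusted_dashboard {url}: does not look like Horizon's /auth/websso/ callback")
    remote_id = conf.get("mapped", {}).get("remote_id_attribute", [""])[-1]
    if not remote_id:
        findings.append("mapped.remote_id_attribute empty: Keystone cannot tell which IdP issued the session")
    methods = conf.get("auth", {}).get("methods", [""])[-1]
    if "mapped" not in {m.strip() for m in methods.split(",")}:
        findings.append("auth.methods lacks 'mapped': federated users cannot obtain tokens")
    return findings


if __name__ == "__main__":
    # Usage: python check_keystone_federation.py [/etc/keystone/keystone.conf]
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_KEYSTONE_CONF
    for finding in check_federation(parse_ini_multi(text)) or ["OK"]:
        print(finding)
```

On the constructed sample the only finding is the plain-http dashboard entry; on a real file, fix every finding and then restart httpd as described above.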

==== Configuration of the cron scripts ====

Create the configuration file ///
<code bash>
USERNAME=admin
TENANTNAME=admin
PASSWD=****
AUTHURL=https://
CAFILE=/
NOTIFICATION_PLAN=5,
</code>

The configuration file holds the admin password in clear, so it must be readable only by root:
<code bash>
chmod 600 /
</code>

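This page asks for restrictive permissions on four files: the Shibboleth key and certificate (400 and 600, owned by shibd), the dashboard's ''local_settings'' (640, root:apache) and the cron configuration above (600, root). The script below is an added example, not part of this page or of the openstack-auth packages: a shell function that checks one file against the expected mode and owner, plus a driver that runs all four checks. The driver's paths are assumptions (the page truncates them) and must be adapted; it relies on GNU ''stat'' as shipped with CentOS 7.

```bash
#!/bin/bash
# Added example, not from the page or from the openstack-auth packages:
# pre-flight check of the secret-bearing files before starting shibd/httpd/cron.

# check_secret_file PATH MODE OWNER [GROUP]
# Returns 0 when PATH is a regular file with octal mode MODE (as printed by
# `stat -c %a`, e.g. 600) owned by OWNER (and by GROUP, if given);
# prints the reason and returns 1 otherwise.
check_secret_file() {
    local path="$1" want_mode="$2" want_owner="$3" want_group="${4:-}"
    local have_mode have_owner have_group
    if [ ! -f "$path" ]; then
        echo "MISSING   $path"
        return 1
    fi
    have_mode=$(stat -c '%a' "$path")
    have_owner=$(stat -c '%U' "$path")
    have_group=$(stat -c '%G' "$path")
    if [ "$have_mode" != "$want_mode" ]; then
        echo "BAD MODE  $path: $have_mode, expected $want_mode"
        return 1
    fi
    if [ "$have_owner" != "$want_owner" ]; then
        echo "BAD OWNER $path: $have_owner, expected $want_owner"
        return 1
    fi
    if [ -n "$want_group" ] && [ "$have_group" != "$want_group" ]; then
        echo "BAD GROUP $path: $have_group, expected $want_group"
        return 1
    fi
    echo "OK        $path ($have_mode $have_owner:$have_group)"
    return 0
}

# Runs every check this page calls for. All paths are assumptions: the page
# truncates them, so replace them with the ones used at your site.
check_all() {
    local rc=0
    check_secret_file /etc/shibboleth/sp-key.pem  400 shibd shibd || rc=1     # assumed key path
    check_secret_file /etc/shibboleth/sp-cert.pem 600 shibd shibd || rc=1     # assumed cert path
    check_secret_file /etc/openstack-dashboard/local_settings 640 root apache || rc=1  # assumed path
    check_secret_file /etc/openstack-auth/cron.conf 600 root || rc=1          # assumed cron config path
    return $rc
}

# Entry point: `./check_secret_files.sh --check` runs all checks and exits
# non-zero on the first problem; sourcing the file only defines the functions.
if [ "${1:-}" = "--check" ]; then
    check_all
    exit $?
fi
```

The function deliberately requires an exact mode rather than "at most": a key that is 440 instead of 400 is readable by the whole shibd group, and a 644 ''local_settings'' exposes the database and SMTP passwords to every local user.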
^ Tips ^ ^
| | The crontab configuration file is located at ///
| | Since the script accesses the database, for installations on multiple nodes which share the same backend it is recommended to have different crontab configurations for different nodes, so that the same job is not executed twice on the shared data |
| | The configuration file for the logging system of all the scripts is ///

==== References ====

  * INFN AAI Support: aai-support@lists.infn.it
  * UniPD SSO Support: supporto.sso@unipd.it