progetti:cloud-areapd:aai_integration_with_keystone:integration_in_openstack_kilo
Page revisions: 2017/03/10 09:37 (andreett@infn.it) and 2017/09/28 11:21 (current, andreett@infn.it; section edited: Installation of the AAI integration)
====== AAI integrations in Openstack Mitaka ======
Authors: Paolo Andreetto (INFN Padova)

==== Requirements ====
  * CentOS Linux release 7.1
  * Openstack

==== Shibboleth installation ====

=== Installing repositories ===
<code bash>
wget -O /
wget -O /
</code>

=== Installing required modules ===
<code bash>
yum -y install ca-policy-egi-core fetch-crl shibboleth httpd mod_ssl
</code>

=== Starting cron service "
<code bash>
systemctl enable fetch-crl-cron && systemctl start fetch-crl-cron
</code>

=== Installing certificate - key and setting their permissions ===
Deploy the service certificate file in ///
Change the ownership and permissions for those files:
<code bash>
chmod 400 /
chmod 600 /
chown shibd.shibd /
chown shibd.shibd /
</code>

==== Shibboleth service's configuration ====

=== Downloading the attribute-map file ===
<code bash>
wget -O /
</code>

=== Configuring the shibboleth daemon ===
The file ///

<code xml shibboleth2.xml>
<
xmlns:
xmlns:
xmlns:
xmlns:
clockSkew="

<

<
checkAddress="

<SSO target="
SAML2 SAML1
</

<
<Handler type="

<Handler type="
<Handler type="
<Handler type="
</

<Errors redirectErrors="

<
<
uri="
backingFilePath="/
reloadInterval="
</
<
<
<

<
<
<
<
<
</
<CRL>
<
</
</

</
<
<

</
</code>

=== Verifying the configuration procedure ===
Use the command:
<code bash>
(see note below)

=== Starting the shibboleth daemon ===
<code bash>
systemctl enable shibd && systemctl start shibd
</code>

^ Troubleshooting ^ ^
| | if the command above reports the error: < |
| | if the command above reports the errors: <
this will greatly limit functionality
ERROR XMLTooling.libcurl.InputStream : error while fetching
https://
ERROR XMLTooling.libcurl.InputStream : on Red Hat 6+, make sure libcurl used is built with OpenSSL
ERROR XMLTooling.ParserPool : fatal error on line 0, column 0, message: internal error in NetAccessor
ERROR OpenSAML.MetadataProvider.XML : error while loading resource
(https://
ERROR OpenSAML.MetadataProvider.XML : metadata instance was invalid at time of acquisition
CRIT OpenSAML.Metadata.Chaining : failure initializing MetadataProvider:
Metadata instance was invalid at time of acquisition.</

==== HTTP service's configuration ====

=== Configuration of the module "
If the module isn't already configured, define the following attributes:
<code bash>
SSLCertificateFile /
SSLCertificateKeyFile /
</code>
in the configuration file for the SSL apache plugin. In general the file is ''/

=== Configuration of the service "shibboleth" for the Openstack-Dashboard ===
In the file ''/
<code bash>
<
AuthType shibboleth
ShibRequestSetting requireSession 1
require shib-session
</
</code>

=== Configuration file of the Dashboard ===
Add the following instructions,
<code bash>
WSGIScriptAlias /
</code>

In order to avoid [[https://
<code bash>
ServerName https://
UseCanonicalName On
</code>

=== Restarting of the service ''
<code bash>
systemctl restart httpd
</code>

==== Installation of the AAI integration ====

=== Download the repository containing the integration packages ===
Repository for Kilo:
<code bash>
wget -O /
</code>

Repository for Mitaka:
<code bash>
wget -O /
</code>

=== Installation of the keystone plugin ===
<code bash>
yum -y install keystone-skey-auth
</code>

=== Installation of the dashboard wrappers ===
For the project Cloud Area Padovana:
<code bash>
yum -y install openstack-auth-cap
</code>

For the project Cloud Veneto:
<code bash>
yum -y install openstack-auth-cedc
</code>

=== Generating the secret key ===

The secret key is the shared secret between Horizon and Keystone.
It must be deployed by hand on both sides and it can be generated with the following command:
<code bash>

The generated key must be specified, between double quotes, as the parameter "
<code python>
KEYSTONE_SECRET_KEY = "
</code>

=== Setting up the database ===
In the file ///
according to the [[https://
This snippet is an example for a mysql based installation:
<code python>
DATABASES = {
'
'
'
'
'
'
'
}
}
</code>

The database must be created manually and all permissions granted before performing any further action:

<code sql>
create database horizon_aai;
grant all on horizon_aai.* to '
grant all on horizon_aai.* to '
</code>

The database can be populated with the command:
<code bash>
runuser -s /bin/bash -c '
</code>

The creation of an admin user in the database is not required.

=== Setting up the notification system ===
The notification system must be configured according to [[https://
The file to be modified is ///
Several notifications are sent directly to site administrators,

This snippet is an example of configuration for accessing a protected SMTP server:
<code python>
EMAIL_BACKEND = '
EMAIL_HOST = '
EMAIL_PORT = 587
EMAIL_HOST_USER = '
EMAIL_HOST_PASSWORD = '
SERVER_EMAIL = '
MANAGERS = (('
</code>

=== Install notification templates ===
In the file ///
<code python>
NOTIFICATION_TEMPLATE_DIR = '/
</code>

=== Other changes ===
It is necessary to force version 3 of the keystone API.
In the file ///
<code python>
OPENSTACK_API_VERSIONS = {
"
}
OPENSTACK_HOST = "
# Keystone accessible in plaintext
#
# Keystone protected with SSL/TLS
OPENSTACK_KEYSTONE_URL = "
OPENSTACK_SSL_CACERT = "/
</code>

In the configuration file ///
For the project Cloud Area Padovana:
<code python>
HORIZON_CONFIG = {
#other definitions
'
}
</code>
For the project Cloud Veneto:
<code python>
HORIZON_CONFIG = {
#other definitions
'
}
</code>

Since the configuration file of the dashboard contains sensitive parameters it is necessary to change its permissions:
<code bash>
chmod 640 /
</code>

=== Restarting of the service "
<code bash>
systemctl restart httpd
</code>

^ Troubleshooting ^ ^
| | If the log in the file ///
yum -y install python-lesscpy
cd /
systemctl restart httpd
</

^ Tips ^ ^
| | The log for Horizon can be enabled defining a new handler, a new formatter and a new logger in the LOGGING table of the file ///
'
'
'
'
},
},
# other definitions
'
# other definitions
'
'
'
'
'
},
}
'
# other definitions
'
'
'
'
},
}</
'
'
'
}</
| | If you're configuring SSL support for connections between Horizon and Keystone don't use the IP address for OPENSTACK_HOST,
| | It's strongly recommended to use memcached for storing session attributes, instead of signed cookies. Login cannot be correctly performed if too much data is stored in a cookie. The cache definition is specified in the file ///
CACHES = {
'
'
'
}
}</
| | It is possible to restore manually the standard Openstack logos with the following commands: <code bash>cp /
/
cp /
/
cp /
/
| | If necessary the service metadata (service description,

==== Configuration of the Keystone service ====

=== Configuration of the authentication
Change the "
<code bash>
[auth]
methods=sKey,
password=keystone.auth.plugins.password.Password
token=keystone.auth.plugins.token.Token
sKey = keystone_skey_auth.skey.SecretKeyAuth
</code>

Create a new section in the file ///
<code bash>
[skey]
secret_key = "
</code>

The secret key defined in the keystone configuration file is the same key specified by the parameter "

Configure fernet tokens support in the service with the following definitions in ///
<code bash>
[token]
provider = keystone.token.providers.fernet.Provider

[fernet_tokens]
key_repository = /
</code>

Create the fernet key repository:
<code bash>
mkdir -p /
keystone-manage fernet_setup --keystone-user keystone --keystone-group keystone
</code>

=== Restarting the keystone service ===
If the keystone service is running in stand-alone mode:
<code bash>
systemctl restart openstack-keystone
</code>
If the keystone service is running as a WSGI application in Apache:
<code bash>
systemctl restart httpd
</code>

==== Configuration of the cron scripts ====

Create the configuration file ///
<code bash>
USERNAME=admin
TENANTNAME=admin
PASSWD=****
AUTHURL=https://
CAFILE=/
NOTIFICATION_PLAN=5,
</code>

The configuration file must be readable only by root:
<code bash>
chmod 600 /
</code>

Create the cron file ///
<
5 0 * * * root python /
10 0 * * *
0 9 * * 1

</code>

^ Tips ^ ^
| | Since the script accesses the database, for installations on multiple nodes which share the same backend, it's recommended to have different crontab configurations for different nodes |
| | The configuration file for the logging system of all the scripts is ///

==== The guest project ====

The guest project can be created by the cloud administrator directly with the dashboard.
From the "
Only one guest project can be created.

==== Setup for INFN-AAI testing ====

In the file ///
<code xml>
<
<
uri="
backingFilePath="/
</
</code>
and the entityID must point to the corresponding URL
<code xml>
<SSO target="
SAML2 SAML1
</
</code>

==== Setup for UniPD-IdP (production) ====

In the file ///
<code xml>
<
AuthType shibboleth
ShibRequestSetting requireSession 1
ShibRequestSetting applicationId default
ShibRequestSetting target https://
ShibRequestSetting entityID https://
require shib-session
</
</code>

A new alias must be created in the file ///
<code bash>
WSGIScriptAlias /
</code>

In the file ///
<code python>
HORIZON_CONFIG['
{'
]
</code>

Restart the daemons:
<code bash>
systemctl restart shibd
systemctl restart httpd
</code>

==== Setup for IDEM (testing) ====

The public key must be downloaded from IDEM site:
<code bash>
wget https://
chmod 444 /
</code>

In the file ///

<code xml>
<
<
<Host scheme="
<Path name="
</
</
</

<

<!-- previous definitions -->
<
<!-- previous definitions -->
<
uri="
backingFilePath="/
<
</
</
<
<
checkAddress="
<SSO target="
SAML2 SAML1
</
</
</
</
</code>

In the file ///
<code xml>
<
AuthType shibboleth
ShibRequestSetting requireSession 1
require shib-session
</
</code>

A new alias must be created in the file ///
<code bash>
WSGIScriptAlias /
</code>

In the file ///
<code python>
HORIZON_CONFIG['
{'
]
</code>

==== References ====

  * INFN AAI Support: aai-support@lists.infn.it
  * UniPD SSO Support : supporto.sso@unipd.it
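A consistency check for the shared secret described here and in the "Generating the secret key" section, added as an example and not part of this wiki page or of the keystone-skey-auth package: it reads the [skey] secret_key from keystone.conf and KEYSTONE_SECRET_KEY from the dashboard settings, confirms the two match, and confirms neither file is readable by others (the 0640 / 0600 modes required above). The default paths in check_deployment are assumed RDO locations and the sample inputs are constructed.

```python
import configparser
import os
import re
import stat

# Constructed sample inputs (not taken from the page): a keystone.conf fragment with the
# [auth] and [skey] sections described above, and the matching line from local_settings.
SAMPLE_KEYSTONE_CONF = """\
[auth]
methods = sKey,password,token
sKey = keystone_skey_auth.skey.SecretKeyAuth

[skey]
secret_key = "EXAMPLE-shared-secret-0001"
"""
SAMPLE_LOCAL_SETTINGS = 'KEYSTONE_SECRET_KEY = "EXAMPLE-shared-secret-0001"\n'


def keystone_skey(conf_text):
    """Return the [skey] secret_key from keystone.conf text (quotes stripped), or ''."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(conf_text)
    return cp.get("skey", "secret_key", fallback="").strip().strip('"')


def horizon_skey(settings_text):
    """Return KEYSTONE_SECRET_KEY from the dashboard settings text, or ''."""
    m = re.search(r'^\s*KEYSTONE_SECRET_KEY\s*=\s*"([^"]*)"', settings_text, re.M)
    return m.group(1) if m else ""


def secrets_match(conf_text, settings_text):
    """True only if both sides define a non-empty key and the two keys are identical."""
    ks, hz = keystone_skey(conf_text), horizon_skey(settings_text)
    return bool(ks) and ks == hz


def mode_is_private(mode):
    """True if a file mode grants no permission at all to 'others' (0640 and 0600 qualify)."""
    return not mode & (stat.S_IROTH | stat.S_IWOTH | stat.S_IXOTH)


def check_deployment(keystone_conf="/etc/keystone/keystone.conf",
                     local_settings="/etc/openstack-dashboard/local_settings"):
    """Read both files (assumed default paths) and report key match and mode privacy."""
    with open(keystone_conf) as f:
        conf_text = f.read()
    with open(local_settings) as f:
        settings_text = f.read()
    return {"keys_match": secrets_match(conf_text, settings_text),
            "keystone_conf_private": mode_is_private(os.stat(keystone_conf).st_mode),
            "local_settings_private": mode_is_private(os.stat(local_settings).st_mode)}
```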