Setting up PEP Proxy
I have been working with PEP-Proxy-Steelskin so that I can add a security layer in front of my Orion Context Broker; however, some issues are blocking my progress.
I want to use the IDM and Keystone global instances.
I have successfully installed pepProxy (https://github.com/telefonicaid/fiware-pep-steelskin) following its instructions; however, the result is always the same:
{
    "name": "KEYSTONE_AUTHENTICATION_ERROR",
    "message": "There was a connection error while authenticating to Keystone: 500"
}
The configuration I am using in the config.js file looks like this:
var config = {};

// Protected Resource configuration
//--------------------------------------------------
// Configures the address of the component that is being proxied and the address of the proxy itself.
config.resource = {
    original: {
        /**
         * Host that is being proxied.
         */
        host: 'account.lab.fiware.org',
        /**
         * Port where the proxied server is listening.
         */
        port: 10026
    },
    proxy: {
        /**
         * Port where the proxy is listening to redirect requests.
         */
        port: 1026,
        /**
         * Administration port for the proxy.
         */
        adminPort: 11211
    }
};

// Access Control configuration
//--------------------------------------------------
/**
 * These options can be used to configure the address and options of the Access Control, responsible for the request
 * validation.
 */
config.access = {
    /**
     * Indicates whether the access control validation should be disabled. Defaults to false.
     */
    disable: false,
    /**
     * Protocol to use to access the Access Control.
     */
    protocol: 'http',
    /**
     * Host where the Access Control is located.
     */
    host: 'account.lab.fiware.org',
    /**
     * Port where the Access Control is listening.
     */
    port: 7070,
    /**
     * Path of the authentication action.
     */
    path: '/pdp/v3'
};

// User identity configuration
//--------------------------------------------------
/**
 * Information about the Identity Manager server from where the information about a user will be drawn.
 */
config.authentication = {
    checkHeaders: false,
    module: 'keystone',
    user: 'pep_proxy_99c595...',
    password: 'e3025a2...',
    domainName: 'matest',
    retries: 3,
    cacheTTLs: {
        users: 1000,
        projectIds: 1000,
        roles: 60,
        validation: 120
    },
    options: {
        protocol: 'http',
        host: 'cloud.lab.fiware.org',
        port: 5000,
        path: '/v3/role_assignments',
        authPath: '/v3/auth/tokens'
    }
};

// Security configuration
//--------------------------------------------------
config.ssl = {
    /**
     * This flag activates the HTTPS protocol in the server. The endpoint always listens on the indicated port
     * independently of the chosen protocol.
     */
    active: false,
    /**
     * Key file to use for encrypting the HTTPS requests. Only mandatory when the flag active is true.
     */
    keyFile: '',
    /**
     * SSL Certificate to present to the clients. Only mandatory when the flag active is true.
     */
    certFile: ''
};

/**
 * Default log level. Can be one of: 'DEBUG', 'INFO', 'WARN', 'ERROR', 'FATAL'
 */
config.logLevel = 'FATAL';

// List of component middlewares
//-------------------------------------------------
/**
 * To validate the request, the proxy needs some information that is dependent on the component: the action that a
 * request is going to execute. How to detect the action given the request is component-specific logic, which can be
 * codified in a middleware-like function that will be executed before the user validation. This logic must populate
 * the 'action' parameter of the request.
 */
config.middlewares = {
    /**
     * Indicates the module from where the middlewares will be loaded.
     */
    require: 'lib/plugins/orionPlugin',
    /**
     * Indicates the list of middlewares to load.
     */
    functions: [
        'extractCBAction'
    ]
};

/**
 * If this flag is activated, whenever the pepProxy is not able to redirect a request, instead of returning a 501 error
 * (which is the default behaviour) the PEP Proxy process will exit with a -2 code.
 */
config.dieOnRedirectError = false;

/**
 * Name of the component. It will be used in the generation of the FRN.
 */
config.componentName = 'orion';

/**
 * Prefix to use in the FRN (not to be changed, usually).
 */
config.resourceNamePrefix = 'fiware:';

/**
 * Indicates whether this PEP should have an admin bypass or not. If it does, whenever a user request arrives at the
 * PEP from a user that has the role defined in the "bypassRoleId" property, that request is not validated against the
 * Access Control, but is automatically proxied instead.
 */
config.bypass = false;

/**
 * ID of the admin role, if it exists. Only effective if the "bypass" property is true.
 */
config.bypassRoleId = '';

/**
 * Configures the maximum number of clients that can be simultaneously queued while waiting for the PEP to
 * authenticate itself against Keystone (due to an expired token).
 */
config.maxQueuedClients = 1000;

module.exports = config;
In this context:
- Is it right to use account.lab.fiware.org as the resource and access host, or should I use a different one?
- Is it right to use cloud.lab.fiware.org as the authentication host?
- The user and password are automatically created by my IDM Global Instance. Roles and privileges are being assigned through the same Global Instance. Is this procedure appropriate, or should I follow a different one?
- Am I missing something?
Does anyone have any hints for my problem?
Note: I have already tried different posts without getting it to work. Part of the reason is that many of those solutions install their own Keystone, e.g.:
PEP-Proxy-Steelskin Log configuration
PEP-Proxy-Steelskin Log configuration. This is the one most closely related to what I have been doing, but I think it is still not up to date:
@netzahdzc I'm sorry if this is not the answer you were hoping for, but it has been a while since I used Fiware technologies, so I don't remember everything; still, I will try to help.
Is it right to use account.lab.fiware.org, as resource and access host or should I use a different one?
I think what you are using is correct; please see the configuration file of my project on GitHub. That project is "old", so some things may have changed on the Fiware side... As you can see in PepProxy - config.js, I use the same instances as you:
config.account_host = 'https://account.lab.fiware.org';
config.keystone_host = 'cloud.lab.fiware.org';
config.keystone_port = 4730;
Is it right to use cloud.lab.fiware.org, as authentication host?
In the configuration I use (above) you can see that account_host is account.lab.fiware.org and keystone_host (used for authentication) is cloud.lab.fiware.org, so I think you are right.
The user and password are automatically created by my IDM Global Instance. Roles and privileges are being assigned through the same Global Instance. Is this procedure appropriated or should I follow a different one?
I haven't looked into this in depth, but from what I recall, yes, you are right: roles and privileges should be handled by the Keystone global instance. I don't know whether things have changed since I used it, though.
Sorry I cannot help more; try to see whether you can use some of my configuration, or at least whether it helps you. You could also try talking to Daniel Morán Jiménez; I'm sure he can help you better than I can.
Did your proposal work?
I think that if you want to use the global instance of the IdM as the identity provider for authentication, you have to fill in the config.js values as shown in the snippet below, but I am not sure it will work.
// User identity configuration
//--------------------------------------------------
/**
 * Information about the Identity Manager server from where the information about a user will be drawn.
 */
config.authentication = {
    checkHeaders: true,
    module: 'keystone',
    user: 'pep_proxy_1234...',
    password: 'my-autogenerated-password',
    domainName: 'Default',
    retries: 3,
    cacheTTLs: {
        users: 1000,
        projectIds: 1000,
        roles: 60,
        validation: 120
    },
    options: {
        protocol: 'http',
        host: 'cloud.lab.fiware.org',
        port: 4730,
        path: '/v3/role_assignments',
        authPath: '/v3/auth/tokens'
    }
};
Of course, replace the user and password fields with the values automatically created by your IDM global instance.
However, I think you should use the reference implementation of the PEP Proxy GE (Wilma PEP Proxy) in case you still want to use the global instance of Fiware Cloud.
You are using the Telefonica implementation of this GE, which from my point of view has some differences with Wilma, and I am not 100% sure it can be integrated with the reference implementations of the IdM Keyrock and the Authorization PDP Authzforce, which the global instance of Fiware Cloud uses.
A completely different approach could be to use your own instances of the IdM, Authorization PDP and PEP Proxy Generic Enablers (GEs). In that case you could still use the reference implementations of these three components, or you could use the Steelskin PEP Proxy. If you follow the Steelskin path, I encourage you to use Keystone-spassword and Keypass, which are Telefonica's implementations of the IdM and the Authorization PDP respectively. Here you can find detailed steps on installing and configuring these GEs.
Finally, if you want to follow the "reference" GE path, you can find some highlights in these slides.
Best regards,
Emiliano