
I've spent most of the day trying to configure the Fiware PEP proxy Wilma to secure an Orion Context Broker I have running on a development server. The documentation here: http://forge.fiware.org/plugins/mediawiki/wiki/fiware/index.php/PEP_Proxy_-Wilma-_Installation_and_Administration_Guide is not clear.

Here is my setup:

  • A Fiware Keyrock instance running on server1, port 3000
  • A PEP Proxy running on server 1
  • An Orion Context Broker running on server2, port 1026

The manual states to edit the config.js script. Here is what I changed (Stackoverflow prevents me from entering URLs, so replace http.. with http:)


config.account_host = 'http..//localhost:3000';

config.keystone_host = 'http..//server1';
config.keystone_port = 3000;

config.app_host = 'server2';
config.app_port = '1026';

config.username = '***** username of the user in Keyrock *****';
config.password = '***** password of the user in Keyrock *****';

Here is the error


~/fi-ware-pep-proxy$ node server.js
express deprecated app.configure: Check app.get('env') in an if statement server.js:30:5
Starting PEP proxy. Keystone authentication ...
Error in keystone communication Error: getaddrinfo ENOTFOUND
    at errnoException (dns.js:37:11)
    at Object.onanswer [as oncomplete] (dns.js:124:16)


My Orion and Keyrock instances are up and running. I can query them with curl or a browser.

I really have no idea what I should be filling in the config.js to get this set up.

Robin
  • I am trying to configure the EXACT same configuration using those three GEs and just want to know if you received an answer yet? – Vrankela Jul 27 '15 at 13:24
  • We let this rest a while, hoping the Fiware GE's would mature in the meantime. Recently we picked this up again and now have working local instances of KeyRock IdM, Wilma PEP Proxy and Wirecloud GE that are correctly linked together. There are still a number of important bugs in the KeyRock and Wilma GE's that the GE developers are working on, but the most important functions are up and running for us. In a few weeks I will have time to write up how we accomplished this. In the meantime, all the issues we ran into are on stackoverflow (asked by me). – Robin May 26 '16 at 07:47

4 Answers


I hope this helps. We are working on deploying some of the Generic Enablers, including IdM, Wilma PEP and Orion among others, using docker and docker-compose.

This environment, called Fiware-devguide-APP, is actually under construction, but you can test the environment (already working) and also check our configuration here.

We are updating all the documentation!

For this, we have the images here.

Docker and docker-compose are required.

If you already have them, to start all the apps integrated in Devguide, you just have to clone the repository:

git clone https://github.com/Bitergia/fiware-devguide-app.git

And then run docker-compose using the .yml file in the fiware-devguide-app/docker/compose:

docker-compose -f docker-compose.yml up -d

So you will have up all the containers! Finally, add the ip of the devguide container (compose_devguide_1) to your /etc/hosts and you will be able to browse it :)

Explanation:

We went through several configurations for this. I assume you are interested in IdM and Wilma PEP, so here is what we did:

  1. We installed an IdM GE from scratch, providing the users, roles, and permissions desired. Here you can find what we added in the test_data method:

Note that all that provisioning could also have been done using the Keystone REST API.

Also here you can find the Dockerfile, i.e. how it has been installed.

  2. We installed an Authzforce for the role management as explained in the tour guide. You will need it, as wilma-pep will send the PDP requests to validate requests against the protected resource.

  3. Finally the PEP Wilma. Here you can find the configuration files.

How does it work?

Here goes the trick. Let's assume the env Authzforce (Access Control), IdM, PEP Wilma, Orion (the app to be protected) and the devguide. As we use docker-compose, all these steps are done almost at the same time! :)

  1. In authzforce, we need to create a domain as stated in the documentation, and we do it here.

  2. The script itself retrieves the domain ID and, it parses the config.js file of the PEP Wilma in this line using the right path.

  3. The config.js is simple:

    • account_host and keystone_host are in the same container 'idm'. Docker-compose handles this by adding aliases to the /etc/hosts of each container, which makes the process much easier, and we don't need to handle the IPs ourselves.
    • app_host and app_port are the IP and port of the app to protect; in our case it is 'orion'!
    • config.username and config.password. We've created a user 'pepproxy' in the provision we explained before, exactly here. (Note that this user must have domain roles assigned in order to work, as done here).
    • And the azf configuration, which also contains the 'authzforce' host and where the path is parsed as explained before.
  4. Adding the authzforce configuration to IdM and PEP (i.e. domain)

  5. Get an Oauth2 token as it explains here.

  6. Finally, with this token and everything running, you can open the compose_devguide_1. It has different resources that can be reached depending on the roles you have assigned at IdM. For example, 'user0@test.com' can access all the resources, while the other one can access only the restaurants.

Hope I was clear enough.

Best!

albertinisg
  • Is this possible to do without authZforce? I want to establish an env with keyrock, pep proxy and context broker. But my situation is that I have CB and pep proxy installed on one machine and I want to consume the global instance of keyrock from fiware lab. What are my options for such a scenario? – Vrankela Aug 20 '15 at 08:48
  • The thing is, how are you going to validate the requests against PEP without Authzforce? PEP sends the PDP requests against Authzforce to validate resources, so Authzforce is needed. With this, I'm not saying your scenario is not possible, what I mean is that it is possible but using the global Authzforce :) – albertinisg Aug 20 '15 at 09:32
  • Ok, so I incorporate authZforce. Do I install it on my machine (where my pep proxy and Context Broker are) or do I use a global Authzforce (which I have no idea where it is)? – Vrankela Aug 20 '15 at 11:11
  • If you are using the Keyrock global instance, you can't configure there your own Authzforce, so you will need to use the global one. PEP Wilma at its `config.js.template` has some configuration regarding [Authzforce](https://github.com/ging/fi-ware-pep-proxy/blob/master/config.js.template#L29), so I guess that this is the Authzforce global instance (but if not, ask the administrators for it). – albertinisg Aug 20 '15 at 12:17
  • Revisiting KeyRock installation after a few months. Our config.js questions have been answered elsewhere. However the links in your description of bitergia seem to be broken. The docker compose file on github refers to images that seem to have been renamed at some point and is now broken. – Robin May 07 '16 at 22:30
  • We are trying to run our own KeyRock instance but having trouble configuring it. There is now a docker hub image called fiware/idm which runs out of the box, and the remaining question for us is how to add users, organisations and applications without creating a fiware labs environment. Your setup seems promising, but I am not clear where the data is being created (due to broken links in your answer). – Robin May 07 '16 at 22:31

right now requests from PEPs are not directly sent to the IdM. They use an Openstack compliant server (Keystone Proxy). So if you want to use it you have to install also this component. Anyway, in two weeks we are going to change this behaviour.

Hope this helps

  • Thanks for your reply. What will the behaviour be in two weeks? Will connecting to an iDM like Keyrock be supported? – Robin Apr 16 '15 at 12:42
  • Two months further, still no answer.... The Wilma PEP software has been updated at: forge.fiware.org but the user and installation manual have not, unfortunately. Does the current version of the Wilma PEP proxy support Keyrock IDM out of the box or not? If we need to install the Keystone proxy, a quick guide would save a lot of people a lot of time. Thanks in advance! – Robin Jun 15 '15 at 09:52

We are installing a Fiware environment on a local machine; we intend to have an orion context broker with a Keyrock idm instance. We understand that we need to use a Pep Proxy in order to check the tokens of the requests to the orion context broker. We use Keyrock idm, so we are wondering whether we can do this or not. Is there any way to use them now without installing anything else, or are we supposed to install the keystone proxy too?

This is the keystone proxy that we have found:

https://github.com/ging/fi-ware-keystone-proxy

If this is the case, how do we have to configure the pep proxy? Where do we have to put the data to connect to the Keyrock idm, and where are we supposed to indicate the keystone information?


new versions are ready. Now you only need Keyrock and PEP Proxy. As explained here validations go directly to IdM. Hope this helps.

Álvaro Alonso
  • The architecture is clear but the installation and administration guide is unchanged since january 2015: http://forge.fiware.org/plugins/mediawiki/wiki/fiware/index.php/PEP_Proxy_-_Wilma_-_Installation_and_Administration_Guide And it only has an example of a config.js file for Keystone. An example of a config.js for a Keyrock instance would be really helpful. Right now we are trying to guess what the config should be. What should we put in the config.account_host, config.keystone_host and config.keystone_port properties? Or are new properties introduced for the Keyrock IdM? – Robin Jun 16 '15 at 13:31