[ https://jira.fiware.org/browse/HELP-8667?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Alvaro Alonso reopened HELP-8667:
---------------------------------

> [fiware-stackoverflow] Setting up PEP Proxy
> -------------------------------------------
>
>                 Key: HELP-8667
>                 URL: https://jira.fiware.org/browse/HELP-8667
>             Project: Help-Desk
>          Issue Type: Monitor
>          Components: FIWARE-TECH-HELP
>            Reporter: Backlog Manager
>            Assignee: Alvaro Alonso
>              Labels: fiware, fiware-orion, keystone
>
> Created question in FIWARE Q/A platform on 05-05-2017 at 17:05
> {color: red}Please, ANSWER this question AT{color} http://stackoverflow.com/questions/43808743/setting-up-pep-proxy
>
> +Question:+
> Setting up PEP Proxy
>
> +Description:+
> I've been working with the PEP-Proxy-Steelskin so I can provide a security layer for my Orion Context Broker; however, there are some issues that have been blocking my progress.
> I would like to use the IDM and Keystone Global Instances.
> I've successfully installed the pepProxy by following the respective directions (https://github.com/telefonicaid/fiware-pep-steelskin); however, the result is always the same:
>
> {
>     "name": "KEYSTONE_AUTHENTICATION_ERROR",
>     "message": "There was a connection error while authenticating to Keystone: 500"
> }
>
> The configuration used in my config.js file is presented below:
>
> var config = {};
>
> // Protected Resource configuration
> //--------------------------------------------------
> // Configures the address of the component that is being proxied and the address of the proxy itself.
> config.resource = {
>     original: {
>         /**
>          * Host that is being proxied.
>          */
>         host: 'account.lab.fiware.org',
>         /**
>          * Port where the proxied server is listening.
>          */
>         port: 10026
>     },
>     proxy: {
>         /**
>          * Port where the proxy is listening to redirect requests.
>          */
>         port: 1026,
>         /**
>          * Administration port for the proxy.
>          */
>         adminPort: 11211
>     }
> };
>
> // Access Control configuration
> //--------------------------------------------------
> /**
>  * These options can be used to configure the address and options of the Access Control, responsible for the request
>  * validation.
>  */
> config.access = {
>     /**
>      * Indicates whether the access control validation should be enabled. Defaults to false.
>      */
>     disable: false,
>     /**
>      * Protocol to use to access the Access Control.
>      */
>     protocol: 'http',
>     /**
>      * Host where the Access Control is located.
>      */
>     host: 'account.lab.fiware.org',
>     /**
>      * Port where the Access Control is listening.
>      */
>     port: 7070,
>     /**
>      * Path of the authentication action.
>      */
>     path: '/pdp/v3'
> };
>
> // User identity configuration
> //--------------------------------------------------
> /**
>  * Information about the Identity Manager server from where the information about a user will be drawn.
>  */
> config.authentication = {
>     checkHeaders: false,
>     module: 'keystone',
>     user: 'pep_proxy_99c595...',
>     password: 'e3025a2...',
>     domainName: 'matest',
>     retries: 3,
>     cacheTTLs: {
>         users: 1000,
>         projectIds: 1000,
>         roles: 60,
>         validation: 120
>     },
>     options: {
>         protocol: 'http',
>         host: 'cloud.lab.fiware.org',
>         port: 5000,
>         path: '/v3/role_assignments',
>         authPath: '/v3/auth/tokens'
>     }
> };
>
> // Security configuration
> //--------------------------------------------------
> config.ssl = {
>     /**
>      * This flag activates the HTTPS protocol in the server. The endpoint always listens on the indicated port
>      * independently of the chosen protocol.
>      */
>     active: false,
>     /**
>      * Key file to use for encrypting the HTTPS connections. Only mandatory when the flag active is true.
>      */
>     keyFile: '',
>     /**
>      * SSL Certificate to present to the clients. Only mandatory when the flag active is true.
>      */
>     certFile: ''
> };
>
> /**
>  * Default log level. Can be one of: 'DEBUG', 'INFO', 'WARN', 'ERROR', 'FATAL'
>  */
> config.logLevel = 'FATAL';
>
> // List of component middlewares
> //-------------------------------------------------
> /**
>  * To validate the request, the proxy needs some information that is dependent on the component: the action that a
>  * request is going to execute. How to detect the action given the request is component-specific logic, that can be
>  * codified in a middleware-like function that will be executed before the user validation. This logic must populate
>  * the 'action' parameter of the request.
>  */
> config.middlewares = {
>     /**
>      * Indicates the module from where the middlewares will be loaded.
>      */
>     require: 'lib/plugins/orionPlugin',
>     /**
>      * Indicates the list of middlewares to load.
>      */
>     functions: [
>         'extractCBAction'
>     ]
> };
>
> /**
>  * If this flag is activated, whenever the pepProxy is not able to redirect a request, instead of returning a 501 error
>  * (that is the default functionality) the PEP Proxy process will exit with a -2 code.
>  */
> config.dieOnRedirectError = false;
>
> /**
>  * Name of the component. It will be used in the generation of the FRN.
>  */
> config.componentName = 'orion';
>
> /**
>  * Prefix to use in the FRN (Not to change, usually).
>  */
> config.resourceNamePrefix = 'fiware:';
>
> /**
>  * Indicates whether this PEP should have an admin bypass or not. If it does, whenever a user request arrives to the
>  * PEP from a user that has the role defined in the "adminRoleId" property, that request is not validated against the
>  * Access Control, but it is automatically proxied instead.
>  */
> config.bypass = false;
>
> /**
>  * ID of the admin user if it exists. Only effective if the "bypass" property is true.
>  */
> config.bypassRoleId = '';
>
> /**
>  * Configures the maximum number of clients that can be simultaneously queued while waiting for the PEP to
>  * authenticate itself against Keystone (due to an expired token).
>  */
> config.maxQueuedClients = 1000;
>
> module.exports = config;
>
> In this context:
> Is it right to use account.lab.fiware.org as resource and access host, or should I use a different one?
> Is it right to use cloud.lab.fiware.org as authentication host?
> The user and password are automatically created by my IDM Global Instance. Roles and privileges are being assigned through the same Global Instance. Is this procedure appropriate, or should I follow a different one?
> Am I missing something?
> Does anyone have any hint for my issues?
>
> Notes: I have already tried different posts with success. In part because many of those solutions have installed their own keystone, for instance: PEP-Proxy-Steelskin Log configuration, PEP proxy config file for integration of IDM GE, PEP proxy and Cosmos big data, PEP-Proxy-Steelskin Log configuration. This one is the one that is more related to what I've been working on, but still, I believe it is not up to date: Fiware Orion - pepProxy

--
This message was sent by Atlassian JIRA
(v6.4.1#64016)