[英]Fiware - How to integrate Keyrock IdM, Wilma PEP Proxy and Orion Context Broker?
I read all the documentation of Keyrock and Wilma and I watched all the videos in the FIWARE Academy, but I still do not get success in this integration. 我阅读了Keyrock和Wilma的所有文档,并且在FIWARE学院观看了所有视频,但是在这种集成中我仍然没有成功。 I am searching for this since a few days ago, but without success.
从几天前开始,我一直在搜索,但是没有成功。 I think the FIWARE documentation could have tutorials, hands on...
我认为FIWARE文档可能会有教程,动手实践...
I have a VM with Orion Context Broker and a container with Keyrock IdM and Wilma PEP Proxy. 我有一个带有Orion上下文代理的VM,一个带有Keyrock IdM和Wilma PEP代理的容器。 I am trying to generate an access token to grant access for an application, but I still did not get it.
我正在尝试生成访问令牌以授予对应用程序的访问权限,但是我仍然没有得到它。 Besides, I would like to know how can I securely exchange messages between the Orion Context Broker and some IoT devices.
此外,我想知道如何在Orion Context Broker和某些IoT设备之间安全地交换消息。 Indeed, it is complicated to think about IoT devices having to access a screen and put their credentials to authenticate and to be authorized like the Keyrock IdM examples show.
确实,像Keyrock IdM示例所示,考虑物联网设备必须访问屏幕并放置其凭据进行身份验证和授权很复杂。 What do you sugest?
你什么意思?
Regarding Orion, it depends on the interface to be secured, either the service API (ie the listening REST server that Orion runs typically at port 1026), the notification API or both: 关于Orion,取决于要保护的接口,或者是服务API(即Orion通常在端口1026运行的侦听REST服务器),通知API或同时满足以下两者:
-https
CLI parameter (which works in combination with -key
and -cert
). -https
CLI参数(其结合工作-key
和-cert
)。 This section of the documentation elaborates on it. X-Auth-Token
header needed by a PEP instance protecting your endpoint). X-Auth-Token
标头)您的端点)。 Note that this is currently done in an static way, ie Orion is not able to interact directly with IDM/AccessControl to set the X-Auth-Token
value dynamically after expiration, etc. However, it would be possible to develop a process able to do this and set the proper header (if you are interested in this I'd recommend to check "How to add a custom header in outgoing notifications with Orion?" post). X-Auth-Token
值,等等。但是,有可能开发出一种能够这样做并设置适当的标题(如果对此感兴趣,我建议您选中“如何在Orion的传出通知中添加自定义标题?” )。 UPDATE: since verion 1.7.0, Orion implements native HTTPS notifications (ie without needing Rush). 更新:从版本1.7.0开始,Orion实施本机HTTPS通知(即无需Rush)。
Seeing the answer of @albertinisg here , I found a bash script for token request. 在这里看到@albertinisg的答案,我找到了一个用于令牌请求的bash脚本 。 I changed it to use with my local instances and it worked.
我将其更改为与本地实例一起使用,并且可以正常工作。
After registering my application at FIWARE Portal ( more information here ), I had to make a POST request to http://idm:8000/oauth2/token (idm is my local instance of Keyrock). 在FIWARE Portal上注册我的应用程序后( 在此处了解更多信息 ),我不得不向http:// idm:8000 / oauth2 / token (idm是Keyrock的本地实例)发出POST请求。 With this valid token, I can access the content in Orion.
有了这个有效的令牌,我就可以访问Orion中的内容。
import requests, json, getpass
TOKEN_URL = "http://idm:5000/v2.0/tokens"
USER = raw_input("Username: ")
PASSWORD = getpass.getpass("Password: ")
PAYLOAD = "{\"auth\": {\"passwordCredentials\": {\"username\":\""+USER+"\", \"password\":\""+PASSWORD+"\"}}}"
HEADERS = {'content-type': 'application/json'}
RESP = requests.post(TOKEN_URL, data=PAYLOAD, headers=HEADERS)
PEP Proxy (Wilma) configuration (config.js): PEP代理(Wilma)配置(config.js):
config.app_host = 'my_orion_ip'; //change to your Orion address
config.app_port = '1026'; //change to your Orion port
config.username = 'pep_proxy_credential_obtained_at_portal';
config.password = 'password_obtained_at_portal';
With the valid token and the PEP Proxy (Wilma) server running with this configuration, it is possible to control the access to Orion doing a request to PEP Proxy address. 通过使用该配置运行有效令牌和PEP代理(Wilma)服务器,可以控制对Orion的访问,并向PEP代理地址发出请求。 The PEP Proxy will redirect this request to IdM (Keyrock) so that IdM can verify the user/device credentials.
PEP代理会将此请求重定向到IdM(Keyrock),以便IdM可以验证用户/设备凭据。 If the credentials are valid, the user/device will receive a valid token and now PEP Proxy can allow the access to Orion.
如果凭据有效,则用户/设备将收到有效令牌,并且现在PEP代理可以允许访问Orion。
For HTTPS communication, I configured a Nginx server to act like a reverse proxy (.conf file): 对于HTTPS通信,我将Nginx服务器配置为充当反向代理(.conf文件):
server {
listen 443;
server_name orion;
ssl on;
ssl_certificate /etc/nginx/ssl/orion.crt;
ssl_certificate_key /etc/nginx/ssl/orion.key;
...
...
location / {
#root orion:1026; #/var/www/yourdomain.com;
#index index.php index.html index.htm;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
# Fix the “It appears that your reverse proxy set up is broken" error.
proxy_pass http://orion:1026;
proxy_read_timeout 90;
proxy_redirect http://orion:1026 https://orion;
}
}
I made a simple tutorial about the integration of FIWARE Orion, Wilma and Keyrock: https://www.slideshare.net/daltoncezane/integrating-fiware-orion-keyrock-and-wilma 我做了一个有关FIWARE Orion,Wilma和Keyrock集成的简单教程: https ://www.slideshare.net/daltoncezane/integrating-fiware-orion-keyrock-and-wilma
I hope this answer can help someone else. 我希望这个答案可以帮助其他人。
The following presentation shows you step by step how to create a FIWARE-Based IoT Platform and to secure it using a PEP Proxy, Keystone and Keypass. 以下演示逐步介绍了如何创建基于FIWARE的IoT平台以及如何使用PEP代理,Keystone和Keypass对其进行保护。
https://docs.google.com/presentation/d/18LaWZSK4h2wncPF6hNAwK5MToLvJesR3XLrzsqrsmrw/edit?usp=sharing https://docs.google.com/presentation/d/18LaWZSK4h2wncPF6hNAwK5MToLvJesR3XLrzsqrsmrw/edit?usp=sharing
I hope this helps 我希望这有帮助
thanks 谢谢
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.