[英]Setting up PEP Proxy
我一直在研究PEP-Proxy-Steelskin,所以我可以為我的Orion Context提供一些安全層,但是,有些問題阻礙了我的進步。
我想使用IDM和Keystone全局實例。
我按照各自的指示( https://github.com/telefonicaid/fiware-pep-steelskin )成功安裝了pepProxy,但結果總是一樣的:
{
"name": "KEYSTONE_AUTHENTICATION_ERROR",
"message": "There was a connection error while authenticating to Keystone: 500"
}
我在config.js
文件中使用的配置如下所示:
var config = {};
// Protected Resource configuration
//--------------------------------------------------
// Configures the address of the component that is being proxied and the address of the proxy itself.
config.resource = {
original: {
/**
* Host that is being proxied.
*/
host: 'account.lab.fiware.org',
/**
* Port where the proxied server is listening.
*/
port: 10026
},
proxy: {
/**
* Port where the proxy is listening to redirect requests.
*/
port: 1026,
/**
* Administration port for the proxy.
*/
adminPort: 11211
}
};
// Access Control configuration
//--------------------------------------------------
/**
* This options can be used to configure the address and options of the Access Control, responsible of the request
* validation.
*/
config.access = {
/**
* Indicates whether the access control validation should be enabled. Defaults to false.
*/
disable: false,
/**
* Protocol to use to access the Access Control.
*/
protocol: 'http',
/**
* Host where the Access Control is located.
*/
host: 'account.lab.fiware.org',
/**
* Port where the Access Control is listening.
*/
port: 7070,
/**
* Path of the authentication action.
*/
path: '/pdp/v3'
}
// User identity configuration
//--------------------------------------------------
/**
* Information about the Identity Manager server from where the information about a user will be drawn.
*/
config.authentication = {
checkHeaders: false,
module: 'keystone',
user: 'pep_proxy_99c595...',
password: 'e3025a2...',
domainName: 'matest',
retries: 3,
cacheTTLs: {
users: 1000,
projectIds: 1000,
roles: 60,
validation: 120
},
options: {
protocol: 'http',
host: 'cloud.lab.fiware.org',
port: 5000,
path: '/v3/role_assignments',
authPath: '/v3/auth/tokens'
}
};
// Security configuration
//--------------------------------------------------
config.ssl = {
/**
* This flag activates the HTTPS protocol in the server. The endpoint always listen to the indicated port
* independently of the chosen protocol.
*/
active: false,
/**
* Key file to use for codifying the HTTPS requests. Only mandatory when the flag active is true.
*/
keyFile: '',
/**
* SSL Certificate to present to the clients. Only mandatory when the flag active is true.
*/
certFile: ''
}
/**
* Default log level. Can be one of: 'DEBUG', 'INFO', 'WARN', 'ERROR', 'FATAL'
*/
config.logLevel = 'FATAL';
// List of component middlewares
//-------------------------------------------------
/**
* To validate the request, the proxy needs some information that is dependant of the component: the action that a
* request is going to execute. How to detect the action given the request is component-specific logic, that can be
* codified in a middleware-like function that will be executed before the user validation. This logic must populate
* the 'action' parameter of the request.
*/
config.middlewares = {
/**
* Indicates the module from where the middlewares will be loaded.
*/
require: 'lib/plugins/orionPlugin',
/**
* Indicates the list of middlewares to load.
*/
functions: [
'extractCBAction'
]
};
/**
* If this flag is activated, whenever the pepProxy is not able to redirect a request, instead of returning a 501 error
* (that is the default functionality) the PEP Proxy process will exit with a -2 code.
*/
config.dieOnRedirectError = false;
/**
* Name of the component. It will be used in the generation of the FRN.
*/
config.componentName = 'orion';
/**
* Prefix to use in the FRN (Not to change, usually).
*/
config.resourceNamePrefix = 'fiware:';
/**
* Indicates whether this PEP should have an admin bypass or not. If it does, whenever a user request arrives to the
* PEP from a user that has the role defined in the "adminRoleId" property, that request is not validated against the
* Access Control, but it is automatically proxied instead.
*/
config.bypass = false;
/**
* ID of the admin user if it exists. Only effective if the "bypass" property is true.
*/
config.bypassRoleId = '';
/**
* Configures the maximum number of clients that can be simultaneously queued while waiting for the PEP to
* authenticate itself against Keystone (due to an expired token).
*/
config.maxQueuedClients = 1000;
module.exports = config;
在這方面:
account.lab.fiware.org
作為資源和訪問主機是否正確,還是應該使用不同的主機? cloud.lab.fiware.org
作為身份驗證主機是否正確? 有沒有人對我的問題有任何暗示?
注意:我已經嘗試過不同的帖子並取得了成功。 部分是因為其中許多解決方案都安裝了自己的keystone,例如: PEP-Proxy-Steelskin日志配置 , PEP代理配置文件,用於集成IDM GE,PEP代理和Cosmos大數據 , PEP-Proxy-Steelskin日志配置 。 這個與我一直在做的事情更相關,但我相信還不是最新的: Fiware Orion - pepProxy
我@netzahdzc對不起,如果這不是您希望的回復,但我暫時不使用Fiware技術,所以我不記得一切,但我會盡力幫助。
使用account.lab.fiware.org作為資源和訪問主機是否正確,還是應該使用不同的主機?
我認為你使用的是正確的,請參考GitHub項目的配置文件,這個項目是“舊”的,所以有些東西可能已經從Fiware方面改變了......正如你在PepProxy中看到的那樣 - config.js我使用的實例和你一樣:
config.account_host = 'https://account.lab.fiware.org';
config.keystone_host = 'cloud.lab.fiware.org';
config.keystone_port = 4730;
使用cloud.lab.fiware.org作為身份驗證主機是否正確?
在我使用的配置(上圖)中,您可以看到account_host是account.lab.fiware.org , keystone_host (用於身份驗證)是cloud.lab.fiware.org ,所以我認為你是對的。
用戶和密碼由我的IDM Global Instance自動創建。 角色和權限通過相同的全局實例分配。 這個程序是否被挪用或者我應該遵循另一個程序?
我不會深入研究這個問題但是對於回憶是的你是對的,角色和權限應該由Keystone Global Instance處理,但我不知道自從我使用它以來是否有變化。
很抱歉,如果我無法提供幫助,請嘗試查看您是否可以使用我的某些配置,或者至少它可以幫助您。 您也可以嘗試與DanielMoránJiménez交談,我相信他可以幫助您更好地照顧我。
你有什么建議嗎?
我認為如果你想使用IdM的全局實例,作為身份驗證的身份提供者,你必須填充config.js值,如下面的代碼片段所示,但我不確定它是否會起作用。
// User identity configuration
//--------------------------------------------------
/**
* Information about the Identity Manager server from where the information about a user will be drawn.
*/
config.authentication = {
checkHeaders: true,
module: 'keystone',
user: 'pep_proxy_1234...',
password: 'my-autogenerated-password',
domainName: 'Default',
retries: 3,
cacheTTLs: {
users: 1000,
projectIds: 1000,
roles: 60,
validation: 120
},
options: {
protocol: 'http',
host: 'cloud.lab.fiware.org',
port: 4730,
path: '/v3/role_assignments',
authPath: '/v3/auth/tokens'
}
};
當然,將字段user和password替換為IDM Global Instance自動創建的值。
但是,我認為您應該使用PEP代理GE( Wilma PEP代理 )的參考實現,以防您仍然想要使用Fiware Cloud的全局實例。
您正在使用Telefonica實施此GE ,從我的觀點來看,它與Wilma存在一些差異,我不能100%確定它是否可以與IdM Keyrock和授權PDP Authzforce的參考實現集成,后者使用全局實例Fiware Cloud 。
一種完全不同的方法,可能是使用您自己的IdM實例,PDP授權和PEP代理通用啟動器(GE)。 在這種情況下,您仍然可以使用這三個組件的引用實現,或者您可以使用Steelskin PEP代理。 如果您遵循Steelskin路徑,我建議您使用Keystone-spassword和Keypass ,它們分別是Telefonica的IdM和授權PDP實現。 在這里,您可以找到有關安裝和配置此GE的一步一步的優秀信息。
最后,如果您想要遵循“參考”GE路徑,您可以在此幻燈片中找到一些亮點。
問候,
埃米利亞諾
聲明:本站的技術帖子網頁,遵循CC BY-SA 4.0協議,如果您需要轉載,請注明本站網址或者原文地址。任何問題請咨詢:yoyou2525@163.com.