Fiware IDM+AuthZForce+PEP-Proxy-Wilma - fiware

I'm trying to get IDM+AuthZForce+PEP-Proxy-Wilma working to secure the Orion context broker, but I'm having a bit of trouble: nothing works. Everything is up and running, but there's no authentication and no security.
I changed all the configuration files and nothing changed. I tried to populate the database (mongoDB or PostgreSQL) and nothing changed either.
All services are running in a docker-compose instance.
Has anyone already deployed this successfully?

I think you can get some help reading the following question/answers:
Fiware - How to integrate Keyrock IdM, Wilma PEP Proxy and Orion Context Broker?
I already configured Orion+Keyrock+Wilma. Here is the link for a simple tutorial on how to integrate them.
The AuthZForce is still mysterious for me. Recently I asked the following question about it:
FIWARE AuthZForce 5.4.1 is not installing
If you continue with some doubt related to Orion+Keyrock+Wilma, say it and perhaps I can help you.
I hope the suggested link can be useful for you.

Related

fiware-orion context broker mongoDB docker

I am trying to run Orion Context Broker on Linux Mint using docker, but I can't start it. I also tried installing MongoDB version 3.2 on Linux Mint using docker, but can't find any installation solution.
Can someone help me?
Thank you for your help!!!
Orion, at startup, connects to Mongo. If mongo isn't accepting the connection, Orion exits. There is nothing the broker can do without its database.
So, that would explain why Orion doesn't start.
Why such an old version of Mongo?
Lastly, if you add detailed information on the problem you see, perhaps you can get some help. Without that, there's no way to help.

Fiware IDAS & Orion Production Deployment

I would like to know what the common deployment pattern is for IDAS and Orion in a production environment. Are they usually deployed as docker images or as a native service? If they are docker images, do they usually go together in one container or in separate containers?
Thank you.
I can provide an answer from the point of view of Orion Context Broker (I hope that some of my colleagues from IDAS team can answer also that part).
Deployment options (look for slides "How to get Orion" in this presentation) are the following ones:
Image in FIWARE Lab cloud
Docker container
VirtualBox image
RPM installation (from FIWARE repositories)
Compiling from sources
For IDAS it depends on the specific IoT-Agent you are using.
If you are using Ultralight2.0/HTTP or MQTT to connect devices, all the information for installation is available here:
https://github.com/telefonicaid/fiware-IoTAgent-Cplusplus/blob/release/1.3.0/README.md
On the other hand, if you will use OMA LWM2M/CoAP to connect devices, this info is here:
https://github.com/telefonicaid/lightweightm2m-iotagent/blob/master/docs/administrationGuide.md
Also, docker files are available here:
http://catalogue.fiware.org/enablers/backend-device-management-idas/creating-instances
Hope this helps.
Cheers,

Hosting html file over mosquitto

I just found that mosquitto has got a websockets upgrade which allows it to host HTTP services.
I tried hosting an html file using the websockets feature on port 8080.
The mosquitto broker seems to start fine and the mqtt services on the other ports seem to function properly. But when I try to access the html file over localhost I get a response saying no data was sent by the server.
I am not sure where my mistake lies. Any ideas?
Mosquitto is not an HTTP server; it cannot serve generic files.
The HTTP listener is only there to facilitate an upgrade to the websocket protocol in order to run MQTT over a websocket connection.
You might want to look for a different broker that is flexible enough to do what you're looking for. I don't know of any MQTT broker that allows you to do that out of the box, but many are fairly extensible. One I can talk about is VerneMQ, as I am one of its core developers. Developing a simple VerneMQ plugin that serves some static files over HTTP is a matter of a few lines of code, as the plugin only requires setting up some configuration for the internal webserver.
However, unfortunately we haven't documented this feature yet. But feel free to drop us a line if such an approach sounds interesting to you.
Cheers,
Andre

How to connect to my MQTT Broker in Openshift

Following these two tutorials (https://www.anavi.org/article/182/ and http://wei-meilin.blogspot.tw/2014/05/red-hat-openshift-xpaas-simple-mqtt.html) I have installed a MQTT Broker using JBoss Fuse.
Although my mqtt-container disappears after a while (I don't know why) I can make a port-forwarding and test the broker.
But I would like to know how to connect directly to the broker. Do you know how to do it?
I have tried this tutorial (http://training.runcloudrun.com/advanced/16-Network-and-Protocols.md.html - AMQ Example) but I don't have access to "/var/lib/openshift/.httpd.d/sniproxy.cfg"
I am the author of the first tutorial that you pointed out. If you want to use MQTT without local port forwarding please have a look at the remark at the article on my blog and the AMQ cartridge that demonstrates the SNI features:
The port forwarding is not convenient for real-life cases, especially if the MQTT clients are running on embedded devices such as microcontrollers, and it is recommended to use an SNI Proxy as explained here: http://training.runcloudrun.com/advanced/16-Network-and-Protocols.md.html
I was using Online Openshift and that feature is only available for Enterprise edition.
Why doesn't Openshift have this feature (complete) in the Online mode?
One way to work around this is to use the MQTT over websocket feature with a DIY cartridge. See the SO question "How can I access socket through Openshift" for some pointers to further details about how to run websocket on openshift.
Mosquitto seems to have implemented the websocket feature, though I have not verified this by testing it.

How to configure the Fiware PEP WILMA proxy to use a Keyrock and Orion instance on my own servers

I've spent most of the day trying to configure the Fiware PEP proxy Wilma to secure an Orion Context Broker I have running on a development server. The documentation here: http://forge.fiware.org/plugins/mediawiki/wiki/fiware/index.php/PEP_Proxy_-Wilma-_Installation_and_Administration_Guide is not clear.
Here is my setup:
A Fiware Keyrock instance running on server1, port 3000
A PEP Proxy running on server 1
An Orion Context Broker running on server2, port 1026
The manual states to edit the config.js script. Here is what I changed (Stack Overflow prevents me from entering URLs, so replace http.. with http:)
config.account_host = 'http..//localhost:3000';
config.keystone_host = 'http..//server1';
config.keystone_port = 3000;
config.app_host = 'server2';
config.app_port = '1026';
config.username = '***** username of the user in Keyrock *****';
config.password = '***** password of the user in Keyrock *****';
Here is the error
~/fi-ware-pep-proxy$ node server.js
express deprecated app.configure:
Check app.get('env') in an if statement server.js:30:5 Starting PEP proxy. Keystone authentication ... Error in keystone communication
Error: getaddrinfo ENOTFOUND
at errnoException (dns.js:37:11)
at Object.onanswer [as oncomplete] (dns.js:124:16)
My Orion and Keyrock instances are up and running. I can query them with curl or a browser.
I really have no idea what I should be filling in config.js to get this set up.
I hope this helps. We are working on deploying some of the Generic Enablers, including IdM, Wilma PEP and Orion among others, using docker and docker-compose.
This environment, called Fiware-devguide-APP, is actually under construction, but you can test the environment (already working) and also check our configuration here.
We are updating all the documentation!
For this, we have the images here.
Docker and docker-compose are required.
If you already have them, to start all the apps integrated in Devguide, you just have to clone the repository:
git clone https://github.com/Bitergia/fiware-devguide-app.git
And then run docker-compose using the .yml file in the fiware-devguide-app/docker/compose:
docker-compose -f docker-compose.yml up -d
So you will have all the containers up! Finally, add the IP of the devguide container (compose_devguide_1) to your /etc/hosts and you will be able to browse it :)
Explanation:
We've gone through several configurations for this. I assume you are interested in IdM and Wilma PEP, so here is what we did:
We've installed an IdM GE from scratch, providing the desired users, roles, and permissions. Here you can find what we added in the test_data method:
We've added test users
Couple organizations
Our app
Roles for the application
And permissions for the actions
Note that all that provisioning could also have been done using the Keystone REST API.
Also, here you can find the Dockerfile, i.e. how it has been installed.
We've installed an AuthZForce for the role management as explained in the tour guide. You will need it, as wilma-pep will send PDP requests to validate requests against the protected resource.
Finally the PEP Wilma. Here you can find the configuration files.
How does it work?
Here goes the trick. Let's assume the env has AuthZForce (Access Control), IdM, PEP Wilma, Orion (the app to be protected) and the devguide. As we use docker-compose, all these steps are done almost at the same time! :)
In AuthZForce, we need to create a domain as stated in the documentation, and we do it here.
The script itself retrieves the domain ID and parses the config.js file of PEP Wilma in this line using the right path.
The config.js is simple:
account_host and keystone_host are in the same container, 'idm'. Docker-compose handles this by adding aliases to the /etc/hosts of each container, which makes the process much easier, and we don't need to handle the IPs ourselves.
app_host and app_port are the IP and port of the app to protect; in our case it is 'orion'!
config.username and config.password: we've created a user 'pepproxy' in the provisioning we explained before, exactly here. (Note that this user must have domain roles assigned in order to work, as done here.)
And the azf configuration, which also contains the 'authzforce' host and where the path is parsed as explained before.
Adding the authzforce configuration to IdM and PEP (i.e. domain)
Get an OAuth2 token as explained here.
Finally, with this token and everything running, you can open compose_devguide_1. It has different resources that can be reached depending on the roles you have been assigned in IdM. For example, 'user0#test.com' can access all the resources, while the other one can access only the restaurants.
Hope I was clear enough.
Best!
Right now requests from PEPs are not sent directly to the IdM. They use an OpenStack-compliant server (Keystone Proxy). So if you want to use it you have to install this component as well. Anyway, in two weeks we are going to change this behaviour.
Hope this helps
We are installing a Fiware environment on a local machine; we intend to have an Orion context broker with a Keyrock IdM instance. We understand that we need to use a PEP Proxy in order to check the tokens of the requests to the Orion context broker. We use Keyrock IdM, so we are wondering whether we can do this or not. Is there any way to use them now without installing anything else, or are we supposed to install the keystone proxy too?
This is the keystone proxy that we have found:
https://github.com/ging/fi-ware-keystone-proxy
If this is the case, how do we have to configure the PEP proxy? Where do we have to put the data to connect to the Keyrock IdM and where are we supposed to indicate the keystone information?
New versions are ready. Now you only need Keyrock and PEP Proxy. As explained here, validations go directly to IdM. Hope this helps.