How can we add security between Orion broker and Cepheus?
How can we use Cepheus with a protected Orion broker (pep is used to secure the access to the broker)?
Thanks and best regards.
Fiware-Cepheus currently does not act as an OAuth client and does not make requests to an IDM server to retrieve the OAuth token by itself.
However, Fiware-Cepheus handles the three HTTP headers required by Orion Policy Enforcement Point (PEP) proxies: x-auth-token, fiware-servicepath and fiware-service.
These header values can be set for either Cepheus Broker or Cepheus CEP from configuration settings.
For Cepheus Broker, this configuration is currently static. See Configuration section of the Admin manual.

    remote.serviceName=tenant
    remote.servicePath=test/example
    remote.authToken=OAUTH_TOKEN

For Cepheus CEP, this configuration is more dynamic as it is part of the CEP rules provisioning and can be done independently for each outgoing event. See Configuration section of the User manual.

    "out": [
      {
        "id": "FloorX",
        "type": "Floor",
        "attributes": [
          {
            "name": "temperature",
            "type": "double",
            "metadata": [
              {
                "name": "unit",
                "type": "string"
              }
            ]
          }
        ],
        "brokers": [
          {
            "url": "http://orion.fiware.org:3000",
            "serviceName": "tenant",
            "servicePath": "test/example",
            "authToken": "OAUTH_TOKEN"
          }
        ]
      }
    ]
Related
When I try to push a custom metric to the Oracle Cloud Monitoring service using the Oracle Cloud CLI, I receive the following error:
    ServiceError:
    {
      "code": "NotAuthorizedOrNotFound",
      "message": "Authorization failed or requested resource not found.",
      "opc-request-id": "request id",
      "status": 404
    }
This occurs when using the Administrator account and when using an instance principal which has monitoring permission.
Here is the JSON that I am pushing to the Monitoring service:
    [
      {
        "namespace": "myFirstNamespace",
        "compartmentId": "tenant id",
        "resourceGroup": "myFirstResourceGroup",
        "name": "successRate",
        "dimensions": {
          "resourceId": "ocid1.exampleresource.region1.phx.exampleuniqueID",
          "appName": "myAppA"
        },
        "metadata": {
          "unit": "percent",
          "displayName": "MyAppA Success Rate"
        },
        "datapoints": [
          {
            "timestamp": "2021-06-01T22:19:20Z",
            "value": 83.0
          }
        ]
      }
    ]
The CLI command that I am using is:
    oci monitoring metric-data post --metric-data file://metric-data.json

The OCI CLI command should be:

    oci monitoring metric-data post --metric-data file://metric-data.json --endpoint https://telemetry-ingestion.{{ region }}.oraclecloud.com

replacing {{ region }} with your region.
The --endpoint https://telemetry-ingestion.{{ region }}.oraclecloud.com parameter needs to be added.
Looks like some authorization issue. Please cross-check if the instance principal has all the required permissions assigned. Please review the documents Publishing Custom Metrics and Overview of Monitoring.
I was reading the QuantumLeap docs and I was wondering how those Generic Enablers are integrated. I mean, I've deployed the docker containers and apparently they are all running; in fact I've been able to create a device in the IoTagent-LoRaWAN with the POST request, which I'm also able to retrieve with the GET request to http://localhost:4061/iot/devices, and it's apparently receiving the info from TTN, as the log shows:
fiware-iot-agent | {"timestamp":"2020-06-24T19:23:04.759Z","level":"info","message":"New message in topic"}
fiware-iot-agent | {"timestamp":"2020-06-24T19:23:04.760Z","level":"info","message":"IOTA provisioned devices:"}
fiware-iot-agent | {"timestamp":"2020-06-24T19:23:04.760Z","level":"info","message":"Decoding CaynneLPP message:AQIBbA=="}
fiware-iot-agent | {"timestamp":"2020-06-24T19:23:04.760Z","level":"error","message":"Could not cast message to NGSI"}
However ... there is a last error message that I don't know if could cause problems, "level":"error","message":"Could not cast message to NGSI"
Also ... I don't know how I should proceed now with OrionCB and QuantumLeap because ... QuantumLeap docs talk about creating an OrionCB subscription, but ... I had understood from OrionCB docs that subscriptions are created to follow a previously created entity, so ... should I create both?
Is QuantumLeap storing info from any created subscription in OrionCB? How can I tie an entity to that IoTagent-LoRaWAN device created?
Thank you all!
Well, it was apparently again a problem with the docker-compose.yml file; it was not deploying the mongoDB container correctly, thus OrionCB could not connect to it.
When all containers are deployed, the IoTagent should be able to create a new entity when you add a new device; then creating the proper subscription in OrionCB pointing the notifications to QuantumLeap should work:

    {
      "description": "Test subscription",
      "subject": {
        "entities": [
          {
            "idPattern": ".*",
            "type": "Room"
          }
        ],
        "condition": {
          "attrs": [
            "temperature"
          ]
        }
      },
      "notification": {
        "http": {
          "url": "http://quantumleap:8668/v2/notify"
        },
        "attrs": [
          "temperature"
        ],
        "metadata": ["dateCreated", "dateModified"]
      },
      "throttling": 5
    }
I'm using Orion with Keyrock, PEPproxy, Cygnus and STH-comet, but I'm having many issues with the subscriptions part. I want to send only one request to Orion to subscribe all attributes of all entities in many services like Cygnus and STH. I'm using this body but I don't know how to add another notification URL.

    {
      "subject": {
        "entities": [
          {
            "type": "Nodo_aire",
            "idPattern": ".*"
          }
        ],
        "condition": {
          "attrs": []
        }
      },
      "notification": {
        "http": {"url": "http://192.168.1.51:5050/notify"},
        "attrs": [],
        "attrsFormat": "legacy"
      },
      "expires": "2099-12-31T23:00:00.00Z",
      "throttling": 5
    }

I was reading the Orion documentation and the NGSIv2, but I don't find a related section or a solution in these documents.
Orion doesn't support (at least in the newest version) multi-URL subscriptions. However, there is an easy workaround: to implement a subscription for each one of the URLs.
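The per-URL workaround from the answer above, as an added example that is not part of the original thread: it clones the asker's subscription body once per receiver and attaches the fiware-service, fiware-servicepath and x-auth-token headers a PEP proxy checks. The hostnames, the `/v2/subscriptions` target address and the token value are constructed placeholders, and the function names are hypothetical.

```javascript
// Added example (not from the thread): one Orion subscription per receiver URL.
// Hostnames, ports and the token below are constructed placeholders.
const template = {
  subject: { entities: [{ type: "Nodo_aire", idPattern: ".*" }], condition: { attrs: [] } },
  notification: { http: { url: null }, attrs: [], attrsFormat: "legacy" },
  expires: "2099-12-31T23:00:00.00Z",
  throttling: 5
};

// Return one independent subscription body per distinct http(s) receiver URL.
function buildSubscriptions(tpl, urls) {
  const seen = new Set();
  const bodies = [];
  for (const raw of urls) {
    const u = new URL(raw); // throws on malformed input
    if (u.protocol !== "http:" && u.protocol !== "https:") {
      throw new Error("unsupported notification scheme: " + u.protocol);
    }
    if (seen.has(u.href)) continue; // same receiver twice would double the notifications
    seen.add(u.href);
    const body = JSON.parse(JSON.stringify(tpl)); // deep copy, template stays untouched
    body.notification.http.url = u.href;
    bodies.push(body);
  }
  if (bodies.length === 0) throw new Error("no notification URLs given");
  return bodies;
}

// Describe the POST for each body; orionBase is the broker or the PEP proxy in front of it.
function buildRequests(orionBase, ctx, bodies) {
  return bodies.map((body) => ({
    method: "POST",
    url: new URL("/v2/subscriptions", orionBase).href,
    headers: {
      "Content-Type": "application/json",
      "fiware-service": ctx.service,
      "fiware-servicepath": ctx.servicePath,
      "x-auth-token": ctx.token
    },
    body: JSON.stringify(body)
  }));
}

// Constructed sample: one receiver for Cygnus, one for STH-Comet.
const requests = buildRequests(
  "http://orion.example:1026",
  { service: "tenant", servicePath: "/", token: "OAUTH_TOKEN" },
  buildSubscriptions(template, ["http://cygnus.example:5050/notify", "http://sth.example:8666/notify"])
);
```

Each entry in `requests` can be handed to any HTTP client; the subscriptions are independent, so one can be deleted or expire without affecting the other.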
I'm following this example to create a simple scenario where I register a new device into the IoT Agent and it forwards it to the Context Broker. Then I want to check if the created device exists in the Context Broker, and I can't seem to find it.
These are the steps I'm doing:
1. Using Postman I'm sending a POST request to the IoT Agent:
url: http://eidas5.lab.fi-ware.org:5371/iot/devices
headers:

    APIKEY:4jggokgpepnvsb2uv4s40d59ov
    Fiware-Service:openiot
    Fiware-ServicePath:/
    Content-Type:application/json
    Accept:application/json

body:

    {
      "devices": [
        {
          "device_id": "DEV_ID",
          "entity_name": "ENTITY_ID",
          "entity_type": "thing",
          "protocol": "PDI-IoTA-UltraLight",
          "timezone": "Europe/Madrid",
          "attributes": [
            {
              "object_id": "t",
              "name": "temperature",
              "type": "int"
            }
          ],
          "static_attributes": [
            {
              "name": "att_name",
              "type": "string",
              "value": "value"
            }
          ]
        }
      ]
    }
Then I confirm that the device is registered with a GET request to the url http://eidas5.lab.fi-ware.org:5371/iot/devices/DEV_ID
request headers:
    APIKEY:4jggokgpepnvsb2uv4s40d59ov
    Fiware-Service:openiot
    Fiware-ServicePath:/
    Content-Type:application/json
    Accept:application/json

Everything seems OK so far; now I want to check where this device is in the context broker.
According to the docs:
Devices will be represented as NGSI entities in the ContextBroker at 130.206.80.40:1026 (within the FIWARE service-path "OpenIoT").
So with a GET request I should be able to see the new device, but I can't. I even tried using the fiware-servicepath and fiware-service headers as above, and I can't find it.
Any advice on this?
fiware-service should be open-iot and fiware-servicepath /
have a look at
http://fiwaretourguide.readthedocs.io/en/latest/connection-to-the-internet-of-things/how-to-read-measures-captured-from-iot-devices/
I am just starting with BlueMix and in my space I have:
a Cloud Integration service: using a Basic Secure Connection, for which I have created an API endpoint; then in that Cloud Integration service I have added the corresponding API by importing a swagger 1.2 file, and published that customAPI to my organization;
a pretty simple node.js application;
From the Cloud Integration service> API view, I can get the URLs for the different resources (for instance http://endpoint_ip:endpoint_port/api/version/path_to_resource), so I can hardcode these URLs in my node.js application and it works.
But if I bind the Cloud Integration service and even the customAPI to my node.js application, I don't get any information in VCAP_SERVICES about the endpoint URL; but I have seen examples of VCAP_SERVICES where the API URL is available.
Below is my VCAP_SERVICES
    {
      "CloudIntegration": [
        {
          "name": "Cloud Integration-b9",
          "label": "CloudIntegration",
          "plan": "cloudintegrationplan",
          "credentials": {
            "userid": "apiuser#CloudIntegration",
            "password": "S!2w3e40",
            "apis": [
              {
                "name": "Catalog Manager API",
                "desc": "Catalog Manager API",
                "resource": ""
              }
            ]
          }
        }
      ]
    }
What I am trying to achieve is to avoid hardcoding URLs in my application, since I can bind a BlueMix service to it, and perhaps get info from the environment.
Am I doing something wrong? Or is that not the way it is supposed to work?
Also I don't really get why there is nothing in the VCAP_SERVICES.CloudIntegration[0].credentials.apis[0].resource even though my customAPI specifies resources.
#Rick
Make sure you "publish" your API after configuring the Cloud Integration service. Then service credentials will reflect the changes:
    "CloudIntegration": [
      {
        "name": "Cloud Integration-v5",
        "label": "CloudIntegration",
        "plan": "cloudintegrationplan",
        "credentials": {
          "userid": "apiuser#CloudIntegration",
          "password": "S!2w3e40",
          "apis": [
            {
              "name": "SwaggerPetStore",
              "desc": "SwaggerPetStore",
              "resource": "http",
              "baseurl": "http://mypypatchank.mybluemix.net"
            }
          ]
        }
      }
    ]
In the same way, if you use the API management service, you will have a corresponding VCAP_SERVICES entry:

    "Swagger Petstore v1 : Sandbox 551b2dcf0cf2521d98d061d4 prod": [
      {
        "name": "Swagger Petstore v1 : Sandbox prod-w0",
        "label": "Swagger Petstore v1 : Sandbox 551b2dcf0cf2521d98d061d4 prod",
        "plan": "plan1 : Sandbox prod",
        "credentials": {
          "clientID": "55cfe3fa-ff59-474c-a1b6-46d3cc9871",
          "clientSecret": "uK3xM3eF4cA1qF7yW8mC2lP6wS6aG7sQ5cL2yJ4sC6iS1dE7",
          "url": "https://api.eu.apim.ibmcloud.com/garciatemx1ibmcom/sb/api"
        }
      }
    ]
Since your goal is "to avoid hardcoding URLs in my application, since I can bind a BlueMix service to it, and perhaps get info from the environment.", I would like to suggest using a user provided service.
This will create a user provided service and start interactive input for you to enter the API URL and a password. You can add more parameters if you need.

    cf cups servicename -p "url, password"

Bind this service to your application and restage. You can access these parameters in your Node.js application easily with the cfenv module.

    var cfenv = require("cfenv");
    var appEnv = cfenv.getAppEnv();
    var myService = appEnv.getService("servicename");
    // use myService.credentials.url to access the url value.
    // use myService.credentials.password to access the password value.
The user provided services VCAP_SERVICES looks like:
    {
      "user-provided": [
        {
          "name": "servicename",
          "label": "user-provided",
          "credentials": {
            "url": "myURL",
            "password": "myPassword"
          }
        }
      ]
    }
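Reading the endpoint from VCAP_SERVICES without cfenv, as an added example that is not code from either answer: it covers both shapes shown in this thread (the entry with an empty `resource` and no `baseurl`, and the published one) and refuses to return a URL when none is usable. The two documents are constructed samples, the function names are hypothetical, and in an application the first argument would be `process.env.VCAP_SERVICES`.

```javascript
// Added example (not from the thread): resolve an API base URL from VCAP_SERVICES, failing closed.
// Both documents are constructed samples shaped like the ones quoted in this thread.
const unpublished = JSON.stringify({ CloudIntegration: [{ name: "Cloud Integration-b9",
  credentials: { userid: "apiuser", password: "PLACEHOLDER",
    apis: [{ name: "Catalog Manager API", resource: "" }] } }] });
const published = JSON.stringify({ CloudIntegration: [{ name: "Cloud Integration-v5",
  credentials: { userid: "apiuser", password: "PLACEHOLDER",
    apis: [{ name: "SwaggerPetStore", resource: "http", baseurl: "http://petstore.example" }] } }] });

// Find a bound service instance by name across every service label.
function findService(vcapJson, instanceName) {
  const vcap = JSON.parse(vcapJson || "{}");
  for (const instances of Object.values(vcap)) {
    if (!Array.isArray(instances)) continue;
    const hit = instances.find((s) => s.name === instanceName);
    if (hit) return hit;
  }
  throw new Error("service not bound: " + instanceName);
}

// Return { baseUrl, userid, password } for one API, or throw if there is no usable URL.
function resolveApi(vcapJson, instanceName, apiName) {
  const creds = findService(vcapJson, instanceName).credentials || {};
  const api = (creds.apis || []).find((a) => a.name === apiName);
  if (!api) throw new Error("API not listed in credentials: " + apiName);
  if (!api.baseurl) throw new Error("no baseurl for " + apiName + " (API not published?)");
  const u = new URL(api.baseurl); // throws on a malformed value
  if (u.protocol !== "http:" && u.protocol !== "https:") throw new Error("unexpected scheme");
  return { baseUrl: u.origin, userid: creds.userid, password: creds.password };
}

// Status string for logs; the messages never contain credential values.
function describe(vcapJson, instanceName, apiName) {
  try { return "ok " + resolveApi(vcapJson, instanceName, apiName).baseUrl; }
  catch (e) { return "error: " + e.message; }
}
```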