Cuong Duong Tuan edited this page Apr 12, 2018 · 11 revisions

Keyrod step-by-step guide

Site configuration

OpenNebula configuration

OpenNebula does not require any special configuration beyond running Keystorm as its authentication server.
Groups do need to be added to the OpenNebula configuration; in Sunstone:

  • Go to System->Groups
  • Click on the Add icon, set the name (e.g. fedcloud.egi.eu), add an attribute named "KEYSTORM" with the value "YES", and create the group

Keystorm configuration

More information on Keystorm configuration can be found on the project's GitHub page.
The recommended way to run Keystorm with OpenNebula is Docker; a Docker Compose file is prepared for it (initialise Docker Swarm beforehand, since the stack relies on Swarm secrets):

version: '3.3'
services:
  keystorm:
    image: therocciproject/keystorm:${COMPOSITORY_KEYSTORM_VERSION}
    command: ["-e",  "production"]
    environment:
      HOST: 0.0.0.0
      ONE_AUTH: /run/secrets/keystorm-opennebula-auth
      KEYSTORM_OPENNEBULA_ENDPOINT: ${COMPOSITORY_OPENNEBULA_ENDPOINT}
      KEYSTORM_MEMCACHE: memcached:11211
      KEYSTORM_TOKEN_CIPHER_FILE: /run/secrets/keystorm-token-cipher
      KEYSTORM_TOKEN_KEY_FILE: /run/secrets/keystorm-token-key
      KEYSTORM_TOKEN_IV_FILE: /run/secrets/keystorm-token-iv
      KEYSTORM_BEHIND_PROXY: "true"
      KEYSTORM_ENDPOINT: ${COMPOSITORY_KEYSTORM_ENDPOINT}
      KEYSTORM_ENCRYPT_SCOPED_TOKEN: "false"
      RAILS_LOG_TO_STDOUT: "yes"
    depends_on:
      - memcached
    secrets:
      - keystorm-opennebula-auth
      - keystorm-token-cipher
      - keystorm-token-key
      - keystorm-token-iv
  apache:
    image: therocciproject/apache-occi:${COMPOSITORY_APACHE_OCCI_VERSION}
    ports:
      - "5000:5000"
    environment:
      APACHE_HOST: "*"
      APACHE_PORT: 5000
      APACHE_LOG_ERROR: /var/log/apache-occi/error.log
      APACHE_LOG_ACCESS: /var/log/apache-occi/access.log
      APACHE_PROXY: http://keystorm:3000
      APACHE_OIDC_METADATA_URL: ${COMPOSITORY_OIDC_METADATA_URL}
      APACHE_OIDC_CLIENT_ID: ${COMPOSITORY_OIDC_CLIENT_ID}
      APACHE_OIDC_INTROSPECTION_ENDPOINT: ${COMPOSITORY_OIDC_INTROSPECTION_ENDPOINT}
      APACHE_OIDC_REDIRECT_URI: http://apache/v3/auth/OS-FEDERATION/websso/oidc/redirect
      VOMS_CONFIGURATION: ${COMPOSITORY_VOMS_CONFIGURATION}
      APACHE_OIDC_CLIENT_SECRET_FILE: /run/secrets/apache-oidc-client-secret
      APACHE_OIDC_CRYPTO_PASSPHRASE_FILE: /run/secrets/apache-oidc-crypto-passphrase
      DEBUG: 1
      APACHE_LOG_LEVEL: debug
    secrets:
      - apache-oidc-client-secret
      - apache-oidc-crypto-passphrase
    depends_on:
      - keystorm
  memcached:
    image: memcached:latest

secrets:
  apache-oidc-client-secret:
    external: true
  apache-oidc-crypto-passphrase:
    external: true
  keystorm-opennebula-auth:
    external: true
  keystorm-token-cipher:
    external: true
  keystorm-token-key:
    external: true
  keystorm-token-iv:
    external: true

Description of the secrets:

  • apache-oidc-client-secret: the OIDC client secret that pairs with the Keystorm client ID, explained in the next paragraph
  • apache-oidc-crypto-passphrase: random passphrase
  • keystorm-opennebula-auth: admin login credentials for OpenNebula in the format oneadmin:password
  • keystorm-token-cipher: cipher used, e.g. AES-128-CBC
  • keystorm-token-key: random passphrase with a length of 16 characters
  • keystorm-token-iv: random initialization vector with a length of 16 characters
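The six secrets above have to exist in the swarm before the stack is deployed. The following script is an added example, not part of Keyrod or Keystorm: it generates the random values with the lengths listed above and registers them under the secret names the compose file references. It assumes the operator has exported ONE_PASSWORD (the oneadmin password) and OIDC_CLIENT_SECRET (from the EGI OIDC devel site) before running it with the argument "create".

```shell
#!/bin/sh
# Added example (not from the Keyrod/Keystorm project): create the docker
# secrets referenced by the compose file. Secret names come from the compose
# file; ONE_PASSWORD and OIDC_CLIENT_SECRET are assumed operator-provided.
set -eu

# Random alphanumeric string of the requested length. AES-128-CBC, the cipher
# named in the secret description, uses a 16-byte key and a 16-byte IV, which
# is why the token key and IV are generated with length 16 below.
gen_passphrase() {
  # 96 random bytes yield 128 base64 characters, plenty for any length used here
  head -c 96 /dev/urandom | base64 | tr -dc 'A-Za-z0-9' | head -c "$1"
}

# Exact-length check against the length the secret description requires.
check_len() {
  [ "${#1}" -eq "$2" ]
}

# The OpenNebula credential must have the oneadmin:password shape.
check_one_auth() {
  case "$1" in
    ?*:?*) return 0 ;;
    *)     return 1 ;;
  esac
}

# Register one secret, reading its value from stdin ("-").
create_secret() {
  docker secret create "$1" -
}

create_all() {
  key=$(gen_passphrase 16); check_len "$key" 16
  iv=$(gen_passphrase 16);  check_len "$iv" 16
  one_auth="oneadmin:$ONE_PASSWORD"; check_one_auth "$one_auth"

  printf '%s' "$one_auth"           | create_secret keystorm-opennebula-auth
  printf '%s' 'AES-128-CBC'         | create_secret keystorm-token-cipher
  printf '%s' "$key"                | create_secret keystorm-token-key
  printf '%s' "$iv"                 | create_secret keystorm-token-iv
  printf '%s' "$OIDC_CLIENT_SECRET" | create_secret apache-oidc-client-secret
  gen_passphrase 32                 | create_secret apache-oidc-crypto-passphrase
}

# Only talk to docker when explicitly asked, so the helper functions can be
# sourced and checked on a machine without a swarm.
if [ "${1:-}" = "create" ]; then
  create_all
fi
```

Values are passed to docker on stdin rather than as command-line arguments, so they do not end up in the shell history or process listings.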

Some environment variables need to be set before launching the compose stack. Keep in mind to change localhost to the actual site URL and to generate a client ID/secret at the EGI OIDC devel site: the ID part goes to COMPOSITORY_OIDC_CLIENT_ID and the secret needs to be saved as the docker secret apache-oidc-client-secret:

export APACHE_OIDC_REDIRECT_LOCATION=http://apache/v3/auth/OS-FEDERATION/websso/oidc/redirect
export COMPOSITORY_KEYSTORM_VERSION=latest
export COMPOSITORY_APACHE_OCCI_VERSION=latest
export COMPOSITORY_OPENNEBULA_ENDPOINT=http://localhost:2633/RPC2
export COMPOSITORY_KEYSTORM_ENDPOINT=https://localhost:5000
export COMPOSITORY_OIDC_METADATA_URL=https://aai-dev.egi.eu/oidc/.well-known/openid-configuration
export COMPOSITORY_OIDC_CLIENT_ID=KEYSTORM_API_ID
export COMPOSITORY_OIDC_INTROSPECTION_ENDPOINT=https://aai-dev.egi.eu/oidc/introspect
export COMPOSITORY_VOMS_CONFIGURATION='{"vos":[{"name":"ops","endpoints":[{"name":"lcg-voms2.cern.ch.lsc","dns":["/DC=ch/DC=cern/OU=computers/CN=lcg-voms2.cern.ch","/DC=ch/DC=cern/CN=CERN Grid Certification Authority"]},{"name":"voms2.cern.ch.lsc","dns":["/DC=ch/DC=cern/OU=computers/CN=voms2.cern.ch","/DC=ch/DC=cern/CN=CERN Grid Certification Authority"]},{"name":"lcg-voms.cern.ch.lsc","dns":["/DC=ch/DC=cern/OU=computers/CN=lcg-voms.cern.ch","/DC=ch/DC=cern/CN=CERN Trusted Certification Authority"]},{"name":"voms.cern.ch.lsc","dns":["/DC=ch/DC=cern/OU=computers/CN=voms.cern.ch","/DC=ch/DC=cern/CN=CERN Trusted Certification Authority"]}]},{"name":"biomed","endpoints":[{"name":"cclcgvomsli01.in2p3.fr.lsc","dns":["/O=GRID-FR/C=FR/O=CNRS/OU=CC-IN2P3/CN=cclcgvomsli01.in2p3.fr","/C=FR/O=CNRS/CN=GRID2-FR"]}]},{"name":"enmr.eu","endpoints":[{"name":"voms-02.pd.infn.it.lsc","dns":["/C=IT/O=INFN/OU=Host/L=Padova/CN=voms-02.pd.infn.it","/C=IT/O=INFN/CN=INFN Certification Authority"]},{"name":"voms2.cnaf.infn.it.lsc","dns":["/C=IT/O=INFN/OU=Host/L=CNAF/CN=voms2.cnaf.infn.it","/C=IT/O=INFN/CN=INFN Certification Authority"]}]},{"name":"highthroughputseq.egi.eu","endpoints":[{"name":"voms1.grid.cesnet.cz.lsc","dns":["/DC=org/DC=terena/DC=tcs/C=CZ/ST=Hlavni mesto Praha/L=Praha 6/O=CESNET/CN=voms1.grid.cesnet.cz","/C=NL/ST=Noord-Holland/L=Amsterdam/O=TERENA/CN=TERENA eScience SSL CA 3"]},{"name":"voms2.grid.cesnet.cz.lsc","dns":["/DC=cz/DC=cesnet-ca/O=CESNET/CN=voms2.grid.cesnet.cz","/DC=cz/DC=cesnet-ca/O=CESNET CA/CN=CESNET CA 3"]}]},{"name":"vo.nextgeoss.eu","endpoints":[{"name":"voms1.grid.cesnet.cz.lsc","dns":["/DC=org/DC=terena/DC=tcs/C=CZ/ST=Hlavni mesto Praha/L=Praha 6/O=CESNET/CN=voms1.grid.cesnet.cz","/C=NL/ST=Noord-Holland/L=Amsterdam/O=TERENA/CN=TERENA eScience SSL CA 3"]},{"name":"voms2.grid.cesnet.cz.lsc","dns":["/DC=cz/DC=cesnet-ca/O=CESNET/CN=voms2.grid.cesnet.cz","/DC=cz/DC=cesnet-ca/O=CESNET CA/CN=CESNET CA 3"]}]},{"name":"drihm.eu","endpoints":[{"name":"vomsmania.cnaf.infn.it.lsc","dns":["/C=IT/O=INFN/OU=Host/L=CNAF/CN=vomsmania.cnaf.infn.it","/C=IT/O=INFN/CN=INFN Certification Authority"]},{"name":"vomsIGI-NA.unina.it.lsc","dns":["/C=IT/O=INFN/OU=Host/L=Federico II/CN=vomsIGI-NA.unina.it","/C=IT/O=INFN/CN=INFN Certification Authority"]}]},{"name":"dteam","endpoints":[{"name":"voms.hellasgrid.gr.lsc","dns":["/C=GR/O=HellasGrid/OU=hellasgrid.gr/CN=voms.hellasgrid.gr","/C=GR/O=HellasGrid/OU=Certification Authorities/CN=HellasGrid CA 2016"]},{"name":"voms2.hellasgrid.gr.lsc","dns":["/C=GR/O=HellasGrid/OU=hellasgrid.gr/CN=voms2.hellasgrid.gr","/C=GR/O=HellasGrid/OU=Certification Authorities/CN=HellasGrid CA 2016"]}]},{"name":"chipster.csc.fi","endpoints":[{"name":"voms.fgi.csc.fi.lsc","dns":["/O=Grid/O=NorduGrid/CN=host/voms.fgi.csc.fi","/O=Grid/O=NorduGrid/CN=NorduGrid Certification Authority 2015"]}]},{"name":"gputest.metacentrum.cz","endpoints":[{"name":"voms1.grid.cesnet.cz.lsc","dns":["/DC=org/DC=terena/DC=tcs/C=CZ/ST=Hlavni mesto Praha/L=Praha 6/O=CESNET/CN=voms1.grid.cesnet.cz","/C=NL/ST=Noord-Holland/L=Amsterdam/O=TERENA/CN=TERENA eScience SSL CA 3"]},{"name":"voms2.grid.cesnet.cz.lsc","dns":["/DC=cz/DC=cesnet-ca/O=CESNET/CN=voms2.grid.cesnet.cz","/DC=cz/DC=cesnet-ca/O=CESNET CA/CN=CESNET CA 3"]}]},{"name":"demo.fedcloud.egi.eu","endpoints":[{"name":"voms1.grid.cesnet.cz.lsc","dns":["/DC=org/DC=terena/DC=tcs/C=CZ/ST=Hlavni mesto Praha/L=Praha 6/O=CESNET/CN=voms1.grid.cesnet.cz","/C=NL/ST=Noord-Holland/L=Amsterdam/O=TERENA/CN=TERENA eScience SSL CA 3"]},{"name":"voms2.grid.cesnet.cz.lsc","dns":["/DC=cz/DC=cesnet-ca/O=CESNET/CN=voms2.grid.cesnet.cz","/DC=cz/DC=cesnet-ca/O=CESNET CA/CN=CESNET CA 3"]}]},{"name":"vo.elixir-europe.org","endpoints":[{"name":"voms1.grid.cesnet.cz.lsc","dns":["/DC=org/DC=terena/DC=tcs/C=CZ/ST=Hlavni mesto Praha/L=Praha 6/O=CESNET/CN=voms1.grid.cesnet.cz","/C=NL/ST=Noord-Holland/L=Amsterdam/O=TERENA/CN=TERENA eScience SSL CA 3"]},{"name":"voms2.grid.cesnet.cz.lsc","dns":["/DC=cz/DC=cesnet-ca/O=CESNET/CN=voms2.grid.cesnet.cz","/DC=cz/DC=cesnet-ca/O=CESNET CA/CN=CESNET CA 3"]}]},{"name":"peachnote.com","endpoints":[{"name":"voms1.grid.cesnet.cz.lsc","dns":["/DC=org/DC=terena/DC=tcs/C=CZ/ST=Hlavni mesto Praha/L=Praha 6/O=CESNET/CN=voms1.grid.cesnet.cz","/C=NL/ST=Noord-Holland/L=Amsterdam/O=TERENA/CN=TERENA eScience SSL CA 3"]},{"name":"voms2.grid.cesnet.cz.lsc","dns":["/DC=cz/DC=cesnet-ca/O=CESNET/CN=voms2.grid.cesnet.cz","/DC=cz/DC=cesnet-ca/O=CESNET CA/CN=CESNET CA 3"]}]},{"name":"fedcloud.egi.eu","endpoints":[{"name":"voms1.grid.cesnet.cz.lsc","dns":["/DC=org/DC=terena/DC=tcs/C=CZ/ST=Hlavni mesto Praha/L=Praha 6/O=CESNET/CN=voms1.grid.cesnet.cz","/C=NL/ST=Noord-Holland/L=Amsterdam/O=TERENA/CN=TERENA eScience SSL CA 3"]},{"name":"voms2.grid.cesnet.cz.lsc","dns":["/DC=cz/DC=cesnet-ca/O=CESNET/CN=voms2.grid.cesnet.cz","/DC=cz/DC=cesnet-ca/O=CESNET CA/CN=CESNET CA 3"]}]},{"name":"training.egi.eu","endpoints":[{"name":"voms1.grid.cesnet.cz.lsc","dns":["/DC=org/DC=terena/DC=tcs/C=CZ/ST=Hlavni mesto Praha/L=Praha 6/O=CESNET/CN=voms1.grid.cesnet.cz","/C=NL/ST=Noord-Holland/L=Amsterdam/O=TERENA/CN=TERENA eScience SSL CA 3"]},{"name":"voms2.grid.cesnet.cz.lsc","dns":["/DC=cz/DC=cesnet-ca/O=CESNET/CN=voms2.grid.cesnet.cz","/DC=cz/DC=cesnet-ca/O=CESNET CA/CN=CESNET CA 3"]}]}]}'

After exporting the environment variables, create the stack with

$ docker stack deploy -c docker-compose.yml keystorm-oidc

Obtaining credentials

Using CLI

Your command should look something like this:

$ keyrod token -p egi.eu -s https://localhost:5000 -r refresh_token -i client_id -t client_secret -o https://aai-dev.egi.eu/oidc/token

If any group is available to you, you will get a list of groups to join:

Choose one of these groups: [fedcloud.egi.eu]

After authentication you should receive your OpenNebula login in the format user@identity_provider:password