This subtasks deals with the pilots for attribute management
By delivering an integrated AAI framework, AARC will improve ..... We started several pilots to address the needs and problems faced by.......
The use cases
- ..
- ..
- ..
These use cases have been translated to requirements and have been described in the Deliverable "DJRA1.1:Analysis of user community and service provider requirements"
Page xx of this document provides a dedicated description of the issues.....currently face with regard to federated identity management. Requirements R?, R?... are applicable to this context and have been guiding our work in this pilot.
Proposed and piloted solutions to address these issues
- We established a pilot proxy.....
The current status of this work has been presented at the general AARC meeting in Utrecht in May 2016. See this Slide presentation for more details. SA1.2 Pilots. Updates
Requirements | Components in Blue Print Architecture | Status and Results |
---|---|---|
| ||
Requirements R?.....R? | Status per June, 1st 2016
|
Status per June 1st 2016
- ....
- ....
Information about the Openstack pilot set-up
We deployed an Openstack testbed on two virtual machines:
- am02.pilots.aarc-project.eu is the controller node
- am05.pilots.aarc-project.eu is the compute node
The OpenStack version installed is Liberty, on the operating system Ubuntu 14.04. The OpenStack components deployed are: keystone, neutron, nova, glance and horizon
The keystone component was configured to work in a federated environment: it acts as (Shibboleth) Service Provider. No local accounts were created on it, apart the admin one.
When an user goes to the horizon login page, there are two options:
- login with Keystone credentials (which obviuosly hasn't got)
- login through SAML assertion
Chosen the SAML option, the user is redirected on a page where can select the preferred Identity Provider for performing the authentication: currently it was configured only the IDP of the pilot testbed (am-proxy.pilots.aarc-project.eu).
Once filled-in its data, the user is brought back to horizon where he can finally access to the openstack functionalities.
The actions he can perform depend on:
- the local group which the user is mapped to
- the role assigned to the user in that particular group for one of the existing OpenStack project
On OpenStack it was created 3 projects for the AARC pilot users: aarc-pilot, aarc-pilot2 and aarc-pilot3.
The local groups reflect the eduPersonAffiliation attribute owned by the users in their IDP: member, student, employee, faculty and staff.
The role assigned for a particular project can be: user or admin
aarc-pilot | aarc-pilot2 | aarc-pilot3 | |
---|---|---|---|
staff | admin | admin | admin |
student | user | ||
faculty | user | user | |
member | admin | user | |
employee | user | user | admin |
The following is a simplified rule just for explaining how the IDP users are mapped to ephemeral account:
[ { "local": [ { "user": { "name": "{0}" } }, { "group": { "id": "2694979ea7fb41a9a6adf00eb212a335" } } ], "remote": [ { "type": "eppn" }, { "type": "unscoped-affiliation", "any_one_of": [ "faculty" ] } ] } ] |
---|
All the users having "faculty" in the eduPersonAffiliation attribute are mapped to the local group which has got the id=2694979ea7fb41a9a6adf00eb212a335 and as local username is used the eppn.
The dashboard login page is https://am02.pilots.aarc-project.eu/horizon/
Some tech details. Notes on some issues found
- When trying to login into horizon using the local accounts defined in openstack (admin and demo users), the access fails with the following error reported in the log /var/log/apache2/error.log:
[Mon May 09 16:14:45.903360 2016] [:error] [pid 5980:tid 140331975448320] SSL exception connecting to https://am02.pilots.aarc-project.eu:5000/v3/auth/tokens: [Errno 1] _ssl.c:510: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed [Mon May 09 16:14:45.903966 2016] [:error] [pid 5980:tid 140331975448320] Login failed for user "admin" |
---|
For solving it we had to set "OPENSTACK_SSL_NO_VERIFY = True" in the horizon configuration. It is also important having the CAs added in the python-requests in horizon (as mentioned in https://wiki.egi.eu/wiki/Federated_Cloud_APIs_and_SDKs#CA_Certificates )
- When trying the federated login via the SAML authentication, if you get the following error page:
UnauthorizedThis server could not verify that you are authorized to access the document requested. Either you supplied the wrong credentials (e.g., bad password), or your browser doesn't understand how to supply the credentials required. |
---|
and in the /var/log/apache2/keystone.log there is the following error:
2016-05-18 12:33:34.035509 AH01629: authorization failure (no authenticated user): /v3/auth/OS-FEDERATION/websso/saml2 |
---|
you may have hit this bug http://trwa.ca/2014/10/shibboleth-2-5-apache-2-4-and-breaking-apache-basic-auth/
So creating this file
root@controller:~# cat /etc/apache2/conf-available/shib2.conf ShibCompatValidUser On |
---|
and enabling it in shibboleth solves the issue
Information about the COmanage Registry set-up
We deployed a COmanage Registry service on the virtual machine am03.pilots.aarc-project.eu:
- chosen the organizational identiy unpooled option
The registry was configured as service provider: the IDP contacted is am-proxy.pilots.aarc-project.eu
- the registry admin is professor3
- created for the moment 2 COs: aarc-white and aarc-yellow
- at each COs correspond a dedicated project in OpenStack
- we are testing the user mapping to the several projects in OpenStack: depending on the role in their COs, users have got different rights in their project