fiwarefiware-cosmos

PEP proxy config file for integration of IDM GE, PEP proxy and Cosmos big data


I have a question regarding PEP proxy file. My keystone service is running on 192.168.4.33:5000. My horizon service is running on 192.168.4.33:443.

My WebHDFS service is running on 192.168.4.180:50070 and i intend to run PEP Proxy on 192.168.4.180:80

But what i don't get is what should i put in place of config.account_host? Inside mysql database for keyrock manager there is "idm" user with "idm" password and every request i make via curl on Identity manager works.

But with this config:

config.account_host = 'https://192.168.4.33:443';
config.keystone_host = '192.168.4.33';
config.keystone_port = 5000;
config.app_host = '192.168.4.180';
config.app_port = '50070';
config.username = 'idm';
config.password = 'idm';

when i start pep-proxy with:

sudo node server.js

i get next error:

Starting PEP proxy in port 80. Keystone authentication ...
Error in keystone communication {"error": {"message": "The request you     
have made requires authentication.", "code": 401, "title":   
"Unauthorized"}}

Solution

  • First, I wouldn't type the port at your config.account_host, as it is not required there, but this doesn't interfere the operation.

    My guessing is that you are using your own KeyRock FIWARE Identity Manager with the default provision of roles.

    If you check the code, PEP Proxy sends a Domain Scoped request against KeyRock, as stands in the Keystone v3 API.

    So the thing is, the idm user you are using to authenticate PEP, probably doesn't have any domain roles. The workaround to check it would be:

    1. Try the Domain Scoped request:

      curl -i \
        -H "Content-Type: application/json" \
        -d '
      { "auth": {
          "identity": {
            "methods": ["password"],
            "password": {
              "user": {
                "name": "idm",
                "domain": { "id": "default" },
                "password": "idm" 
              }
            }
          },
          "scope": {
            "domain": {
              "id": "default" 
            }
          }
        }
      }' \
        http://192.168.4.33:5000/v3/auth/tokens ; echo
      

    If you get a 401 code, you are not authorized to make Domain Scoped requests.

    1. Check if the user has any role in this domain. For this you will need to get an Auth token using the Default Scope request:

        curl -i   -H "Content-Type: application/json"   -d '
      { "auth": {
          "identity": {
            "methods": ["password"],
            "password": {
              "user": {
                "name": "idm",
                "domain": { "id": "default" },
                "password": "idm" 
              }
            }
          }
        }
      }'   http://192.168.4.33:5000/v3/auth/tokens ; echo
      

    This will return a X-Subject-Token that you will need for the workaround.

    1. With that token, we will send a request to the default domain using the user we selected before, idm, to check if we have assigned any roles there:

      curl -i \
          -H "X-Auth-Token:<retrieved_token>" \
          -H "Content-type: application/json" \
      http://192.168.4.33:5000/v3/domains/default/users/idm/roles
      

    And probably, this request will give you a response like:

    {"links": {"self": "http://192.168.4.33:5000/v3/domains/default/users/idm/roles", "previous": null, "next": null}, "roles": []}

    1. In that case, you will need to create a role for that user. To create it, you will need to assing a role to the user idm in the default domain. For that, you will need to retrieve the role id of the role you want to assign. You can do this by sending the following request:

      curl -i \
          -H "X-Auth-Token:<retrieved_token>" \
          -H "Content-type: application/json" \
      http://192.168.4.33:5000/v3/roles
      

    It will return a JSON with all the available roles and its ids.

    1. Assign a role to the user idm in the default domain. There are 6 available: member, owner, trial, basic, community and admin. As idm is the main administrator, I would chose the admin id. So finally, with the admin id, we assign the role by doing:

      curl -s -X PUT \
          -H "X-Auth-Token:<retrieved_token>" \
          -H "Content-type: application/json" \
      http://192.168.4.33:5000/v3/domains/default/users/idm/roles/<role_id>
      

    Now you can try again Step 1, and if everything works, you should be able to start the PEP proxy:

    sudo node server.js
    

    Let me know how it goes!