
# k2k-fed

## Overview

This is a mechanism to automatically spin up two virtual machines on an OpenStack cloud, deploy DevStack Kilo on them, and set up Keystone-to-Keystone (K2K) federation using our automation scripts.

This repository has three parts: devstack-k2k, auto-IdP and auto-SP.

- devstack-k2k
  - handles spinning up the two VMs and deploying DevStack on them
  - uses Vagrant and vagrant-openstack-provider
  - once the K2K setup is fully automated, the Vagrant script will also run the scripts in auto-SP and auto-IdP
  - see the README under devstack-k2k for more details
- auto-IdP
  - this folder is synced to the k2k-idp VM by Vagrant
  - scripts that set up K2K on the Identity Provider (IdP) side
  - `auto` contains scripts that set up 2-way K2K
    - in that case the k2k-idp VM serves as a Service Provider
- auto-SP
  - this folder is synced to the k2k-sp VM by Vagrant
  - scripts that set up K2K on the Service Provider (SP) side
  - also contains scripts that set up 2-way K2K
    - in that case k2k-sp serves as an IdP

## How to use?

#### 1. Clone the repo

Make sure auto-IdP, auto-SP and devstack-k2k are all in the same folder.

#### 2. Set up Vagrant with your parameters

Follow the instructions in the README under devstack-k2k.

#### 3. vagrant up

This will take ~40 minutes, because the two VMs have to be provisioned in sequence: the scripts that set up the IdP and the SP must run in order...

(Maybe a) TODO: parallelize the DevStack provisioning and then run the scripts in sequence

```shell
cd devstack-k2k
vagrant up --no-provision
vagrant provision
```

Here I spin up the two VMs individually first, so that each VM gets its IP address assigned before the K2K setup is finished.

#### 4. SSH into the VMs and establish the K2K connection (TO BE DEPRECATED)

TODO: script this step to make life easier

The Vagrant script handles the setup of K2K on both the IdP and the SP. You only need to SSH into the IdP and run the /home/ubuntu/auto-IdP/k2k.sh script, and you will see a scoped token from the Service Provider generated for you.

If you are curious, the Vagrantfile is the recipe for automatically bringing up the two VMs k2k-idp and k2k-sp. Note that the server names do matter, so don't change them unless you know what you are doing.

Execute K2K federation on the Identity Provider and get a scoped token from the SP:

```shell
vagrant ssh k2k-idp
source ~/admin
cd ~/IdP
./k2k.sh
```

#### 5. Mix & Match (use case 1: volume-attach & volume-detach)

Assume you did not exit the IdP after the previous step, i.e. you are still SSH-ed into the k2k-idp VM.

```shell
cd /home/ubuntu/IdP && ./patch_nova.sh
```

If you want more explanation, read through the rest of the README.

## 2-way automation

This is based on the assumption that you have already set up one-direction K2K.

1st: set up the environment as IdP on the previous SP

```shell
cd ~/IdP
source ~/admin
./env_2way.sh
```

2nd: set up the environment as SP on the previous IdP

```shell
source ~/admin
cd ~/SP
./env_2way.sh
```

3rd: execute K2K federation on the IdP (previously the SP) and get a scoped token from the SP

```shell
source ~/admin
cd ~/IdP
./k2k_2way.sh
```

## The details of the setup?

This setup follows rodrigods' tutorial on how to set up K2K for Kilo. It is for a DevStack environment in Kilo with Keystone v3.

The following is a side note to rodrigods' tutorial. It is not a thorough explanation of everything.

### In short: what do we need to do?

- SP
  - /etc/keystone/keystone.conf `[auth]` section
  - /etc/apache2/sites-available/keystone.conf
  - Shibboleth should be installed by the Vagrant recipe but needs configuration
  - /etc/shibboleth/attribute-map.xml attribute names
  - /etc/shibboleth/shibboleth2.xml SSO entityID and MetadataProvider
  - keygen, and restart the service
- IdP
  - /etc/keystone/keystone.conf `[saml]` section
  - keystone_idp_metadata.json should be generated by the Vagrant recipe
  - restart the service

## Set up SP

- The attributes in /etc/shibboleth/attribute-map.xml are used for mapping the incoming client from the IdP. For example, the remote client will be `"type": "openstack_user"`.
- `idp_entity_id` in keystone.conf has to match the SSO entityID in /etc/shibboleth/shibboleth2.xml.
- Make sure to edit the `[saml]` section of keystone.conf on both the IdP and the SP.
- The build_client.py script creates a client for the admin user on the SP.
- The setupk2k_sp.py script sets up the IdP on the SP: it creates the client for the admin user, the domain, group, role and project for federation, assigns roles to the group, and also creates the mapping, idp and protocol.
  - The federated user and group1 have to be in the project you are planning to do Keystone federation with, i.e. the project the unscoped federated token will scope to.
  - The federated user and group1 (i.e. the user and group granted permission by the IdP to get service from the SP) will be mapped to `openstack_user`, which is specified in the attributes.
  - Federated users/groups only have access to the projects/domains they have roles for, i.e. for a federated user/group to access a project on the SP, we have to grant the federated user/group a role on that project.
  - The id of the IdP (`idp_id` in the following) is the id we specify in the create_idp function.
  - The ids of the protocol (`protocol_id`) and mapping (`mapping_id`) are likewise those we specify in the create_protocol and create_mapping functions.
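The three objects described above (identity provider, mapping, protocol) and the effect of the mapping rule, as an added example that is not part of the k2k-fed scripts. It builds the objects in the shape the Keystone v3 federation API expects and then checks the rule locally against a constructed assertion, so you can see which remote attributes produce a federated user in group1 and which are rejected. The ids, the group id and the IdP entity id are constructed sample values, and the evaluator only approximates the subset of Keystone's mapping engine used here (attribute presence, `any_one_of`, `{N}` placeholders); it is not Keystone code.

```python
"""Added example (not part of k2k-fed): SP-side federation objects plus a
local check of the mapping rule. Sample ids and the evaluator are assumptions;
the evaluator approximates keystone's mapping engine for this rule shape only."""
import re


def build_sp_federation(idp_id, protocol_id, mapping_id, group_id, idp_entity_id):
    """Return (idp, mapping, protocol) shaped like keystone v3 federation API bodies."""
    mapping = {
        "id": mapping_id,
        "rules": [{
            "local": [
                # {0} is filled from the first non-condition remote attribute,
                # openstack_user, the name configured in attribute-map.xml.
                {"user": {"name": "{0}"}},
                # the federated user lands in this group; the group must hold a
                # role on the project the unscoped token will later scope to.
                {"group": {"id": group_id}},
            ],
            "remote": [
                {"type": "openstack_user"},
                # a condition: it filters logins but contributes no placeholder
                {"type": "openstack_roles", "any_one_of": ["admin", "_member_"]},
            ],
        }],
    }
    # remote_ids must equal the IdP's SAML entityID so keystone can tie the
    # incoming assertion to this IdP record.
    idp = {"id": idp_id, "enabled": True, "remote_ids": [idp_entity_id]}
    protocol = {"id": protocol_id, "identity_provider": idp_id, "mapping": mapping_id}
    return idp, mapping, protocol


def _render(obj, matched):
    """Substitute {N} placeholders with the N-th matched remote value."""
    if isinstance(obj, dict):
        return {k: _render(v, matched) for k, v in obj.items()}
    if isinstance(obj, list):
        return [_render(v, matched) for v in obj]
    if isinstance(obj, str):
        return re.sub(r"\{(\d+)\}", lambda m: matched[int(m.group(1))], obj)
    return obj


def evaluate_mapping(mapping, assertion):
    """assertion: {attribute name: [values]} as Shibboleth presents it.
    Returns the merged local identity of the first matching rule, or None
    (keystone rejects the federated login in that case)."""
    for rule in mapping["rules"]:
        matched = []
        for remote in rule["remote"]:
            values = assertion.get(remote["type"])
            if not values:
                break                       # required attribute absent
            if "any_one_of" in remote:
                if not set(values) & set(remote["any_one_of"]):
                    break                   # condition failed
                continue                    # conditions add no placeholder
            matched.append(values[0])
        else:
            identity = {}
            for item in rule["local"]:
                identity.update(_render(item, matched))
            return identity
    return None


if __name__ == "__main__":
    idp, mapping, protocol = build_sp_federation(
        "keystone-idp", "saml2", "k2k-mapping", "group1-constructed-id",
        "http://idp.example.invalid/v3/OS-FEDERATION/saml2/idp")
    print(evaluate_mapping(mapping, {"openstack_user": ["alice"],
                                     "openstack_roles": ["admin"]}))
```

The second remote clause is the part worth noticing from a least-privilege angle: without a condition, any account the IdP asserts an `openstack_user` name for becomes a member of group1 and inherits every role that group holds on the project.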

## Set up IdP

- The setupk2k_idp script sets up the SP on the IdP.
  - `sp_url` = IP address of the SP + `:5000` + `/Shibboleth.sso/SAML2/ECP`
  - `auth_url` = IP address of the SP + `:5000` + `/v3/OS-FEDERATION/identity_providers/` + `idp_id` + `/protocols/` + `protocol_id` + `/auth`
  - The id of the SP on the IdP (`sp_id`) is specified in the create_sp function.
- The k2kclient.py script gets an unscoped token from the SP, lists the available projects/domains for the federated user/group, and gets a scoped token using the unscoped token and the project/domain id.
  - Strange bug: the header `X-Auth-Token` can't be processed, but `x-auth-token` works.
  - `client.scoped_token` is the full scoped token for the specific project/domain (str).
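The token exchange described above, as an added example that is not the repository's k2kclient.py. It derives `sp_url` and `auth_url` exactly as listed, then walks the K2K flow (ECP assertion from the IdP's Keystone, session cookie from Shibboleth, unscoped token from the federated auth endpoint, project listing with the lowercase `x-auth-token` header the page notes, scoped token) against a transport callable, so the exchange can be traced offline with a constructed fake IdP/SP. The transport interface `send(method, url, headers, body) -> (status, headers, body)` with lowercase header names, and all hosts, ids and token values, are assumptions of this example.

```python
"""Added example (not k2k-fed's k2kclient.py): the K2K token exchange against a
pluggable transport. Endpoint paths are keystone v3 / Shibboleth ECP paths;
hosts, ids, cookies and token values are constructed sample data."""
import json


def sp_urls(sp_ip, idp_id, protocol_id):
    """The two URLs the IdP's service-provider record needs (see setupk2k_idp)."""
    base = "http://%s:5000" % sp_ip
    sp_url = base + "/Shibboleth.sso/SAML2/ECP"
    auth_url = base + "/v3/OS-FEDERATION/identity_providers/%s/protocols/%s/auth" % (
        idp_id, protocol_id)
    return sp_url, auth_url


class K2KClient:
    def __init__(self, idp_base, sp_base, send):
        self.idp_base, self.sp_base, self.send = idp_base.rstrip("/"), sp_base.rstrip("/"), send
        self.unscoped_token = self.scoped_token = None

    def _ok(self, status, what):
        if status not in (200, 201):
            raise RuntimeError("%s failed with HTTP %s" % (what, status))

    def get_ecp_assertion(self, idp_token, sp_id):
        """Ask the IdP's keystone for a SAML assertion scoped to the SP."""
        body = {"auth": {"identity": {"methods": ["token"], "token": {"id": idp_token}},
                         "scope": {"service_provider": {"id": sp_id}}}}
        status, _, assertion = self.send("POST", self.idp_base + "/v3/auth/OS-FEDERATION/saml2/ecp",
                                         {"content-type": "application/json"}, json.dumps(body))
        self._ok(status, "ECP assertion")
        return assertion

    def get_unscoped_token(self, assertion, sp_url, auth_url):
        """Post the assertion to Shibboleth (yields a session cookie), then present
        the cookie at the federated auth endpoint to obtain the unscoped token."""
        status, hdrs, _ = self.send("POST", sp_url,
                                    {"content-type": "application/vnd.paos+xml"}, assertion)
        self._ok(status, "Shibboleth ECP")
        cookie = hdrs["set-cookie"].split(";")[0]
        status, hdrs, _ = self.send("GET", auth_url, {"cookie": cookie}, None)
        self._ok(status, "federated auth")
        self.unscoped_token = hdrs["x-subject-token"]
        return self.unscoped_token

    def list_projects(self):
        """Projects the federated user may scope to; lowercase header, per the README note."""
        status, _, body = self.send("GET", self.sp_base + "/v3/OS-FEDERATION/projects",
                                    {"x-auth-token": self.unscoped_token}, None)
        self._ok(status, "project listing")
        return [p["id"] for p in json.loads(body)["projects"]]

    def get_scoped_token(self, project_id):
        """Exchange the unscoped token for one scoped to project_id."""
        body = {"auth": {"identity": {"methods": ["token"], "token": {"id": self.unscoped_token}},
                         "scope": {"project": {"id": project_id}}}}
        status, hdrs, _ = self.send("POST", self.sp_base + "/v3/auth/tokens",
                                    {"content-type": "application/json"}, json.dumps(body))
        self._ok(status, "scoping")
        self.scoped_token = hdrs["x-subject-token"]
        return self.scoped_token


def fake_transport(method, url, headers, body):
    """Constructed stand-in for the IdP and SP endpoints (sample data only)."""
    if url.endswith("/v3/auth/OS-FEDERATION/saml2/ecp"):
        return 200, {}, "<ecp:Response>constructed-assertion</ecp:Response>"
    if url.endswith("/Shibboleth.sso/SAML2/ECP"):
        return 200, {"set-cookie": "_shibsession_x=abc; Path=/"}, ""
    if url.endswith("/protocols/saml2/auth"):
        if headers.get("cookie") != "_shibsession_x=abc":
            return 401, {}, ""
        return 201, {"x-subject-token": "unscoped-constructed"}, "{}"
    if url.endswith("/v3/OS-FEDERATION/projects"):
        if "x-auth-token" not in headers:
            return 401, {}, ""
        return 200, {}, json.dumps({"projects": [{"id": "proj-1", "name": "federated"}]})
    if url.endswith("/v3/auth/tokens"):
        return 201, {"x-subject-token": "scoped-constructed"}, "{}"
    return 404, {}, ""


def run_k2k_flow(send):
    """Full exchange: assertion -> unscoped token -> project list -> scoped token."""
    sp_url, auth_url = sp_urls("10.0.0.2", "keystone-idp", "saml2")
    client = K2KClient("http://10.0.0.1:5000", "http://10.0.0.2:5000", send)
    assertion = client.get_ecp_assertion("idp-admin-token-constructed", "keystone-sp")
    unscoped = client.get_unscoped_token(assertion, sp_url, auth_url)
    projects = client.list_projects()
    scoped = client.get_scoped_token(projects[0])
    return {"unscoped": unscoped, "projects": projects, "scoped": scoped}


if __name__ == "__main__":
    print(run_k2k_flow(fake_transport))
```

Every step checks the HTTP status before using a header, which is where a real run fails most often: a wrong `sp_url`, a Shibboleth session that was never established, or an `idp_id`/`protocol_id` in `auth_url` that does not match what setupk2k_sp.py created on the SP.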

## Contributors

minyinglu, gsilvis, loki8, knikolla, kyguy


## Issues

### Incorrect path in automation scripts

auto-IdP and auto-SP are mounted as /home/ubuntu/IdP and /home/ubuntu/SP, but the script does `cd` to /home/ubuntu/auto-IdP and auto-SP, making provisioning fail.

```
cd /home/ubuntu/auto-IdP
...
devstack.vm.synced_folder "../auto-IdP", "/home/ubuntu/IdP"
```
