This is a mechanism to automatically spin up 2 virtual machines on an openstack cloud, and deploy devstack kilo, and set up Keystone to Keystone (K2K) federation using our automation scripts
This repository has three parts devstack-k2k
, auto-IdP
and auto-SP
-
devstack-k2k
- handles spinning up 2 vms, and deploying devstack with it
- using vagrant, and vagrant-openstack-provider
- once the k2k setup is fully automated, the vagrant script will also handle running the scripts in
auto-SP
andauto-IdP
- please see README under
devstack-k2k
for more details
-
auto-IdP
- This folder will be sync to your
k2k-idp
vm by vagrant - scripts that sets up K2K on the Identity Provider (IdP) side
- auto contains scripts that handles setting up 2-way K2K
- but under this case the vm
k2k-idp
will serve as a Service Provider
- but under this case the vm
- This folder will be sync to your
-
auto-SP
- This script will be sync to vm
k2k-sp
by vagrant - contains scripts that sets up K2K on the Servicer Provider (SP) side
- also contains scripts that sets up 2way k2k
- under this case
k2k-sp
will serve as an IdP
- under this case
- This script will be sync to vm
####1. clone the repo
Make sure you have auto-IdP
, auto-SP
and devstack-k2k
, within the same folder.
####2. Set up vagrant with your parameters
####3. vagrant up
This will take ~40 minutes, because we have to provision the two vms in sequence, because the script to set up IdP and SP has to be run in order...
(Maybe a) TODO: parallel the devstack provisioning and then run the scripts in sequence
cd devstack-k2k
vagrant up --no-provision
vagrant provision
Here I spin up 2 vms individually first for the purpose of assinging ip addresses to each vm in order to finish the K2K setup
####4. ssh into the vms and establish K2K connection (TO BE DEPRECRATED)
TODO: script this step to make life easier
The vagrant script handles the set up of K2K on both IdP and SP, you only need to ssh in to the IdP and run the /home/ubuntu/auto-IdP/k2k.sh
script and you will be able to see a scoped token of the Service provider generated for you.
If you are curious, the Vagrantfile
is the recipe of automatically bring up two vms k2k-idp
and k2k-sp
. Note that the server name does matter so don't change it unless you know what you are doing.
execute k2k fedration in Identity Provider and get a scoped token from SP
vagrant ssh k2k-idp
source ~/admin
cd ~/IdP
./k2k.sh
####5. Mix & Match (usecase 1: volume-attach & volume-detach)
Assume you didn't exit IDP after the previous step i.e. you are still ssh-ed in k2k-idp vm
cd /home/ubuntu/IdP && ./patch_nova.sh
If you want more explainaion read through the rest of the README
This is base on the assumtion that you have already set up one direction k2k
1st set up environment as IdP in the previous SP
cd ~/IdP
source ~/admin
./env_2way.sh
2nd set up environment as SP at the previous IdP
source ~/admin
cd ~/SP
./env_2way.sh
3th execute k2k fedration in IdP (previously SP) and get a scoped token from SP
source ~/admin
cd ~/IdP
./k2k_2way.sh
This set up follows rodrigods' tutorial of how to set up K2K for kilo. This is for Devstack environment in Kilo with Keystone v3
The following is a side note of radrigod's tutorial. It is not a thorough explaination of everything.
In short: What do we need to do?
-
SP
/etc/keystone/keystone.conf
[auth]
section/etc/apache2/sites-available/keystone.conf
- shibboleth should be installed by vagrant recipe but needs configuration
/etc/shibboleth/attribute-map.xml
attribute names/etc/shibboleth/shibboleth2.xml
SSO entity ID and MetadataProvider- keygen, and restart service
-
IdP
/etc/keystone/keystone.conf
[saml]
sectionkeystone_idp_metadata.json
should be generated by vagrant recipe- restart service
Attribute
in/etc/shibboleth/attribute-map.xml
is use for mapping the incoming client from IdP. For example, remote client will be"type": "openstack_user"
idp_entity_id
inkeystone.conf
file has to match withSSO entityID
in/etc/shibboleth/shibboleth2.xml
- make sure to edit
[saml]
section inkeyston.conf
file in both IdP and SP - The
build_client.py
script creates a client for admin user in SP - The
setupk2k_sp.py
script sets up IdP in SP, it creates the client for admin user, domain, group, role and project for federatoin and assign roles to the group, it also creates mapping, idp and protocol.- Federated user and group1 has to be in the project that you are planning to do keystone federation with, i.e. the project the unscoped federated token will scope to
- Federated user and group1 (i.e. user and group that has granted premission from IdP to get service from SP) will be mapped to
openstack_user
which is specified inattributes
- Federated user/group only have access to projects/domains that they have roles for. i.e. For a federated user/group to access a project in SP, we have to grant a role of the project to the federated user/group
- The id for IdP (idp_id in the following document) is the id we specify in
create_idp
function - THe id for protocal (protocal_id) and mapping (mapping_id) are also as we specified in
create_protocol
andcreate_mapping
functions
-
setupk2k_idp
script sets up SP in idp.sp_url
= IP address for SP +:5000
+/Shibboleth.sso/SAML2/ECP
auth_url
= IP address for SP +:5000
+/v3/OS-FEDERATION/identity_providers/
+idp_id
+/protocols/
+protocol_id
+/auth
- Id for SP in IdP (sp_id) is specified in
create_sp
function.
-
k2kclient.py
script gets unscoped token from SP, list availiabe projects/domains for federated user/group, and get scoped token using the unscoped token and project/group id- Strange bug: header
X-Auth-Token
can't be processed, butx-auth-token
works client.scoped_token
is the full scoped token for the specific project/domain (str)
- Strange bug: header