[Edge-computing] Status of Keystone federation testing with tempest

Csatari, Gergely (Nokia - HU/Budapest) gergely.csatari at nokia.com
Fri Aug 31 11:03:43 UTC 2018


I've been working on this for a while, but as I am not a big expert in IdP, Keystone or Tempest, my progress is a bit slow. I decided to share what I did and what my current problems are to 1) inform the team about the progress 2) keep a record for myself 3) hopefully get help and/or hints.

So I did this:

1) Get an Ubuntu

2) Install devstack with

    enable_plugin keystone git://git.openstack.org/openstack/keystone
    enable_service keystone-saml2-federation

Here I already ran into some package management issues due to a libcurl3 and libcurl4 incompatibility, which I solved using https://launchpad.net/~xapienz/+archive/ubuntu/curl34

3) Install the Keystone tempest plugin

4) Build a Shibboleth IdP container based on https://github.com/Unicon/shibboleth-idp-dockerized with the configuration I believe is correct. I have a feeling that we will need to set a proper organisation for this if we want to publish this to Docker Hub. By the way, is there a container registry maintained in the OpenStack development infra?

5) Run the container and expose 8080, 4443 and 8443 ports

This is a half success. Shibboleth contacts Keystone (or actually the Shibboleth apache module) for metadata update, but it works only on the first attempt. The regular updates are not working for some reason.

Also I was not able to get a positive answer from the status script of Shibboleth itself, so I just decided to move a bit forward.

6) Set idp_url to https://localhost:8080/idp/profile/SAML2/SOAP/ECP in _request_unscoped_token inside the Keystone tempest plugin. Here I have no idea where the configuration is actually stored and where I should set this in a nice way.

7) Run the tempest tests. Now here I get an error message which tells me about SSL version numbers (hands.hake: Error([('SSL routines', 'ssl3_get_record', 'wrong version number')],)",),))). I tried to use different ssl versions with Curl, but it complains about the lack of support in libsso.

So here I am now.

Things that I definitely should figure out:

   - Make this work 😉

   - Set the idp address in the correct place

   - Figure out how to start a Container in a Keystone plugin or a tempest plugin

   - Figure out how to integrate with CI

Any comments are welcome.


Curl 3 and 4 : Evgeny Brazgin - launchpad.net<https://launchpad.net/~xapienz/+archive/ubuntu/curl34>
PPA contains libcurl4 package, which supports both libcurl3 and libcurl4 API.
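
Added example, not part of the original message: OpenSSL reports "wrong version number" when the first bytes it reads from the peer are not a TLS record, which is what a client sees when an https:// URL points at a port that answers in plain HTTP. The Python sketch below probes a port to tell a TLS listener from a plaintext one. The names probe_tls, start_plaintext_listener and demo are made up here, and the listener is a constructed stand-in, not the Shibboleth container.

```python
import socket
import ssl
import threading


def probe_tls(host: str, port: int, timeout: float = 3.0) -> str:
    """Report whether host:port answers a TLS ClientHello with TLS or not."""
    ctx = ssl.create_default_context()
    # Protocol probe only: certificate checks are off so a self-signed test
    # IdP can still complete the handshake. Never reuse this context for
    # real traffic.
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return "tls:" + (tls.version() or "unknown")
    except ssl.SSLError as exc:
        # Raised when the reply is not a TLS record, for example an
        # "HTTP/1.1 400" status line from a plaintext listener.
        if exc.reason == "WRONG_VERSION_NUMBER":
            return "not-tls"
        return "tls-error:" + str(exc.reason)
    except OSError as exc:
        return "unreachable:" + type(exc).__name__


def start_plaintext_listener():
    """Constructed stand-in for a plain-HTTP port; returns (socket, port)."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)

    def serve():
        conn, _ = srv.accept()
        with conn:
            conn.recv(4096)  # swallow the ClientHello
            conn.sendall(b"HTTP/1.1 400 Bad Request\r\nConnection: close\r\n\r\n")

    threading.Thread(target=serve, daemon=True).start()
    return srv, srv.getsockname()[1]


def demo() -> str:
    """Probe the constructed plaintext listener and return the verdict."""
    srv, port = start_plaintext_listener()
    try:
        return probe_tls("127.0.0.1", port)
    finally:
        srv.close()


if __name__ == "__main__":
    print(demo())
```

Running probe_tls against each exposed port (8080, 4443 and 8443 in the message above) shows which of them expects TLS before any URL is written into the test configuration.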

