[Edge-computing] Status of Keystone federation testing with tempest

Csatari, Gergely (Nokia - HU/Budapest) gergely.csatari at nokia.com
Wed Sep 12 21:25:32 UTC 2018


Hi,


Some update on the open issues.

   - Make this work 😉 - here I have some progress, however I can not explain why. Now keystone is able to reach Shibboleth and Shibboleth answers with FatalProfileException "A valid authentication statement was not found in the incoming message.". I continue to figure out what is the problem.
   - Set the idp address in the correct place - This is done thanks to gmann.
   - Figure out how to start a Container in a Keystone plugin or a tempest plugin - Here I try to use https://github.com/openstack/devstack-plugin-container however I'm not sure if this is the right tool to start containers in a DevStack environment.
   - Figure out how to integrate with CI - no progress on this

I'm still happy to get any help either by mail, on IRC or in person at the PTG.

Thanks,
Gerg0





________________________________
From: Csatari, Gergely (Nokia - HU/Budapest)
Sent: Friday, August 31, 2018 1:03:43 PM
To: nick at stackhpc.com; knikolla at bu.edu; colleen at gazlene.net; mbuil at suse.com; edge-computing at lists.openstack.org
Subject: Status of Keystone federation testing with tempest


Hi,


I've been working on this for a while, but as I am not a big expert on IdPs, Keystone or Tempest, my progress is a bit slow. I decided to share what I did and what my current problems are to 1) inform the team about the progress 2) keep a record for myself 3) hope for help and/or hints.


So I did this:

1) Get an Ubuntu

2) Install devstack with

    enable_plugin keystone git://git.openstack.org/openstack/keystone
    enable_service keystone-saml2-federation

Here I already ran into some package management issues due to a libcurl3 and libcurl4 incompatibility, which I solved using https://launchpad.net/~xapienz/+archive/ubuntu/curl34

3) Install the Keystone tempest plugin

4) Build a Shibboleth IdP container based on https://github.com/Unicon/shibboleth-idp-dockerized with the configuration I believe is correct. I have a feeling that we will need to set a proper organisation for this if we want to publish this to Docker Hub. By the way is there a container registry maintained in the OpenStack development infra?

5) Run the container and expose 8080, 4443 and 8443 ports

This is a half success. Shibboleth contacts Keystone (or actually the Shibboleth apache module) for metadata update, but it works only on the first attempt. The regular updates are not working for some reason.

Also I was not able to get a positive answer from the status script of Shibboleth itself, so I just decided to move a bit forward.

6) Set idp_url to https://localhost:8080/idp/profile/SAML2/SOAP/ECP in _request_unscoped_token inside the Keystone tempest plugin. Here I have no idea where the configuration is actually stored and where I should set this in a nice way.

7) Run the tempest tests. Now here I get an error message which tells me about SSL version numbers (hands.hake: Error([('SSL routines', 'ssl3_get_record', 'wrong version number')],)",),))). I tried to use different ssl versions with Curl, but it complains about the lack of support in libsso.


So here I am now.


Things that I definitely should figure out:

   - Make this work 😉

   - Set the idp address in the correct place

   - Figure out how to start a Container in a Keystone plugin or a tempest plugin

   - Figure out how to integrate with CI


Any comments are welcome.

Br,
Gerg0


