[Edge-computing] Status of Keystone federation testing with tempest

Manuel Buil mbuil at suse.com
Tue Jan 15 15:53:29 UTC 2019


Hi Gerg0,

I had a K2K deployment working (I was able to fetch a token from the
SP) and I tried to document all the steps:

https://wiki.opnfv.org/display/EC/Keystone+Federation+demo+in+opensuse

Regarding the IdP config, this is what I wrote to check that
things were fine at the IdP side:

# If the IdP configuration is correct, you should see the following in
/var/log/apache2/keystone_access.log when the user requests the token
through the federated_project:

172.29.236.11 - - [07/Nov/2018:18:53:04 +0000] "GET /v3 HTTP/1.1" 200 254 "-" "openstacksdk/0.17.2 keystoneauth1/3.10.0 python-requests/2.19.1 CPython/2.7.13"
172.29.236.11 - - [07/Nov/2018:18:53:04 +0000] "POST /v3/auth/tokens HTTP/1.1" 201 6234 "-" "openstacksdk/0.17.2 keystoneauth1/3.10.0 python-requests/2.19.1 CPython/2.7.13"
172.29.236.11 - - [07/Nov/2018:18:53:04 +0000] "POST /v3/auth/OS-FEDERATION/saml2/ecp HTTP/1.1" 200 6535 "-" "openstacksdk/0.17.2 keystoneauth1/3.10.0 python-requests/2.19.1 CPython/2.7.13"

By looking at your logs it seems you are getting a config problem in
Shibboleth, however, Keystone is capable of providing the SAML
implementation for IdP, so in theory you don't need Shibboleth at the
IdP side. Could you check the steps I followed in that link in the
section "### MAKING EDGE1 IdP ###"? Have you documented the steps you
have followed? Perhaps we could compare them.

Regards,
Manuel
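A scripted form of the access-log check Manuel describes, added here as an example (it is not code from the thread, from Keystone or from keystoneauth1): it reads an Apache combined-format log, keeps only the requests coming from the SP's address, and reports which of the three expected requests is missing or came back with an unexpected status. The function name `k2k_idp_check` is this example's own, and the two log files are constructed from the three lines quoted above plus one rejected ECP request.

```shell
#!/bin/sh
# Added example: check an IdP-side keystone_access.log for the K2K request
# sequence (GET /v3 -> POST /v3/auth/tokens -> POST /v3/auth/OS-FEDERATION/saml2/ecp).
# Usage: k2k_idp_check <access_log> <sp_client_ip>; exits 0 only when all three
# requests from that client are present with the expected status codes.
k2k_idp_check() {
  awk -v ip="$2" '
    # Apache combined format: $1 client, $6 "METHOD, $7 path, $9 status.
    # Only requests from the SP are counted; the last occurrence wins.
    $1 == ip { req = $6 " " $7; gsub(/"/, "", req); seen[req] = $9 }
    END {
      n = split("GET /v3|POST /v3/auth/tokens|POST /v3/auth/OS-FEDERATION/saml2/ecp", want, "|")
      split("200|201|200", ok, "|")
      rc = 0
      for (i = 1; i <= n; i++) {
        if (!(want[i] in seen))          { print "MISSING " want[i]; rc = 1 }
        else if (seen[want[i]] != ok[i]) { print "STATUS " seen[want[i]] " " want[i]; rc = 1 }
        else                             { print "OK " want[i] }
      }
      exit rc
    }' "$1"
}

# Constructed sample logs: the healthy run quoted in the mail, and a run from
# the same SP whose ECP request is rejected (what an IdP misconfiguration looks like).
UA='"-" "openstacksdk/0.17.2 keystoneauth1/3.10.0 python-requests/2.19.1 CPython/2.7.13"'
GOOD_LOG=$(mktemp)
cat > "$GOOD_LOG" <<EOF
172.29.236.11 - - [07/Nov/2018:18:53:04 +0000] "GET /v3 HTTP/1.1" 200 254 $UA
172.29.236.11 - - [07/Nov/2018:18:53:04 +0000] "POST /v3/auth/tokens HTTP/1.1" 201 6234 $UA
172.29.236.11 - - [07/Nov/2018:18:53:04 +0000] "POST /v3/auth/OS-FEDERATION/saml2/ecp HTTP/1.1" 200 6535 $UA
EOF
BAD_LOG=$(mktemp)
head -n 2 "$GOOD_LOG" > "$BAD_LOG"
echo "172.29.236.11 - - [07/Nov/2018:18:53:05 +0000] \"POST /v3/auth/OS-FEDERATION/saml2/ecp HTTP/1.1\" 401 114 $UA" >> "$BAD_LOG"

k2k_idp_check "$GOOD_LOG" 172.29.236.11 && echo "IdP side looks fine"
k2k_idp_check "$BAD_LOG" 172.29.236.11 || echo "IdP side rejected the ECP request"
```

Run it against the real log with the SP's address as the second argument; a MISSING line for the ECP request while the token request is OK points at the federation setup rather than at basic connectivity.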
On Thu, 2019-01-10 at 14:50 +0000, Csatari, Gergely (Nokia -
HU/Budapest) wrote:
> Hi,
>
> Okay, the problem was with the wrong IP configuration for the
> metadata fetching.
>
> Now it is sorted out, but Shibboleth is still not happy.
>
> I've attached the error log I get now from the IdP.
>
> If you have any idea for the reason please notify me.
>
> Br,
> Gerg0
>
> From: Csatari, Gergely (Nokia - HU/Budapest)
> Sent: Monday, January 7, 2019 4:23:23 PM
> To: nick at stackhpc.com; knikolla at bu.edu; colleen at gazlene.net; mbuil at suse.com; edge-computing at lists.openstack.org; Ildiko Vancsa; Beierl, Mark
> Subject: Re: Status of Keystone federation testing with tempest
>
> Hi,
>
> Just to send a signal that I'm still working on this (with best
> effort).
>
> What I could figure out in the last months is that we need a
> "verify=False" parameter in the session.post of
> send_identity_provider_authn_request (in saml2_client.py) to be able
> to connect to the IdP using self-signed certificates.
>
> Now I'm able to communicate with the IdP and I can see that there is
> a problem with the IdP config.
>
> This is the log of Shibboleth:
>
> 2019-01-07 11:33:55,165 - WARN [net.shibboleth.idp.profile.impl.SelectProfileConfiguration:111] - Profile Action SelectProfileConfiguration: Profile http://shibboleth.net/ns/profiles/saml2/sso/ecp is not available for RP configuration shibboleth.UnverifiedRelyingParty (RPID http://127.0.0.1/shibboleth)
> 2019-01-07 11:33:55,167 - WARN [org.opensaml.profile.action.impl.LogEvent:105] - A non-proceed event occurred while processing the request: InvalidProfileConfiguration
>
> I keep debugging this and will update you about the results.
>
> Would it help if I pushed all modified things to GitHub with a
> description of how I am doing the configuration?
>
> Br,
> Gerg0
>
> From: Csatari, Gergely (Nokia - HU/Budapest)
> Sent: Saturday, September 15, 2018 12:36 AM
> To: nick at stackhpc.com; knikolla at bu.edu; colleen at gazlene.net; mbuil at suse.com; edge-computing at lists.openstack.org
> Subject: Re: Status of Keystone federation testing with tempest
>
> Hi,
>
> Some update on the open issues:
>    - Make this work 😉: Okay, I realized that I use the wrong
> certificate in the IdP. Based on the IdP's description I should
> generate a p12 certificate using the certificate and the key used by
> the Shibboleth SP. When I try to generate the certificate I get a
> strange error:
>
> openssl pkcs12 -inkey /etc/shibboleth/sp-key.pem -in /etc/shibboleth/sp-cert.pem -out ../keystone-shibboleth-idp-dockerized/shibboleth-idp/credentials/idp-browser.p12
>
> 139822780584384:error:0D0680A8:asn1 encoding routines:asn1_check_tlen:wrong tag:../crypto/asn1/tasn_dec.c:1129:
> 139822780584384:error:0D07803A:asn1 encoding routines:asn1_item_embed_d2i:nested asn1 error:../crypto/asn1/tasn_dec.c:289:Type=PKCS12
>
> Google tells me that this is because one of my pem files is in the
> wrong format. This is really strange as the error persists even after
> I regenerated these files with
>
> shib-keygen -f -y 1
>
>    - Figure out how to start a Container in a Keystone plugin or a
> tempest plugin - no progress on this
>    - Figure out how to integrate with CI - no progress on this
>    - Figure out how to use static certificates and keys, so the same
> IdP container image can be used.
>
> If you are bigger fans of IRC than email I can start sending these
> updates to the keystone channel.
>
> Br,
> Gerg0
>
> From: Csatari, Gergely (Nokia - HU/Budapest)
> Sent: Wednesday, September 12, 2018 11:25:32 PM
> To: nick at stackhpc.com; knikolla at bu.edu; colleen at gazlene.net; mbuil at suse.com; edge-computing at lists.openstack.org
> Subject: Re: Status of Keystone federation testing with tempest
>
> Hi,
>
> Some update on the open issues.
>
>    - Make this work 😉 - here I have some progress, however I cannot
> explain why. Now keystone is able to reach Shibboleth and Shibboleth
> answers with FatalProfileException "A valid authentication statement
> was not found in the incoming message.". I continue to figure out
> what the problem is.
>    - Set the idp address in the correct place - This is done thanks
> to gmann.
>    - Figure out how to start a Container in a Keystone plugin or a
> tempest plugin - Here I try to use
> https://github.com/openstack/devstack-plugin-container however I'm
> not sure if this is the right tool to start containers in a DevStack
> environment.
>    - Figure out how to integrate with CI - no progress on this
>
> I'm still happy to get any help either in mail, IRC or in person at
> the PTG.
>
> Thanks,
> Gerg0
>
> From: Csatari, Gergely (Nokia - HU/Budapest)
> Sent: Friday, August 31, 2018 1:03:43 PM
> To: nick at stackhpc.com; knikolla at bu.edu; colleen at gazlene.net; mbuil at suse.com; edge-computing at lists.openstack.org
> Subject: Status of Keystone federation testing with tempest
>
>
> Hi,
>
> I've been working on this for a while, but as I am not a big expert
> of IdP, Keystone or Tempest I have a bit slow progress. I decided to
> share what I did and what my current problems are to 1) inform the
> team about the progress 2) keep a record for myself 3) hope for help
> and/or hints.
>
> So I did this:
> 1) Get an Ubuntu
> 2) Install devstack with
>
> enable_plugin keystone git://git.openstack.org/openstack/keystone
> enable_service keystone-saml2-federation
>
> Here I already ran into some package management issues due to some
> libcurl3 and libcurl4 incompatibility issue which I solved using
> https://launchpad.net/~xapienz/+archive/ubuntu/curl34
> 3) Install the Keystone tempest plugin
> 4) Build a Shibboleth IdP container based on
> https://github.com/Unicon/shibboleth-idp-dockerized with the
> configuration I believe is correct. I have a feeling that we will
> need to set a proper organisation for this if we want to publish this
> to Docker Hub. By the way, is there a container registry maintained
> in the OpenStack development infra?
> 5) Run the container and expose 8080, 4443 and 8443 ports
> This is a half success. Shibboleth contacts Keystone (or actually the
> Shibboleth apache module) for metadata update, but it works only on
> the first attempt. The regular updates are not working for some
> reason.
> Also I was not able to get a positive answer from the status script
> of Shibboleth itself, so I just decided to move a bit forward.
> 6) Set idp_url to
> https://localhost:8080/idp/profile/SAML2/SOAP/ECP in
> _request_unscoped_token inside the Keystone tempest plugin. Here I
> have no idea where the configuration is actually stored and where I
> should set this in a nice way.
> 7) Run the tempest tests. Now here I get an error message which tells
> me about SSL version numbers (handshake: Error([('SSL routines',
> 'ssl3_get_record', 'wrong version number')],)",),))). I tried to use
> different ssl versions with Curl, but it complains about the lack of
> support in libsso.
>
> So here I am now.
>
> Things that I definitely should figure out:
>    - Make this work 😉
>    - Set the idp address in the correct place
>    - Figure out how to start a Container in a Keystone plugin or a
> tempest plugin
>    - Figure out how to integrate with CI
>
> Any comments are welcome.
>
> Br,
> Gerg0
>
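The `openssl pkcs12` error in the September 15 update is worth a closer look. Without `-export` the command runs in parse mode and treats `-in` as a PKCS#12 file, so a PEM certificate is reported as `asn1_check_tlen:wrong tag ... Type=PKCS12` regardless of whether the PEM files are fine. The script below is an added example (not code from the thread, from Shibboleth or from the IdP container project): `make_idp_p12` bundles a key and certificate with `-export` and `verify_p12` reads the result back; the key and certificate are constructed throwaway ones standing in for sp-key.pem and sp-cert.pem, and the export password is a placeholder.

```shell
#!/bin/sh
# Added example: build the IdP's PKCS#12 credential from a PEM key and certificate.
# openssl pkcs12 needs -export to create a bundle; without it the tool runs in
# parse mode, treats -in as a PKCS#12 file, and a PEM certificate is reported
# as "asn1_check_tlen:wrong tag ... Type=PKCS12" even though the PEM is fine.
# Usage: make_idp_p12 <key.pem> <cert.pem> <out.p12> <export-password>
make_idp_p12() {
  openssl pkcs12 -export -inkey "$1" -in "$2" -out "$3" \
    -name "shibboleth-sp" -passout "pass:$4" 2>/dev/null
}

# Read the bundle back and confirm it carries a client certificate.
verify_p12() {   # $1 = p12 file, $2 = password
  openssl pkcs12 -in "$1" -passin "pass:$2" -nokeys -clcerts 2>/dev/null \
    | grep -q 'BEGIN CERTIFICATE'
}

WORK=$(mktemp -d)
# Constructed throwaway key/cert standing in for /etc/shibboleth/sp-key.pem
# and sp-cert.pem (what shib-keygen writes); the password is a placeholder.
openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=sp.example.test" \
  -keyout "$WORK/sp-key.pem" -out "$WORK/sp-cert.pem" 2>/dev/null
PASS='CHANGE_ME'

# The invocation from the thread (no -export) fails on PEM input:
if openssl pkcs12 -inkey "$WORK/sp-key.pem" -in "$WORK/sp-cert.pem" \
     -out "$WORK/wrong.p12" -passin "pass:$PASS" -nodes </dev/null 2>/dev/null; then
  echo "unexpected: parse mode accepted a PEM certificate"
else
  echo "parse mode rejects PEM input, as in the thread"
fi

make_idp_p12 "$WORK/sp-key.pem" "$WORK/sp-cert.pem" "$WORK/idp-browser.p12" "$PASS"
verify_p12 "$WORK/idp-browser.p12" "$PASS" && echo "idp-browser.p12 built and readable"
```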