Fiware - How to integrate Keyrock IdM, Wilma PEP Proxy and Orion Context Broker?

我只是一个虾纸丫 提交于 2019-11-28 14:20:36

Seeing the answer of @albertinisg here, I found a bash script for token request. I changed it to use with my local instances and it worked.

After registering my application at FIWARE Portal (more information here), I had to make a POST request to http://idm:8000/oauth2/token (idm is my local instance of Keyrock). With this valid token, I can access the content in Orion.

import requests, json, getpass

TOKEN_URL = "http://idm:5000/v2.0/tokens"

USER = raw_input("Username: ")
PASSWORD = getpass.getpass("Password: ")
PAYLOAD = "{\"auth\": {\"passwordCredentials\": {\"username\":\""+USER+"\", \"password\":\""+PASSWORD+"\"}}}"
HEADERS =  {'content-type': 'application/json'}
RESP = requests.post(TOKEN_URL, data=PAYLOAD, headers=HEADERS)

PEP Proxy (Wilma) configuration (config.js):

config.app_host = 'my_orion_ip'; //change to your Orion address
config.app_port = '1026'; //change to your Orion port

config.username = 'pep_proxy_credential_obtained_at_portal';
config.password = 'password_obtained_at_portal';

With the valid token and the PEP Proxy (Wilma) server running with this configuration, it is possible to control the access to Orion doing a request to PEP Proxy address. The PEP Proxy will redirect this request to IdM (Keyrock) so that IdM can verify the user/device credentials. If the credentials are valid, the user/device will receive a valid token and now PEP Proxy can allow the access to Orion.

For HTTPS communication, I configured a Nginx server to act like a reverse proxy (.conf file):

server {
   listen       443;
   server_name  orion;

   ssl                  on;
   ssl_certificate      /etc/nginx/ssl/orion.crt;
   ssl_certificate_key  /etc/nginx/ssl/orion.key;
   ...
   ...
   location / {
      #root   orion:1026;   #/var/www/yourdomain.com;
       #index  index.php index.html index.htm;
       proxy_set_header        Host $host;
       proxy_set_header        X-Real-IP $remote_addr;
       proxy_set_header        X-Forwarded-For $proxy_add_x_forwarded_for;
       proxy_set_header        X-Forwarded-Proto $scheme;

       # Fix the “It appears that your reverse proxy set up is broken" error.
       proxy_pass          http://orion:1026;
       proxy_read_timeout  90;
       proxy_redirect      http://orion:1026 https://orion;
   }
}

I made a simple tutorial about the integration of FIWARE Orion, Wilma and Keyrock: https://www.slideshare.net/daltoncezane/integrating-fiware-orion-keyrock-and-wilma

I hope this answer can help someone else.

Regarding Orion, it depends on the interface to be secured, either the service API (i.e. the listening REST server that Orion runs typically at port 1026), the notification API or both:

  • Regarding service API:
    • Authentication & authorization: it can be implemented through PEP. The following documentation introduces two PEP alternative implementations. However, note that PEP doesn't work standalone, as it also needs the IDM and Access Control to work. I understand that @Alvaro can explain this topic in detail (with regards to Wilma PEP). It is out of my knowledge.
    • Encryption: it can be implemented by a proxy acting as HTTPS-to-HTTP bridge (e.g. ngnix) or by Orion itself using the -https CLI parameter (which works in combination with -key and -cert). This section of the documentation elaborates on it.
  • Regarding notification API:
    • Authentication & authorization: the current implementation of custom notifications (see "Custom notifications" section in the NGSIv2 specification) allows you to include custom HTTP headers that could be used for authentication (e.g. the X-Auth-Token header needed by a PEP instance protecting your endpoint). Note that this is currently done in an static way, i.e. Orion is not able to interact directly with IDM/AccessControl to set the X-Auth-Token value dynamically after expiration, etc. However, it would be possible to develop a process able to do this and set the proper header (if you are interested in this I'd recommend to check "How to add a custom header in outgoing notifications with Orion?" post).
    • Encryption: it can be implemented relaying in Rush component. This section of the documentation elaborates on it.

UPDATE: since verion 1.7.0, Orion implements native HTTPS notifications (i.e. without needing Rush).

The following presentation shows you step by step how to create a FIWARE-Based IoT Platform and to secure it using a PEP Proxy, Keystone and Keypass.

https://docs.google.com/presentation/d/18LaWZSK4h2wncPF6hNAwK5MToLvJesR3XLrzsqrsmrw/edit?usp=sharing

I hope this helps

thanks

易学教程内所有资源均来自网络或用户发布的内容,如有违反法律规定的内容欢迎反馈
该文章没有解决你所遇到的问题?点击提问,说说你的问题,让更多的人一起探讨吧!