  1. Help-Desk
  2. HELP-5088

CLONE - FIWARE.Request.Coach.FINODEX.Re: Fiware-finodex-coaching Digest, Vol 8, Issue 9

    Details

    • Type: extRequest
    • Status: Closed
    • Priority: Major
    • Resolution: Done
    • Fix Version/s: 2021
    • Component/s: None
    • Labels:
      None

      Description

      Dear Pasquale,

      Thank you for your answer. Our project is named NaviParking (FINODEX_093).

      Writing about the "production environment", I mean the instance of our system which is used by real users. We also have a separate system instance that is used by developers and testers ("test environment").

      I am not sure if we can assume that we will always be able to use the FI-LAB instance of Cosmos. A problem can appear in the further future if we have to create our own instance of Cosmos because FI-LAB does not allow us to use the global instance any longer. In such a case we will have to migrate data from the global Cosmos instance to our own Cosmos instance.

      Orion has no built-in authentication and authorization mechanisms, and probably the best way of performing user authentication and authorization is placing a PEP Proxy between frontend applications and Orion. PEP Proxy collaborates with an external identity management component (e.g. we can use KeyRock or FI-LAB identity management).
      It seems that we will have to install our own instance of KeyRock to avoid problems in the future. Do you know some other (simpler) options?

      Best regards,

      Rafal Morawiec
      Ekinno Lab Sp. z o.o.
      ul. Toszecka 101
      44-100 Gliwice
      Poland

      Phone: +48 690317369
      E-mail: rafal.morawiec@ekinnolab.eu <marek.stawinski@ekinnolab.eu>

      On 29 October 2015 12:00:01 +01:00 fiware-finodex-coaching-request@lists.fiware.org wrote:

      > Send Fiware-finodex-coaching mailing list submissions to
      > fiware-finodex-coaching@lists.fiware.org
      >
      > To subscribe or unsubscribe via the World Wide Web, visit
      > https://lists.fiware.org/listinfo/fiware-finodex-coaching
      > or, via email, send a message with subject or body 'help' to
      > fiware-finodex-coaching-request@lists.fiware.org
      >
      > You can reach the person managing the list at
      > fiware-finodex-coaching-owner@lists.fiware.org
      >
      > When replying, please edit your Subject line so it is more specific
      > than "Re: Contents of Fiware-finodex-coaching digest..."
      >
      >
      > Today's Topics:
      >
      > 1. Re: FI-LAB (Pasquale Vitale)
      >
      >
      > ----------------------------------------------------------------------
      >
      > Message: 1
      > Date: Thu, 29 Oct 2015 10:27:45 +0100
      > From: Pasquale Vitale <pvitale@eng.it>
      > To: <fiware-finodex-coaching@lists.fiware.org>
      > Subject: Re: [Fiware-finodex-coaching] FI-LAB
      > Message-ID: <5631E691.2040603@eng.it>
      > Content-Type: text/plain; charset="windows-1252"; Format="flowed"
      >
      > Dear Rafal,
      > yes, you can use the global instance of Cosmos and FIWARE account.
      >
      > But I want to understand the "production environments",
      > you can use them in the FIWARE and you can still use them after the end
      > of accelerator (other 9 months).
      >
      > Please could you tell me your project in FINODEX?
      >
      > Thank you and regards,
      > Pasquale
      >
      >
      >
      > On 26/10/2015 18:45, Rafal Morawiec wrote:
      >
      > > Hello,
      > >
      > > I have two questions related to FI-LAB. Generally, FI-LAB allows for
      > > testing and evaluation of FiWare components. I am not sure if some
      > > services offered by FI-LAB can be used in "production environments".
      > >
      > > Could we use the global instance of Cosmos in the final version of our
      > > system? At the beginning Cosmos will not play a key role in our system
      > > so we could use the existing Cosmos instance. This instance is
      > > described on the page pointed below.
      > >
      > > <http://catalogue.fiware.org/enablers/bigdata-analysis-cosmos/instances>
      > >
      > > Could we use FI-LAB accounts for authentication of admins and mobile
      > > apps? Initially, we planned to create our own instance of KeyRock for
      > > identity management. However, it seems that usage of FI-LAB accounts
      > > will be more convenient for us (we would like to use FI-LAB accounts
      > > with PEP Proxy).
      > >
      > > Thank you in advance for your answer.
      > >
      > > Best regards,
      > > Rafal Morawiec
      > > Ekinno Lab Sp. z o.o.
      > > ul. Toszecka 101
      > > 44-100 Gliwice
      > > Poland
      > > Phone: +48 690317369
      > > E-mail: rafal.morawiec@ekinnolab.eu <mailto:marek.stawinski@ekinnolab.eu>
      > >
      > >
      > >
      > > Since January 1st, old domains won't be supported and messages sent to any domain different to @lists.fiware.org will be lost.
      > > Please, send your messages using the new domain (Fiware-finodex-coaching@lists.fiware.org) instead of the old one.
      > > _______________________________________________
      > > Fiware-finodex-coaching mailing list
      > > Fiware-finodex-coaching@lists.fiware.org
      > > <https://lists.fiware.org/listinfo/fiware-finodex-coaching>
      > >
      >
      > ------------------------------
      >
      > End of Fiware-finodex-coaching Digest, Vol 8, Issue 9
      > *****************************************************
      >

      [Created via e-mail received from: Rafal Morawiec <rafal.morawiec@ekinnolab.eu>]

          Activity

          pasquale.vitale Pasquale Vitale added a comment -

          Dear Fermin,
          could you help this user?

          He said:
          "I am interested in alternatives for KeyRock. Using FI-LAB accounts is good for prototypes and testing. It seems we need our own instance of KeyRock if we want to use the system with real users. This separate KeyRock instance will be collaborating with a PEP Proxy instance located between our frontend applications and our Orion instance.

          However, in my opinion, it would be fine to authenticate Orion users with social media accounts (e.g. LinkedIn accounts, Facebook accounts). Can you see such possibilities?"

          Thank you
          best regards,
          Pasquale

          fermin Fermín Galán added a comment -

          The authentication & authorization framework mechanism is orthogonal to "core" Orion (by core Orion I mean the Orion component itself, i.e. the one which runs as a service and exposes the NGSI API). FIWARE recommends using the system based on PEP proxy + IdM + Access Control, but of course you can use whatever other mechanism to protect the Orion API.

          However, I'm not an expert in authentication & authorization (I'm an expert in Orion itself), so I cannot provide too much advice in this regard. Maybe Álvaro (in CC), whose work is more related to the security framework in FIWARE, could provide better advice.

          (Also answered by email).

          fermin Fermín Galán added a comment -

          I'm assigning the issue to Álvaro, in the hope he can provide better advice than me on security aspects. Álvaro, if you find this issue is not for you, please reassign it to the right people in the Security chapter. Thanks!

          mev Manuel Escriche added a comment -

          Pasquale, cloning this by hand doesn't do the right 'cloning'. There's the tool that clones it properly.
          This has been explained already. Additionally,

          aalonsog Alvaro Alonso added a comment -

          Hi,

          if you want to base the authentication/authorization on other IdPs' identities (Google, Facebook, etc.), you have to study the possibilities they offer to do so. You should be able to use the same idea as in FIWARE: create OAuth2 tokens with those IdPs and then put a kind of PEP Proxy (perhaps you can even use Wilma) on top of your Orion to validate the tokens with such IdPs.

          So the architecture is the same but the tokens provider (IdP) is different.

          BR
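
The arrangement described in the comment above (a PEP-style gate in front of Orion that validates OAuth2 tokens with an external IdP), sketched as an added example; it is not part of the ticket and is not Wilma's code. All function names are hypothetical, and the IdP answer is assumed to follow the RFC 7662 introspection fields (`active`, `sub`, `exp`), which a real provider may need an adapter for.

```javascript
// Added example, not FIWARE/Wilma code. All function names are hypothetical.
// Assumption: the IdP's token check returns RFC 7662-style fields
// ({ active, sub, exp in seconds }); real providers differ.

// Pull the OAuth2 token from "Authorization: Bearer ..." or X-Auth-Token.
// Header names are expected lowercased, as Node's http module delivers them.
function extractToken(headers) {
  const m = /^Bearer\s+(\S+)$/i.exec(headers['authorization'] || '');
  return m ? m[1] : (headers['x-auth-token'] || null);
}

// Pure decision on the IdP's answer: anything that is not explicitly
// active and unexpired is rejected.
function decide(info, nowMs) {
  if (!info || info.active !== true) return { status: 401, forward: false };
  if (typeof info.exp !== 'number' || info.exp * 1000 <= nowMs) {
    return { status: 401, forward: false };
  }
  return { status: 200, forward: true, user: info.sub };
}

// Build the gate. `introspect(token)` is injected and wraps the chosen IdP.
function makePep(introspect, now = () => Date.now(), maxCacheMs = 60000) {
  const cache = new Map(); // token -> { info, until }
  return async function authorize(req) {
    const token = extractToken(req.headers);
    if (!token) return { status: 401, forward: false };
    const hit = cache.get(token);
    if (hit && hit.until > now()) return decide(hit.info, now());
    cache.delete(token);
    let info;
    try {
      info = await introspect(token);
    } catch (err) {
      return { status: 503, forward: false }; // IdP unreachable: fail closed
    }
    const verdict = decide(info, now());
    if (verdict.forward) {
      // Never cache a positive answer past the token's own expiry.
      const until = Math.min(info.exp * 1000, now() + maxCacheMs);
      cache.set(token, { info, until });
    }
    return verdict;
  };
}
```

Only requests for which `authorize` returns `forward: true` would be passed on to Orion; swapping the IdP changes only the injected `introspect` function.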


            People

            • Assignee:
              aalonsog Alvaro Alonso
              Reporter:
              fw.ext.user FW External User