Details
-
Type:
extRequest
-
Status: Closed
-
Priority:
Major
-
Resolution: Done
-
Fix Version/s: 2021
-
Component/s: FIWARE-TECH-HELP
-
Labels:None
-
Sender Email:
-
HD-Chapter:Security
-
HD-Enabler:KeyRock
Description
Hi,
The following is a message received from the Kuan Intelligence team regarding AuthZForce and KeyRock, to be forwarded to the GE owners.
Best regards,
Marco
Marco Terrinoni
Consoft Sistemi s.p.a.
BU Application
Via Pio VII 127 - 10127 - Torino
Tel (+39) 011 3161571
Fax (+39) 011 3161583
_______________________________________________
Da: Yan Zhang yan.zhang@kuaninc.com
Inviato: lunedì 29 febbraio 2016 10:30
A: consoft-fiwarecoach@consoft.it
Cc: Xibo Wang <paulop5288@gmail.com>; Dmitry Moskalets <dimazaur@gmail.com>; Jiajie Li <jiajie.li@kuaninc.com>; Kenneth Ma <kenneth.ma@kuaninc.com>
Oggetto: Kuan intelligence query
Dear FIWARE coach,
Thanks a lot for your time today! Just now I queried you two questions about AuthZForce and KeyRock, and hoping to have your further description of answers. Following contents are the questions:
1. In the process of the integration of AuthZForce and our system, we deployed the functionalities of policy decision on our system. The question is if there are further functionalities or application on securing web application?
2. Another question is for keyrock, thanks for your mentioning that there wouldn't any dependency between KeyRock and AuthZForce. Our developer have met some problem in run time and also proposed some advice for installation that if the addition of two commands should be allowed:
>sudo apt-get update
>sudo apt-get install git
Also, the forwarded query message from our develop team is attached in the following content. Looking forward to your reply, many thanks!
Best regards
Yan Zhang
Hello!
I'm from Kuan Intelligence team.
We have a trouble with running KeyRock server.
Followed by documentation http://fiware-idm.readthedocs.org/en/latest/admin_guide.html but finally got some errors.
Could you please give an advice about it?
Many thanks.
[28/Feb/2016 20:15:18] "GET / HTTP/1.1" 500 59
DEBUG:idm_logger:Creating a new internal keystoneclient connection to http://127.0.0.1:5000/v3.
Unauthorized: The request you have made requires authentication. (HTTP 401)
Traceback (most recent call last):
File "/home/ubuntu/horizon/openstack_dashboard/fiware_api/keystone.py", line 776, in _get_element_and_cache
role = function(request, role)
File "/home/ubuntu/horizon/openstack_dashboard/fiware_api/keystone.py", line 801, in <lambda>
request, basic, lambda req, n: internal_keystoneclient(req).roles.find(name=n))
File "/home/ubuntu/horizon/openstack_dashboard/fiware_api/keystone.py", line 63, in internal_keystoneclient
cache.set(CACHE_CLIENT, keystoneclient.session.get_token(), INTERNAL_CLIENT_CACHE_TIME)
File "/home/ubuntu/horizon/.venv/src/python-keystoneclient/keystoneclient/session.py", line 610, in get_token
return (self.get_auth_headers(auth) or {}).get('X-Auth-Token')
File "/home/ubuntu/horizon/.venv/src/python-keystoneclient/keystoneclient/session.py", line 589, in get_auth_ headers
return auth.get_headers(self, **kwargs)
File "/home/ubuntu/horizon/.venv/src/python-keystoneclient/keystoneclient/auth/base.py", line 114, in get_hea ders
token = self.get_token(session)
File "/home/ubuntu/horizon/.venv/src/python-keystoneclient/keystoneclient/auth/identity/base.py", line 104, i n get_token
return self.get_access(session).auth_token
File "/home/ubuntu/horizon/.venv/src/python-keystoneclient/keystoneclient/auth/identity/base.py", line 144, i n get_access
self.auth_ref = self.get_auth_ref(session)
File "/home/ubuntu/horizon/.venv/src/python-keystoneclient/keystoneclient/auth/identity/v3.py", line 127, in get_auth_ref
authenticated=False, log=False, **rkwargs)
File "/home/ubuntu/horizon/.venv/src/python-keystoneclient/keystoneclient/session.py", line 488, in post
return self.request(url, 'POST', **kwargs)
File "/home/ubuntu/horizon/.venv/src/python-keystoneclient/keystoneclient/utils.py", line 318, in inner
return func(*args, **kwargs)
File "/home/ubuntu/horizon/.venv/src/python-keystoneclient/keystoneclient/session.py", line 389, in request
raise exceptions.from_response(resp, method, url)
Unauthorized: The request you have made requires authentication. (HTTP 401)
Traceback (most recent call last):
File "/usr/lib/python2.7/wsgiref/handlers.py", line 85, in run
self.result = application(self.environ, self.start_response)
File "/home/ubuntu/horizon/.venv/local/lib/python2.7/site-packages/django/contrib/staticfiles/handlers.py", l ine 67, in _call_
return self.application(environ, start_response)
File "/home/ubuntu/horizon/.venv/local/lib/python2.7/site-packages/django/core/handlers/wsgi.py", line 187, i n _call_
self.load_middleware()
File "/home/ubuntu/horizon/.venv/local/lib/python2.7/site-packages/django/core/handlers/base.py", line 47, in load_middleware
mw_instance = mw_class()
File "/home/ubuntu/horizon/.venv/local/lib/python2.7/site-packages/django/middleware/locale.py", line 24, in _init_
for url_pattern in get_resolver(None).url_patterns:
File "/home/ubuntu/horizon/.venv/local/lib/python2.7/site-packages/django/core/urlresolvers.py", line 365, in url_patterns
patterns = getattr(self.urlconf_module, "urlpatterns", self.urlconf_module)
File "/home/ubuntu/horizon/.venv/local/lib/python2.7/site-packages/django/core/urlresolvers.py", line 360, in urlconf_module
self._urlconf_module = import_module(self.urlconf_name)
File "/home/ubuntu/horizon/.venv/local/lib/python2.7/site-packages/django/utils/importlib.py", line 40, in im port_module
_import_(name)
File "/home/ubuntu/horizon/openstack_dashboard/urls.py", line 36, in <module>
from openstack_dashboard.dashboards.idm_admin.user_accounts \
File "/home/ubuntu/horizon/openstack_dashboard/dashboards/idm_admin/user_accounts/views.py", line 28, in <mod ule>
from openstack_dashboard.dashboards.idm_admin.user_accounts \
File "/home/ubuntu/horizon/openstack_dashboard/dashboards/idm_admin/user_accounts/forms.py", line 195, in <mo dule>
class UpdateAccountForm(forms.SelfHandlingForm, UserAccountsLogicMixin):
File "/home/ubuntu/horizon/openstack_dashboard/dashboards/idm_admin/user_accounts/forms.py", line 202, in Upd ateAccountForm
choices=get_account_choices())
File "/home/ubuntu/horizon/openstack_dashboard/dashboards/idm_admin/user_accounts/forms.py", line 172, in get _account_choices
use_idm_account=True),
File "/home/ubuntu/horizon/openstack_dashboard/fiware_api/keystone.py", line 801, in get_basic_role
request, basic, lambda req, n: internal_keystoneclient(req).roles.find(name=n))
File "/home/ubuntu/horizon/openstack_dashboard/fiware_api/keystone.py", line 780, in _get_element_and_cache
exceptions.handle(request)
File "/home/ubuntu/horizon/horizon/exceptions.py", line 291, in handle
messages.error(request, message or fallback)
File "/home/ubuntu/horizon/horizon/messages.py", line 83, in error
fail_silently=fail_silently)
File "/home/ubuntu/horizon/horizon/messages.py", line 41, in add_message
if not horizon_message_already_queued(request, message):
File "/home/ubuntu/horizon/horizon/messages.py", line 28, in horizon_message_already_queued
if request.is_ajax():
AttributeError: 'NoneType' object has no attribute 'is_ajax'
DEBUG:idm_logger:Creating a new internal keystoneclient connection to http://127.0.0.1:5000/v3.
Unauthorized: The request you have made requires authentication. (HTTP 401)
Traceback (most recent call last):
File "/home/ubuntu/horizon/openstack_dashboard/fiware_api/keystone.py", line 776, in _get_element_and_cache
role = function(request, role)
File "/home/ubuntu/horizon/openstack_dashboard/fiware_api/keystone.py", line 801, in <lambda>
request, basic, lambda req, n: internal_keystoneclient(req).roles.find(name=n))
File "/home/ubuntu/horizon/openstack_dashboard/fiware_api/keystone.py", line 63, in internal_keystoneclient
cache.set(CACHE_CLIENT, keystoneclient.session.get_token(), INTERNAL_CLIENT_CACHE_TIME)
File "/home/ubuntu/horizon/.venv/src/python-keystoneclient/keystoneclient/session.py", line 610, in get_token
return (self.get_auth_headers(auth) or {}).get('X-Auth-Token')
File "/home/ubuntu/horizon/.venv/src/python-keystoneclient/keystoneclient/session.py", line 589, in get_auth_ headers
return auth.get_headers(self, **kwargs)
File "/home/ubuntu/horizon/.venv/src/python-keystoneclient/keystoneclient/auth/base.py", line 114, in get_hea ders
token = self.get_token(session)
File "/home/ubuntu/horizon/.venv/src/python-keystoneclient/keystoneclient/auth/identity/base.py", line 104, i n get_token
return self.get_access(session).auth_token
File "/home/ubuntu/horizon/.venv/src/python-keystoneclient/keystoneclient/auth/identity/base.py", line 144, i n get_access
self.auth_ref = self.get_auth_ref(session)
File "/home/ubuntu/horizon/.venv/src/python-keystoneclient/keystoneclient/auth/identity/v3.py", line 127, in get_auth_ref
authenticated=False, log=False, **rkwargs)
File "/home/ubuntu/horizon/.venv/src/python-keystoneclient/keystoneclient/session.py", line 488, in post
return self.request(url, 'POST', **kwargs)
File "/home/ubuntu/horizon/.venv/src/python-keystoneclient/keystoneclient/utils.py", line 318, in inner
return func(*args, **kwargs)
File "/home/ubuntu/horizon/.venv/src/python-keystoneclient/keystoneclient/session.py", line 389, in request
raise exceptions.from_response(resp, method, url)
Unauthorized: The request you have made requires authentication. (HTTP 401)
Traceback (most recent call last):
File "/usr/lib/python2.7/wsgiref/handlers.py", line 85, in run
self.result = application(self.environ, self.start_response)
File "/home/ubuntu/horizon/.venv/local/lib/python2.7/site-packages/django/contrib/staticfiles/handlers.py", l ine 67, in _call_
return self.application(environ, start_response)
File "/home/ubuntu/horizon/.venv/local/lib/python2.7/site-packages/django/core/handlers/wsgi.py", line 187, i n _call_
self.load_middleware()
File "/home/ubuntu/horizon/.venv/local/lib/python2.7/site-packages/django/core/handlers/base.py", line 47, in load_middleware
mw_instance = mw_class()
File "/home/ubuntu/horizon/.venv/local/lib/python2.7/site-packages/django/middleware/locale.py", line 24, in _init_
for url_pattern in get_resolver(None).url_patterns:
File "/home/ubuntu/horizon/.venv/local/lib/python2.7/site-packages/django/core/urlresolvers.py", line 365, in url_patterns
patterns = getattr(self.urlconf_module, "urlpatterns", self.urlconf_module)
File "/home/ubuntu/horizon/.venv/local/lib/python2.7/site-packages/django/core/urlresolvers.py", line 360, in urlconf_module
self._urlconf_module = import_module(self.urlconf_name)
File "/home/ubuntu/horizon/.venv/local/lib/python2.7/site-packages/django/utils/importlib.py", line 40, in im port_module
_import_(name)
File "/home/ubuntu/horizon/openstack_dashboard/urls.py", line 36, in <module>
from openstack_dashboard.dashboards.idm_admin.user_accounts \
File "/home/ubuntu/horizon/openstack_dashboard/dashboards/idm_admin/user_accounts/views.py", line 28, in <mod ule>
from openstack_dashboard.dashboards.idm_admin.user_accounts \
File "/home/ubuntu/horizon/openstack_dashboard/dashboards/idm_admin/user_accounts/forms.py", line 195, in <mo dule>
class UpdateAccountForm(forms.SelfHandlingForm, UserAccountsLogicMixin):
File "/home/ubuntu/horizon/openstack_dashboard/dashboards/idm_admin/user_accounts/forms.py", line 202, in Upd ateAccountForm
choices=get_account_choices())
File "/home/ubuntu/horizon/openstack_dashboard/dashboards/idm_admin/user_accounts/forms.py", line 172, in get _account_choices
use_idm_account=True),
File "/home/ubuntu/horizon/openstack_dashboard/fiware_api/keystone.py", line 801, in get_basic_role
request, basic, lambda req, n: internal_keystoneclient(req).roles.find(name=n))
File "/home/ubuntu/horizon/openstack_dashboard/fiware_api/keystone.py", line 780, in _get_element_and_cache
exceptions.handle(request)
File "/home/ubuntu/horizon/horizon/exceptions.py", line 291, in handle
messages.error(request, message or fallback)
File "/home/ubuntu/horizon/horizon/messages.py", line 83, in error
fail_silently=fail_silently)
File "/home/ubuntu/horizon/horizon/messages.py", line 41, in add_message
if not horizon_message_already_queued(request, message):
File "/home/ubuntu/horizon/horizon/messages.py", line 28, in horizon_message_already_queued
if request.is_ajax():
AttributeError: 'NoneType' object has no attribute 'is_ajax'
DEBUG:idm_logger:Creating a new internal keystoneclient connection to http://127.0.0.1:5000/v3.
Unauthorized: The request you have made requires authentication. (HTTP 401)
Traceback (most recent call last):
File "/home/ubuntu/horizon/openstack_dashboard/fiware_api/keystone.py", line 776, in _get_element_and_cache
role = function(request, role)
File "/home/ubuntu/horizon/openstack_dashboard/fiware_api/keystone.py", line 801, in <lambda>
request, basic, lambda req, n: internal_keystoneclient(req).roles.find(name=n))
File "/home/ubuntu/horizon/openstack_dashboard/fiware_api/keystone.py", line 63, in internal_keystoneclient
cache.set(CACHE_CLIENT, keystoneclient.session.get_token(), INTERNAL_CLIENT_CACHE_TIME)
File "/home/ubuntu/horizon/.venv/src/python-keystoneclient/keystoneclient/session.py", line 610, in get_token
return (self.get_auth_headers(auth) or {}).get('X-Auth-Token')
File "/home/ubuntu/horizon/.venv/src/python-keystoneclient/keystoneclient/session.py", line 589, in get_auth_headers
return auth.get_headers(self, **kwargs)
File "/home/ubuntu/horizon/.venv/src/python-keystoneclient/keystoneclient/auth/base.py", line 114, in get_headers
token = self.get_token(session)
File "/home/ubuntu/horizon/.venv/src/python-keystoneclient/keystoneclient/auth/identity/base.py", line 104, in get_token
return self.get_access(session).auth_token
File "/home/ubuntu/horizon/.venv/src/python-keystoneclient/keystoneclient/auth/identity/base.py", line 144, in get_access
self.auth_ref = self.get_auth_ref(session)
File "/home/ubuntu/horizon/.venv/src/python-keystoneclient/keystoneclient/auth/identity/v3.py", line 127, in get_auth_ref
authenticated=False, log=False, **rkwargs)
File "/home/ubuntu/horizon/.venv/src/python-keystoneclient/keystoneclient/session.py", line 488, in post
return self.request(url, 'POST', **kwargs)
File "/home/ubuntu/horizon/.venv/src/python-keystoneclient/keystoneclient/utils.py", line 318, in inner
return func(*args, **kwargs)
File "/home/ubuntu/horizon/.venv/src/python-keystoneclient/keystoneclient/session.py", line 389, in request
raise exceptions.from_response(resp, method, url)
Unauthorized: The request you have made requires authentication. (HTTP 401)
Traceback (most recent call last):
File "/usr/lib/python2.7/wsgiref/handlers.py", line 85, in run
self.result = application(self.environ, self.start_response)
File "/home/ubuntu/horizon/.venv/local/lib/python2.7/site-packages/django/contrib/staticfiles/handlers.py", line 67, in _call_
return self.application(environ, start_response)
File "/home/ubuntu/horizon/.venv/local/lib/python2.7/site-packages/django/core/handlers/wsgi.py", line 187, in _call_
self.load_middleware()
File "/home/ubuntu/horizon/.venv/local/lib/python2.7/site-packages/django/core/handlers/base.py", line 47, in load_middleware
mw_instance = mw_class()
File "/home/ubuntu/horizon/.venv/local/lib/python2.7/site-packages/django/middleware/locale.py", line 24, in _init_
for url_pattern in get_resolver(None).url_patterns:
File "/home/ubuntu/horizon/.venv/local/lib/python2.7/site-packages/django/core/urlresolvers.py", line 365, in url_patterns
patterns = getattr(self.urlconf_module, "urlpatterns", self.urlconf_module)
File "/home/ubuntu/horizon/.venv/local/lib/python2.7/site-packages/django/core/urlresolvers.py", line 360, in urlconf_module
self._urlconf_module = import_module(self.urlconf_name)
File "/home/ubuntu/horizon/.venv/local/lib/python2.7/site-packages/django/utils/importlib.py", line 40, in import_module
_import_(name)
File "/home/ubuntu/horizon/openstack_dashboard/urls.py", line 36, in <module>
from openstack_dashboard.dashboards.idm_admin.user_accounts \
File "/home/ubuntu/horizon/openstack_dashboard/dashboards/idm_admin/user_accounts/views.py", line 28, in <module>
from openstack_dashboard.dashboards.idm_admin.user_accounts \
File "/home/ubuntu/horizon/openstack_dashboard/dashboards/idm_admin/user_accounts/forms.py", line 195, in <module>
class UpdateAccountForm(forms.SelfHandlingForm, UserAccountsLogicMixin):
File "/home/ubuntu/horizon/openstack_dashboard/dashboards/idm_admin/user_accounts/forms.py", line 202, in UpdateAccountForm
choices=get_account_choices())
File "/home/ubuntu/horizon/openstack_dashboard/dashboards/idm_admin/user_accounts/forms.py", line 172, in get_account_choices
use_idm_account=True),
File "/home/ubuntu/horizon/openstack_dashboard/fiware_api/keystone.py", line 801, in get_basic_role
request, basic, lambda req, n: internal_keystoneclient(req).roles.find(name=n))
File "/home/ubuntu/horizon/openstack_dashboard/fiware_api/keystone.py", line 780, in _get_element_and_cache
exceptions.handle(request)
File "/home/ubuntu/horizon/horizon/exceptions.py", line 291, in handle
messages.error(request, message or fallback)
File "/home/ubuntu/horizon/horizon/messages.py", line 83, in error
fail_silently=fail_silently)
File "/home/ubuntu/horizon/horizon/messages.py", line 41, in add_message
if not horizon_message_already_queued(request, message):
File "/home/ubuntu/horizon/horizon/messages.py", line 28, in horizon_message_already_queued
if request.is_ajax():
AttributeError: 'NoneType' object has no attribute 'is_ajax'
–
Regards,
Dmitry Moskalets
-----------------------------------------
Mr Yan Zhang
Chief Technology Officer
Kuan Intelligence Ltd
75 Whitechapel Road,
London, E1 1DU.
Tel: 020 7426 0365
https://mailfoogae.appspot.com/t?sender=aeWFuLnpoYW5nQGt1YW5pbmMuY29t&type=zerocontent&guid=1b391e0f-6a93-4fae-87fc-ae5db9b9f63eᐧ
Since January 1st, old domains won't be supported and messages sent to any domain different to @lists.fiware.org will be lost.
Please, send your messages using the new domain (Fiware-ceedtech-coaching@lists.fiware.org) instead of the old one.
_______________________________________________
Fiware-ceedtech-coaching mailing list
Fiware-ceedtech-coaching@lists.fiware.org
https://lists.fiware.org/listinfo/fiware-ceedtech-coaching
Issue Links
- relates to
-
HELC-1288
FIWARE.Request.Coach.CEED-Tech.Kuan intelligence query
-
- Closed
-
Activity
Hi Cyril,
What about the question regarding AuthZForce instead? Can you provide an answer?
Thank you very much for your time.
BR,
Marco
OK, the first question is:
In the process of the integration of AuthZForce and our system, we deployed the functionalities of policy decision on our system. The question is if there are further functionalities or application on securing web application?
Not sure the question is about Authzforce actually. Are you asking whether there is any other features/applications (like Generic Enablers I assume) in FIWARE Security Chapter - besides AuthZForce or KeyRock - that can help secure web applications ?
In this case, there is the PEP Proxy which plays the role of the PEP and reverse proxy in front of your web applications, i.e. it intercepts requests and connects to KeyRock and Authzforce to validate access token and authorize access to the application respectively.
Regards,
Cyril
Thank you Cyril.
Uhmm, probably that was the purpose of team's question...
Thanks, I'm going to forward your answer to the CEED Tech's team.
Could you help with the second question, Alvaro Alonso ? Thanks.
Hi,
I'm already discussing the problem with Dmitry via email (he asked me in a separate thread)
BR
Alvaro, I'd appreciate having the exchange here; otherwise, I miss it. Thanks
Hi Manuel, I mean he has sent me a private email (directly to my email address).
Hi Dmitry,
following our discussion here, you have to follow the intructions in
http://fiware-idm.readthedocs.org/en/latest/admin_guide.html#configuration
to configure horizon.
BR
Re-assigned to the IdM owner for the second question on Keyrock.