Details
- Type: Monitor
- Status: Closed
- Priority: Major
- Resolution: Done
- Affects Version/s: None
- Fix Version/s: 2021
- Component/s: FIWARE-TECH-HELP
- Labels: None
- HD-Chapter: Security
- HD-Enabler: KeyRock
Description
Created question in FIWARE Q/A platform on 09-03-2016 at 09:03
Please, ANSWER this question AT https://ask.fiware.org/question/419/idm-keystone-authentication-error-for-both-wilma-and-steelkin/
Question:
IdM, Keystone authentication error for both (wilma and steelkin)
Description:
Hi All,
We have deployed our own Keyrock IDM instance and are trying to configure a PEP-Proxy as a layer of security in front of a Context Broker+Cygnus instance, but we cannot perform any operation with either of the PEP-Proxies: Wilma or Steelskin. We can manage users, obtain and validate tokens (using the keystone API as reference), but for any other operation we always get an error:
Using pepProxy Steelskin, we got:
Status Code: 500
Response:
{
    "name": "PEPPROXYAUTHENTICATION_REJECTED",
    "message": "Proxy authentication was rejected with code: 401"
}
with this configuration (relevant fields only):
// Protected Resource configuration
config.resource = {
    original: {
        host: 'localhost',
        port: 1026
    },
    proxy: {
        port: 4003,
        adminPort: 11211
    }
};
// Access Control configuration
config.access = {
    disable: true,
    protocol: 'http',
    host: '192.168.1.101',
    port: 4002,
    path: '/pdp/v3'
};
// User identity configuration
config.authentication = {
    checkHeaders: false,
    module: 'keystone',
    user: 'pepproxyc2*', //generated by KeyRock IDM
    password: '31', //generated by KeyRock IDM
    domainName: 'default',
    retries: 3,
    cacheTTLs: {
        users: 1000,
        projectIds: 1000,
        roles: 60
    },
    options: {
        protocol: 'http',
        host: '192.168.1.101',
        port: 4002,
        path: '/v3/role_assignments',
        authPath: '/v3/auth/tokens'
    }
};
// Security configuration
config.ssl = {
    active: false,
    keyFile: '',
    certFile: ''
};
config.logLevel = 'DEBUG';
// List of component middlewares
config.middlewares = {
    require: 'lib/plugins/orionPlugin',
    functions: [
        'extractCBAction'
    ]
};
config.dieOnRedirectError = false;
config.componentName = 'orion';
config.resourceNamePrefix = 'fiware:';
config.bypass = false;
config.bypassRoleId = '';
Keyrock:
domain: default
service: keystone
/v3/auth/tokens
Using the Wilma proxy, we get:
2016-03-08 17:08:19.361 - INFO: IDM-Client - Checking token with IDM...
2016-03-08 17:08:19.365 - ERROR: Server - Caught exception: SyntaxError: Unexpected token E
with this config.js file (relevant fields only):
config.pep_port = 10000;
config.https = undefined;
config.accounthost = 'http://192.168.1.101:8000'; //KeyRock IDM - horizon instance.
config.keystonehost = 'http://192.168.1.101'; //KeyRock IDM - keystone instance.
config.keystone_port = 4002;
config.apphost = 'http://192.168.1.102';
config.appport = '4000';
config.app_ssl = false;
config.username = 'pepproxy5e'; //generated by KeyRock IDM
config.password = 'ce'; //generated by KeyRock IDM
config.azf = {
    enabled: false,
    host: 'auth.lab.fiware.org',
    port: 6019,
    path: '/authzforce/domains/',
    custompolicy: undefined // use undefined to default policy checks (HTTP verb + path).
};
config.publicpaths = ['/login', '/signup'];
All GEs are deployed on our local machines and perform well individually.
Best regards
Gustavo
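
Added example (not part of the original question, and not code from Wilma or Steelskin): both errors above are reported while the proxy is talking to the IdM, so this offline Node.js example builds the standard Keystone v3 password-authentication request from the posted `config.authentication` values and classifies an IdM reply without letting a non-JSON body raise `SyntaxError`. The function names, the sample replies, and the assumption that the proxy's service account is checked with this request are illustrative.

```javascript
'use strict';

// Values copied from the Steelskin config.authentication block in the post.
const authentication = {
  user: 'pepproxyc2*',
  password: '31',
  domainName: 'default',
  options: { protocol: 'http', host: '192.168.1.101', port: 4002, authPath: '/v3/auth/tokens' }
};

// Build the Keystone v3 password-authentication request for a service account.
// (Hypothetical helper name; the request shape is the Keystone v3 identity API.)
function buildKeystoneAuthRequest(auth) {
  const o = auth.options;
  const user = { name: auth.user, domain: { name: auth.domainName }, password: auth.password };
  return {
    method: 'POST',
    url: `${o.protocol}://${o.host}:${o.port}${o.authPath}`,
    headers: { 'Content-Type': 'application/json' },
    body: JSON.stringify({ auth: { identity: { methods: ['password'], password: { user } } } })
  };
}

// Classify an IdM reply. A body that is not JSON is reported, not thrown.
function classifyIdmReply(status, headers, body) {
  try {
    JSON.parse(body);
  } catch (err) {
    return { ok: false, status, reason: 'non-json-body', preview: String(body).slice(0, 40) };
  }
  if (status === 401) return { ok: false, status, reason: 'credentials-rejected' };
  if (status === 201 && headers['x-subject-token']) {
    return { ok: true, status, reason: 'token-issued' };
  }
  return { ok: false, status, reason: 'unexpected-status' };
}

// Constructed sample replies (not captured from the poster's deployment).
const samples = [
  [200, {}, 'Error: constructed plain-text reply'],
  [401, {}, '{"error":{"code":401,"title":"Unauthorized"}}'],
  [201, { 'x-subject-token': 'constructed-token' }, '{"token":{}}']
];

console.log(buildKeystoneAuthRequest(authentication).url);
for (const [status, headers, body] of samples) {
  console.log(classifyIdmReply(status, headers, body));
}
```

Sending the built request with any HTTP client against the configured IdM shows whether the service-account credentials themselves are accepted, independently of either proxy.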
Activity
Field | Original Value | New Value |
---|---|---|
Component/s | FIWARE-TECH-HELP [ 10278 ] |
Assignee | Alvaro Alonso [ aalonsog ] |
Status | Open [ 1 ] | In Progress [ 3 ] |
Status | In Progress [ 3 ] | Answered [ 10104 ] |
Resolution | Done [ 10000 ] | |
Status | Answered [ 10104 ] | Closed [ 6 ] |
Summary | [fiware-askbot] IdM, Keystone authentication error for both (wilma and steelkin) | FIWARE.Question.Tech.IdM, Keystone authentication error for both (wilma and steelkin) |
HD-Enabler | KeyRock [ 10889 ] | |
Description |
Created question in FIWARE Q/A platform on 09-03-2016 at 09:03 {color: red}Please, ANSWER this question AT{color} https://ask.fiware.org/question/419/idm-keystone-authentication-error-for-both-wilma-and-steelkin/ +Question:+ IdM, Keystone authentication error for both (wilma and steelkin) +Description:+ Hi All, We have deployed our own Keyrock IDM instance and try to configure a PEP-Proxy as layer os security in front of a Context Broker+Cygnus instance. but we can not perform any operation with any of both PEP-Proxies: Wilma or Steelskin. We can manage users, obtain and validate tokens (using the keystone API as reference), but for any other operation we always get an error: Using pepProxy steelkin, we got: Status Code: 500 Response: { "name": "PEPPROXYAUTHENTICATION_REJECTED", "message": "Proxy authentication was rejected with code: 401" } with this configuration (reelevant fields only): // Protected Resource configuration config.resource = { original: { host: 'localhost', port: 1026 }, proxy: { port: 4003, adminPort: 11211 } }; // Access Control configuration config.access = { disable: true, protocol: 'http', host: '192.168.1.101', port: 4002, path: '/pdp/v3' } // User identity configuration config.authentication = { checkHeaders: false, module: 'keystone', user: 'pepproxyc2*', //generated by KeyRock IDM password: '31', //generated by KeyRock IDM domainName: 'default', retries: 3, cacheTTLs: { users: 1000, projectIds: 1000, roles: 60 }, options: { protocol: 'http', host: '192.168.1.101', port: 4002, path: '/v3/role_assignments', authPath: '/v3/auth/tokens' } }; // Security configuration config.ssl = { active: false, keyFile: '', certFile: '' } config.logLevel = 'DEBUG'; // List of component middlewares config.middlewares = { require: 'lib/plugins/orionPlugin', functions: [ 'extractCBAction' ] }; config.dieOnRedirectError = false; config.componentName = 'orion'; config.resourceNamePrefix = 'fiware:'; config.bypass = false; config.bypassRoleId = ''; Keyrock: 
domain: default service: keystone /v3/auth/tokens Using wilma proxy, we get : 2016-03-08 17:08:19.361 - INFO: IDM-Client - Checking token with IDM... 2016-03-08 17:08:19.365 - ERROR: Server - Caught exception: SyntaxError: Unexpected token E with this config.js file (reelevant fields only): config.pep_port = 10000; config.https = undefined; config.accounthost = 'http://192.168.1.101:8000'; //KeyRock IDM - horizon instance. config.keystonehost = 'http://192.168.1.101'; //KeyRock IDM - keystone instance. config.keystone_port = 4002; config.apphost = 'http://192.168.1.102'; config.appport = '4000'; config.app_ssl = false; config.username = 'pepproxy5e'; //generated by KeyRock IDM config.password = 'ce'; //generated by KeyRock IDM config.azf = { enabled: false, host: 'auth.lab.fiware.org', port: 6019, path: '/authzforce/domains/', custompolicy: undefined // use undefined to default policy checks (HTTP verb + path). }; config.publicpaths = ['/login', '/signup']; All GEs are deployed in our local machines and perform well individually. Best regards Gustavo |
HD-Chapter | Security [ 10841 ] |
Summary | FIWARE.Question.Tech.IdM, Keystone authentication error for both (wilma and steelkin) | FIWARE.Question.Tech.Security.IDM-KeyRock.IdM, Keystone authentication error for both (wilma and steelkin) |
Fix Version/s | 2021 [ 12600 ] |
Transition | Time In Source Status | Execution Times | Last Executer | Last Execution Date |
---|---|---|---|---|
| 3d 22h 3m | 1 | Alvaro Alonso | 14/Mar/16 9:06 AM |
| 1s | 1 | Alvaro Alonso | 14/Mar/16 9:06 AM |
| 1s | 1 | Alvaro Alonso | 14/Mar/16 9:06 AM |
2016-03-10 11:05|CREATED monitor | # answers= 0, accepted answer= False