@edtubillara
Last active February 14, 2017 02:05
K2K Federation Vagrant Setup
To set up:
0. Set up Vagrant and VirtualBox, and place all files in this gist in one folder.
1. Review the Vagrantfile
Look at the Vagrantfile and its CPU/RAM settings. It runs two virtual
machines, so it can use a lot of resources; change the values to suit your
host. If you lower the RAM, you may get a 'no valid host was found' error
because the VMs no longer have enough memory allocated.
2. Run: `vagrant up`
3. Go to 192.168.50.7 in a web browser and log in using:
user: "another_demo_user"
password: "secretadmin"
You should then see a dropdown on the top right for federation.
You should be able to switch between Keystone providers.
idp-post-install.sh (run on the identity provider VM, 192.168.50.7, after install.sh):

```bash
#!/bin/bash -ex
sudo apt-get install -y xmlsec1
# Configure Keystone as a SAML identity provider
export KEYSTONE_CONF=/etc/keystone/keystone.conf
crudini --set $KEYSTONE_CONF saml certfile '/etc/keystone/keystone-saml.crt'
crudini --set $KEYSTONE_CONF saml keyfile '/etc/keystone/keystone-saml.pem'
crudini --set $KEYSTONE_CONF saml idp_entity_id 'http://192.168.50.7/v3/OS_FEDERATION/saml2/idp'
crudini --set $KEYSTONE_CONF saml idp_sso_endpoint 'http://192.168.50.7:5000/v3/OS-FEDERATION/saml2/sso'
crudini --set $KEYSTONE_CONF saml idp_metadata_path '/etc/keystone/keystone_idp_metadata.xml'
crudini --set $KEYSTONE_CONF saml idp_contact_surname 'melvin'
crudini --set $KEYSTONE_CONF token provider 'fernet'
# Install the IdP signing certificate and private key (PEM bodies are elided on this page)
rm -rf /etc/keystone/keystone-saml.crt
cat <<EOF > /etc/keystone/keystone-saml.crt
-----BEGIN CERTIFICATE-----
... certificate body elided ...
-----END CERTIFICATE-----
EOF
rm -rf /etc/keystone/keystone-saml.pem
cat <<EOF > /etc/keystone/keystone-saml.pem
-----BEGIN RSA PRIVATE KEY-----
... private key body elided ...
-----END RSA PRIVATE KEY-----
EOF
# Generate the IdP metadata the SP will fetch, and the Fernet token keys
keystone-manage saml_idp_metadata > /etc/keystone/keystone_idp_metadata.xml
mkdir -p /etc/keystone/fernet-keys/
keystone-manage fernet_setup
# Let Horizon answer on the private-network address
export LOCAL_SETTINGS="/opt/stack/horizon/openstack_dashboard/local/local_settings.py"
export ALLOWED_HOSTS_HACK="ALLOWED_HOSTS = ['192.168.50.7', ]"
grep -q "$ALLOWED_HOSTS_HACK" "$LOCAL_SETTINGS" || echo "$ALLOWED_HOSTS_HACK" >> "$LOCAL_SETTINGS"
sudo service apache2 restart
# Optional Horizon login-page K2K selector settings (left disabled)
#export K2K_SELECTION_AT_LOGIN_ENABLED='K2K_SELECTION_AT_LOGIN_ENABLED = True'
#export K2K_INITIAL_CHOICE='K2K_INITIAL_CHOICE = "local"'
#export K2K_CHOICES='K2K_CHOICES = (("local", _("Keystone Authentication")), ("lsp", _("Service_Provider lsp")))'
#grep -q "$K2K_SELECTION_AT_LOGIN_ENABLED" "$LOCAL_SETTINGS" || echo "$K2K_SELECTION_AT_LOGIN_ENABLED" >> "$LOCAL_SETTINGS"
#grep -q "$K2K_INITIAL_CHOICE" "$LOCAL_SETTINGS" || echo "$K2K_INITIAL_CHOICE" >> "$LOCAL_SETTINGS"
#grep -q "$K2K_CHOICES" "$LOCAL_SETTINGS" || echo "$K2K_CHOICES" >> "$LOCAL_SETTINGS"
# Register the SP VM with this Keystone and create the demo user allowed to federate
export IDENTITY_API_VERSION=3
. /opt/stack/devstack/openrc admin admin
set +e
openstack service provider delete VagrantServiceProvider
openstack service provider create --auth-url http://192.168.50.8:5000/v3/OS-FEDERATION/identity_providers/VagrantIdentityProvider/protocols/mapped/auth --service-provider-url http://192.168.50.8/Shibboleth.sso/SAML2/ECP VagrantServiceProvider
openstack user create another_demo_user --project demo --password secretadmin --or-show
openstack role add --project demo --user another_demo_user Member
```
install.sh (run on both VMs; installs devstack):

```bash
#!/bin/bash -e
set -e
export DEBIAN_FRONTEND=noninteractive
# Install Packages for Development
sudo apt-get update -y
sudo apt-get upgrade -y
sudo apt-get install -y apache2
sudo apt-get install -y git
sudo apt-get install -y curl
sudo apt-get install -y vim
sudo apt-get install -y git-review
sudo apt-get install -y python-pip
sudo apt-get install -y python2.7-dev
sudo apt-get install -y python3.4
sudo apt-get install -y python3.4-dev
sudo apt-get install -y python-tox
sudo apt-get install -y libssl-dev
sudo apt-get install -y libffi-dev
sudo apt-get install -y ebtables
sudo apt-get install -y crudini
sudo pip install rpdb
sleep 2
# Setup devstack
sudo mkdir -p /opt/stack
sudo chown -R vagrant:vagrant /opt/stack
if [ ! -d /home/vagrant/devstack ]
then
    git clone https://github.com/openstack-dev/devstack /home/vagrant/devstack || true
fi
if [ ! -d /opt/stack/devstack ]
then
    cp -r /home/vagrant/devstack /opt/stack
fi
# Source file to become admin
cd /opt/stack/devstack
rm -rf /home/vagrant/id_v.sh
sudo cat <<EOF > /home/vagrant/id_v.sh
export IDENTITY_API_VERSION=3
. /opt/stack/devstack/openrc admin admin
EOF
rm -rf local.conf
# Address on the Vagrant private network (eth1); devstack binds to it as HOST_IP
export STATIC_ADDR=`ip -4 addr show eth1 | grep -oP '(?<=inet\s)\d+(\.\d+){3}'`
# The heredoc is unquoted so $STATIC_ADDR expands now. The IMAGE_URL_* variables
# are defined inside local.conf, so they are escaped here and expanded by devstack
# when it sources the file (unescaped they would expand to empty strings).
sudo cat <<EOF > local.conf
[[local|localrc]]
disable_service tempest
enable_service h-eng h-api h-api-cfn h-api-cw
IMAGE_URL_SITE="http://download.fedoraproject.org"
IMAGE_URL_PATH="/pub/fedora/linux/releases/21/Cloud/Images/x86_64/"
IMAGE_URL_FILE="Fedora-Cloud-Base-20141203-21.x86_64.qcow2"
IMAGE_URLS+=","\$IMAGE_URL_SITE\$IMAGE_URL_PATH\$IMAGE_URL_FILE
LIBS_FROM_GIT=django_openstack_auth
# You can update these to pull from updated reviews
# HORIZON_REPO=https://git.openstack.org/openstack/horizon
# HORIZON_BRANCH=refs/changes/35/408435/3
# HORIZONAUTH_REPO=https://git.openstack.org/openstack/django_openstack_auth
# HORIZONAUTH_BRANCH=refs/changes/50/408450/8
HOST_IP=$STATIC_ADDR
RECLONE=yes
KEYSTONE_TOKEN_FORMAT=UUID
DATABASE_PASSWORD=secretdatabase
RABBIT_PASSWORD=secretrabbit
ADMIN_PASSWORD=secretadmin
SERVICE_PASSWORD=secretservice
SERVICE_TOKEN=111222333444
LOGFILE=/opt/stack/logs/stack.sh.log
EOF
echo "export SERVICE_HOST=\"localhost\"" >> .bashrc
sudo chown -R vagrant:vagrant /opt/stack/
cd /opt/stack/devstack
# Only run stack.sh once; a finished run leaves a "stack" screen session behind
if ! screen -list | grep -q "stack"; then
    ./stack.sh
fi
sudo apt-get install -y python-tox
```
sp-post-install.sh (run on the service provider VM, 192.168.50.8, after install.sh):

```bash
#!/bin/bash -ex
# Enable the 'mapped' auth method and tell Keystone which Shibboleth attribute carries the IdP id
export KEYSTONE_CONF=/etc/keystone/keystone.conf
crudini --set $KEYSTONE_CONF auth methods 'external,password,token,mapped'
crudini --set $KEYSTONE_CONF saml remote_id_attribute 'Shib-Identity-Provider'
crudini --set $KEYSTONE_CONF token provider 'fernet'
# Shibboleth SP: certificate and key (PEM bodies are elided on this page)
sudo apt-get install -y libapache2-mod-shib2
sudo rm -rf /etc/shibboleth/sp-cert.pem
cat << EOF | sudo tee -a /etc/shibboleth/sp-cert.pem
-----BEGIN CERTIFICATE-----
... certificate body elided ...
-----END CERTIFICATE-----
EOF
sudo rm -rf /etc/shibboleth/sp-key.pem
cat << EOF | sudo tee -a /etc/shibboleth/sp-key.pem
-----BEGIN RSA PRIVATE KEY-----
... private key body elided ...
-----END RSA PRIVATE KEY-----
EOF
# Attributes from the Keystone IdP assertion that Shibboleth exports to Keystone
sudo rm -rf /etc/shibboleth/attribute-map.xml
cat << EOF | sudo tee -a /etc/shibboleth/attribute-map.xml
<Attributes xmlns="urn:mace:shibboleth:2.0:attribute-map" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
    <Attribute name="openstack_user" id="openstack_user"/>
    <Attribute name="openstack_roles" id="openstack_roles"/>
    <Attribute name="openstack_project" id="openstack_project"/>
    <Attribute name="openstack_user_domain" id="openstack_user_domain"/>
    <Attribute name="openstack_project_domain" id="openstack_project_domain"/>
</Attributes>
EOF
# Shibboleth SP configuration; entityID and the SSO entityID must match the IdP's idp_entity_id
sudo rm -rf /etc/shibboleth/shibboleth2.xml
cat << EOF | sudo tee -a /etc/shibboleth/shibboleth2.xml
<SPConfig xmlns="urn:mace:shibboleth:2.0:native:sp:config"
    xmlns:conf="urn:mace:shibboleth:2.0:native:sp:config"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    clockSkew="180">
    <ApplicationDefaults entityID="VagrantServiceProvider">
        <Sessions lifetime="28800" timeout="3600" relayState="ss:mem"
            checkAddress="false" handlerSSL="false" cookieProps="http">
            <SSO entityID="http://192.168.50.7/v3/OS_FEDERATION/saml2/idp" ECP="true">
                SAML2 SAML1
            </SSO>
            <Logout>SAML2 Local</Logout>
            <Handler type="MetadataGenerator" Location="/Metadata" signing="false"/>
            <Handler type="Status" Location="/Status" acl="127.0.0.1 ::1"/>
            <Handler type="Session" Location="/Session" showAttributeValues="true"/>
            <Handler type="DiscoveryFeed" Location="/DiscoFeed"/>
        </Sessions>
        <Errors supportContact="fakeemail@opennstack.stackopenstack.com"
            helpLocation="/about.html"
            styleSheet="/shibboleth-sp/main.css"/>
        <MetadataProvider type="XML" uri="http://192.168.50.7:5000/v3/OS-FEDERATION/saml2/metadata" backingFilePath="idp-metadata-provider-backup.xml"/>
        <AttributeExtractor type="XML" validate="true" reloadChanges="false" path="attribute-map.xml"/>
        <AttributeResolver type="Query" subjectMatch="true"/>
        <AttributeFilter type="XML" validate="true" path="attribute-policy.xml"/>
        <CredentialResolver type="File" key="sp-key.pem" certificate="sp-cert.pem"/>
    </ApplicationDefaults>
    <SecurityPolicyProvider type="XML" validate="true" path="security-policy.xml"/>
    <ProtocolProvider type="XML" validate="true" reloadChanges="false" path="protocols.xml"/>
</SPConfig>
EOF
# Apache vhosts for Keystone; the federation auth URL is protected by Shibboleth
sudo rm -rf /etc/apache2/sites-available/keystone.conf
cat << EOF | sudo tee -a /etc/apache2/sites-available/keystone.conf
Listen 5000
Listen 35357
LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-agent}i\" %D(us)" keystone_combined
<Directory /usr/local/bin>
    Require all granted
</Directory>
<VirtualHost *:5000>
    WSGIDaemonProcess keystone-public processes=5 threads=1 user=vagrant display-name=%{GROUP}
    WSGIProcessGroup keystone-public
    WSGIScriptAlias / /usr/local/bin/keystone-wsgi-public
    WSGIApplicationGroup %{GLOBAL}
    WSGIPassAuthorization On
    ErrorLogFormat "%M"
    ErrorLog /var/log/apache2/keystone.log
    CustomLog /var/log/apache2/keystone_access.log keystone_combined
    <LocationMatch /v3/OS-FEDERATION/identity_providers/.*?/protocols/mapped/auth>
        ShibRequestSetting requireSession 1
        AuthType shibboleth
        ShibExportAssertion Off
        Require valid-user
    </LocationMatch>
</VirtualHost>
<VirtualHost *:35357>
    WSGIDaemonProcess keystone-admin processes=5 threads=1 user=vagrant display-name=%{GROUP}
    WSGIProcessGroup keystone-admin
    WSGIScriptAlias / /usr/local/bin/keystone-wsgi-admin
    WSGIApplicationGroup %{GLOBAL}
    WSGIPassAuthorization On
    ErrorLogFormat "%M"
    ErrorLog /var/log/apache2/keystone.log
    CustomLog /var/log/apache2/keystone_access.log keystone_combined
</VirtualHost>
Alias /identity /usr/local/bin/keystone-wsgi-public
<Location /identity>
    SetHandler wsgi-script
    Options +ExecCGI
    WSGIProcessGroup keystone-public
    WSGIApplicationGroup %{GLOBAL}
    WSGIPassAuthorization On
</Location>
Alias /identity_admin /usr/local/bin/keystone-wsgi-admin
<Location /identity_admin>
    SetHandler wsgi-script
    Options +ExecCGI
    WSGIProcessGroup keystone-admin
    WSGIApplicationGroup %{GLOBAL}
    WSGIPassAuthorization On
</Location>
<Location ~ /Shibboleth.sso>
    SetHandler shib
</Location>
<Location ~ /identity_provider/v3/auth/OS-FEDERATION/identity_providers/.*?/protocols/mapped/auth>
    ShibRequestSetting requireSession 1
    AuthType shibboleth
    ShibExportAssertion Off
    Require valid-user
</Location>
EOF
sudo service shibd restart
sudo a2enmod shib2
# Mapping rules: {0} is the asserted openstack_user; the any_one_of entry is a filter
# that only admits another_demo_user, everyone else is rejected at login
sudo rm -rf /tmp/mappings.json
cat << EOF | sudo tee -a /tmp/mappings.json
[
    {
        "local": [
            {
                "group": {
                    "domain": {
                        "name": "Default"
                    },
                    "name": "federated_users"
                },
                "user": {
                    "name": "{0}@VagrantServiceProvider"
                }
            }
        ],
        "remote": [
            {
                "type": "openstack_user"
            },
            {
                "type": "openstack_user",
                "any_one_of": [
                    "another_demo_user"
                ]
            }
        ]
    }
]
EOF
# Horizon: enable federation management and answer on the private-network address
export ENABLE_FED_MAN="OPENSTACK_KEYSTONE_FEDERATION_MANAGEMENT = True"
LOCAL_SETTINGS="/opt/stack/horizon/openstack_dashboard/local/local_settings.py"
grep -q "$ENABLE_FED_MAN" "$LOCAL_SETTINGS" || echo "$ENABLE_FED_MAN" >> "$LOCAL_SETTINGS"
export ALLOWED_HOSTS_HACK="ALLOWED_HOSTS = ['192.168.50.8', ]"
grep -q "$ALLOWED_HOSTS_HACK" "$LOCAL_SETTINGS" || echo "$ALLOWED_HOSTS_HACK" >> "$LOCAL_SETTINGS"
mkdir -p /etc/keystone/fernet-keys/
keystone-manage fernet_setup
sudo service apache2 restart
export IDENTITY_API_VERSION=3
. /opt/stack/devstack/openrc admin admin
set +e
# Try to delete stuff
openstack mapping delete mapping
openstack federation protocol delete --identity-provider VagrantIdentityProvider mapped
openstack identity provider delete VagrantIdentityProvider
# Create group and role assignments
openstack group create federated_users --or-show
openstack role add --project demo --group federated_users Member
openstack role add --domain Default --group federated_users Member
openstack role add --project alt_demo --group federated_users Member
# Create identity provider, mapping, and protocol (remote-id must equal the IdP's idp_entity_id)
openstack identity provider create VagrantIdentityProvider --remote-id http://192.168.50.7/v3/OS_FEDERATION/saml2/idp
openstack mapping create --rules /tmp/mappings.json mapping
openstack federation protocol create --identity-provider VagrantIdentityProvider --mapping mapping mapped
```
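At login, Keystone on the SP evaluates the /tmp/mappings.json rules above against the attributes Shibboleth exports (openstack_user and friends). The block below is an added, simplified re-implementation of that evaluation, not Keystone's own code, to show why the second `remote` entry matters: the plain first entry supplies `{0}`, while the `any_one_of` entry is a pure filter that rejects any asserted user other than `another_demo_user` even though the attribute is present. The assertion dicts are constructed samples.

```python
import json

# Mapping rules as written to /tmp/mappings.json by sp-post-install.sh
PAGE_MAPPING = json.loads("""
[{"local": [{"group": {"domain": {"name": "Default"}, "name": "federated_users"},
             "user": {"name": "{0}@VagrantServiceProvider"}}],
  "remote": [{"type": "openstack_user"},
             {"type": "openstack_user", "any_one_of": ["another_demo_user"]}]}]
""")

def _requirement_matches(req, values):
    """any_one_of / not_any_of act as filters on the attribute's values;
    a plain requirement only needs the attribute to exist (caller checks)."""
    if "any_one_of" in req:
        return any(v in req["any_one_of"] for v in values)
    if "not_any_of" in req:
        return all(v not in req["not_any_of"] for v in values)
    return True

def _substitute(obj, direct):
    """Fill the positional {0}, {1}, ... placeholders in a 'local' block."""
    if isinstance(obj, str):
        return obj.format(*direct)
    if isinstance(obj, dict):
        return {k: _substitute(v, direct) for k, v in obj.items()}
    if isinstance(obj, list):
        return [_substitute(v, direct) for v in obj]
    return obj

def evaluate_mapping(rules, assertion):
    """Return the 'local' entries of every matching rule, or None when none
    matches (Keystone then rejects the login). `assertion` maps attribute
    name -> list of values, as Keystone splits Shibboleth's ';'-joined env."""
    matched = []
    for rule in rules:
        direct, ok = [], True
        for req in rule["remote"]:
            values = assertion.get(req["type"])
            if not values or not _requirement_matches(req, values):
                ok = False  # one failed requirement rejects the whole rule
                break
            if "any_one_of" not in req and "not_any_of" not in req:
                # only filter-less requirements feed the {n} placeholders
                direct.append(values[0] if len(values) == 1 else values)
        if ok:
            matched.extend(_substitute(local, direct) for local in rule["local"])
    return matched or None
```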
Vagrantfile:

```ruby
# -*- mode: ruby -*-
# vi: set ft=ruby :
Vagrant.configure(2) do |config|
  config.vm.define "vagrant_idp" do |vagrant_idp|
    vagrant_idp.vm.box = "ubuntu/trusty64"
    vagrant_idp.vm.network "private_network", ip: "192.168.50.7"
    vagrant_idp.vm.provider "virtualbox" do |vb|
      vb.gui = false
      vb.memory = "6144"
      vb.cpus = "2"
    end
    vagrant_idp.vm.provision "shell", path: "install.sh", privileged: false, run: "always"
    vagrant_idp.vm.provision "shell", path: "idp-post-install.sh", privileged: false, run: "always"
  end #end vagrant_idp
  config.vm.define "vagrant_sp" do |vagrant_sp|
    vagrant_sp.vm.box = "ubuntu/trusty64"
    vagrant_sp.vm.network "private_network", ip: "192.168.50.8"
    vagrant_sp.vm.provider "virtualbox" do |vb|
      vb.gui = false
      vb.memory = "6144"
      vb.cpus = "2"
    end
    vagrant_sp.vm.provision "shell", path: "install.sh", privileged: false, run: "always"
    vagrant_sp.vm.provision "shell", path: "sp-post-install.sh", privileged: false, run: "always"
  end #end vagrant_sp
end
```