K2K Federation Vagrant Setup
To set up:
0. Install Vagrant and VirtualBox, and place all files from this gist in one folder.
1. Review the Vagrantfile.
   Look at the Vagrantfile and its CPU/RAM settings. It runs two virtual
   machines, so it can use a lot of resources. Change the Vagrantfile to
   your needs. If you lower the RAM you may get a 'no valid host was found'
   error, since there may not be enough memory allocated for instances.
2. Run: `vagrant up`
3. Go to http://192.168.50.7 in a web browser and log in using:
   user: "another_demo_user"
   password: "secretadmin"
   You should then see a dropdown on the top right for federation, and be
   able to switch between Keystone providers.

Note: this is a throwaway lab, not a template. Every password is a fixed
string in the scripts, all traffic (including the SAML exchange) is plain
HTTP on the host-only 192.168.50.0/24 network, and the provisioners re-run
on every `vagrant up`. Do not attach these VMs to a network you share.
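#!/bin/bash -ex
# idp-post-install.sh -- turn the devstack keystone on this VM (192.168.50.7)
# into a Keystone-to-Keystone (K2K) SAML identity provider and register the
# second VM (192.168.50.8) as its service provider.
#
# Runs after install.sh, unprivileged (as "vagrant"), on every `vagrant up`
# (the Vagrantfile uses run: "always"), so every step must be repeatable.
#
# Security notes for anyone adapting this beyond a throwaway lab:
#   * The SAML signing key is generated on this VM on first run and never
#     leaves it. Do not replace it with a key pasted into a script or gist:
#     whoever can read the gist can then mint assertions the SP will accept.
#   * Everything is plain HTTP and the SP fetches this IdP's metadata
#     unauthenticated; acceptable on a host-only VirtualBox network only.
sudo apt-get install -y xmlsec1

export KEYSTONE_CONF=/etc/keystone/keystone.conf
SAML_CERT=/etc/keystone/keystone-saml.crt
SAML_KEY=/etc/keystone/keystone-saml.pem

crudini --set $KEYSTONE_CONF saml certfile "$SAML_CERT"
crudini --set $KEYSTONE_CONF saml keyfile "$SAML_KEY"
# The entity id (note OS_FEDERATION with an underscore) is only an identifier,
# but it must match the SSO entityID in the SP's shibboleth2.xml and the
# --remote-id the SP registers for this IdP. Change all three or none.
crudini --set $KEYSTONE_CONF saml idp_entity_id 'http://192.168.50.7/v3/OS_FEDERATION/saml2/idp'
crudini --set $KEYSTONE_CONF saml idp_sso_endpoint 'http://192.168.50.7:5000/v3/OS-FEDERATION/saml2/sso'
crudini --set $KEYSTONE_CONF saml idp_metadata_path '/etc/keystone/keystone_idp_metadata.xml'
crudini --set $KEYSTONE_CONF saml idp_contact_surname 'melvin'
crudini --set $KEYSTONE_CONF token provider 'fernet'

# Generate the IdP signing key pair here instead of shipping one in the gist.
# genrsa runs under umask 077 so the key is never world-readable, not even
# before the chmod; the PKCS#1 "RSA PRIVATE KEY" PEM it writes is the format
# the original script used. The pair is kept across re-provisioning so the
# metadata the SP already cached stays valid; delete both files to rotate.
if [ ! -s "$SAML_KEY" ] || [ ! -s "$SAML_CERT" ]; then
    rm -f "$SAML_KEY" "$SAML_CERT"
    (umask 077 && openssl genrsa -out "$SAML_KEY" 2048)
    openssl req -new -x509 -key "$SAML_KEY" -out "$SAML_CERT" -days 365 \
        -subj '/CN=vagrant_idp'
fi
chmod 0600 "$SAML_KEY"
chmod 0644 "$SAML_CERT"

# Publish metadata (embeds the certificate above); the SP pulls it from
# http://192.168.50.7:5000/v3/OS-FEDERATION/saml2/metadata.
keystone-manage saml_idp_metadata > /etc/keystone/keystone_idp_metadata.xml
mkdir -p /etc/keystone/fernet-keys/
keystone-manage fernet_setup

# Horizon: allow requests addressed to this VM's private IP. grep -F matches
# the literal line; with a regex grep the brackets form a character class,
# the line never matches itself and a copy is appended on every run.
export LOCAL_SETTINGS="/opt/stack/horizon/openstack_dashboard/local/local_settings.py"
export ALLOWED_HOSTS_HACK="ALLOWED_HOSTS = ['192.168.50.7', ]"
grep -qF "$ALLOWED_HOSTS_HACK" "$LOCAL_SETTINGS" || echo "$ALLOWED_HOSTS_HACK" >> "$LOCAL_SETTINGS"
sudo service apache2 restart

# Optional Horizon K2K login-page settings (left disabled as in the original).
#export K2K_SELECTION_AT_LOGIN_ENABLED='K2K_SELECTION_AT_LOGIN_ENABLED = True'
#export K2K_INITIAL_CHOICE='K2K_INITIAL_CHOICE = "local"'
#export K2K_CHOICES='K2K_CHOICES = (("local", _("Keystone Authentication")), ("lsp", _("Service_Provider lsp")))'
#grep -qF "$K2K_SELECTION_AT_LOGIN_ENABLED" "$LOCAL_SETTINGS" || echo "$K2K_SELECTION_AT_LOGIN_ENABLED" >> "$LOCAL_SETTINGS"
#grep -qF "$K2K_INITIAL_CHOICE" "$LOCAL_SETTINGS" || echo "$K2K_INITIAL_CHOICE" >> "$LOCAL_SETTINGS"
#grep -qF "$K2K_CHOICES" "$LOCAL_SETTINGS" || echo "$K2K_CHOICES" >> "$LOCAL_SETTINGS"

# Register the SP VM. The delete is a best-effort cleanup for re-runs, hence
# set +e from here on; the create uses the SP's mapped-auth and ECP endpoints.
export IDENTITY_API_VERSION=3
. /opt/stack/devstack/openrc admin admin
set +e
openstack service provider delete VagrantServiceProvider
openstack service provider create --auth-url http://192.168.50.8:5000/v3/OS-FEDERATION/identity_providers/VagrantIdentityProvider/protocols/mapped/auth --service-provider-url http://192.168.50.8/Shibboleth.sso/SAML2/ECP VagrantServiceProvider
# Demo account used in the README; the SP's mapping rule only admits this
# exact user name. Fixed, well-known password: lab use only.
openstack user create another_demo_user --project demo --password secretadmin --or-show
openstack role add --project demo --user another_demo_user Member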
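#!/bin/bash -e
# install.sh -- first-stage provisioner shared by both VMs (see Vagrantfile).
# Installs development packages, checks out devstack into /opt/stack, writes
# a local.conf and runs stack.sh. It runs unprivileged as "vagrant" on every
# `vagrant up` (run: "always"), so it has to be safe to repeat: the clone and
# copy are guarded, and stack.sh is skipped when its "stack" screen session
# is already running.
#
# Lab-only: every password and the service token below are fixed, well-known
# strings and the services listen on plain HTTP. Do not reuse this local.conf
# anywhere reachable from a shared network.
set -e
export DEBIAN_FRONTEND=noninteractive

# Install packages for development
sudo apt-get update -y
sudo apt-get upgrade -y
sudo apt-get install -y apache2
sudo apt-get install -y git
sudo apt-get install -y curl
sudo apt-get install -y vim
sudo apt-get install -y git-review
sudo apt-get install -y python-pip
sudo apt-get install -y python2.7-dev
sudo apt-get install -y python3.4
sudo apt-get install -y python3.4-dev
sudo apt-get install -y python-tox
sudo apt-get install -y libssl-dev
sudo apt-get install -y libffi-dev
sudo apt-get install -y ebtables
sudo apt-get install -y crudini
# Remote debugger, installed unpinned from PyPI as root; fine for a lab VM,
# pin a version (and ideally hashes) before reusing this elsewhere.
sudo pip install rpdb
sleep 2

# Setup devstack
sudo mkdir -p /opt/stack
sudo chown -R vagrant:vagrant /opt/stack
if [ ! -d /home/vagrant/devstack ]; then
    # A failed clone must abort here (set -e) rather than be masked and then
    # resurface as a confusing "no such directory" from the cp below.
    git clone https://github.com/openstack-dev/devstack /home/vagrant/devstack
fi
if [ ! -d /opt/stack/devstack ]; then
    cp -r /home/vagrant/devstack /opt/stack
fi

# Helper to source for admin credentials. The redirection is performed by
# this (vagrant) shell, so sudo on cat would have no effect; it is omitted.
cd /opt/stack/devstack
rm -f /home/vagrant/id_v.sh
cat <<'EOF' > /home/vagrant/id_v.sh
export IDENTITY_API_VERSION=3
. /opt/stack/devstack/openrc admin admin
EOF

rm -f local.conf
STATIC_ADDR=$(ip -4 addr show eth1 | grep -oP '(?<=inet\s)\d+(\.\d+){3}')
export STATIC_ADDR
# The delimiter is intentionally unquoted so HOST_IP gets $STATIC_ADDR now.
# The IMAGE_URL_* references are escaped so devstack expands them when it
# sources localrc; unescaped they were expanded here, where they are unset,
# and IMAGE_URLS ended up as "," with no image at all.
cat <<EOF > local.conf
[[local|localrc]]
disable_service tempest
enable_service h-eng h-api h-api-cfn h-api-cw
# Check that this URL still resolves before relying on the image.
IMAGE_URL_SITE="http://download.fedoraproject.org"
IMAGE_URL_PATH="/pub/fedora/linux/releases/21/Cloud/Images/x86_64/"
IMAGE_URL_FILE="Fedora-Cloud-Base-20141203-21.x86_64.qcow2"
IMAGE_URLS+=","\$IMAGE_URL_SITE\$IMAGE_URL_PATH\$IMAGE_URL_FILE
LIBS_FROM_GIT=django_openstack_auth
# You can update these to pull from updated reviews
# HORIZON_REPO=https://git.openstack.org/openstack/horizon
# HORIZON_BRANCH=refs/changes/35/408435/3
# HORIZONAUTH_REPO=https://git.openstack.org/openstack/django_openstack_auth
# HORIZONAUTH_BRANCH=refs/changes/50/408450/8
HOST_IP=$STATIC_ADDR
RECLONE=yes
# The post-install scripts switch the token provider to fernet afterwards.
KEYSTONE_TOKEN_FORMAT=UUID
DATABASE_PASSWORD=secretdatabase
RABBIT_PASSWORD=secretrabbit
ADMIN_PASSWORD=secretadmin
SERVICE_PASSWORD=secretservice
SERVICE_TOKEN=111222333444
LOGFILE=/opt/stack/logs/stack.sh.log
EOF

# NOTE(review): because of the cd above this appends to
# /opt/stack/devstack/.bashrc, not ~/.bashrc -- presumably not intended, but
# kept as-is. Guarded so repeated provisioning does not append it again.
SERVICE_HOST_LINE='export SERVICE_HOST="localhost"'
grep -qF "$SERVICE_HOST_LINE" .bashrc 2>/dev/null || echo "$SERVICE_HOST_LINE" >> .bashrc
sudo chown -R vagrant:vagrant /opt/stack/
cd /opt/stack/devstack
# stack.sh leaves its services in a screen session named "stack"; skip the
# long run when one is already up from an earlier provision.
if ! screen -list | grep -q "stack"; then
    ./stack.sh
fi
sudo apt-get install -y python-tox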
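#!/bin/bash -ex
# sp-post-install.sh -- turn the devstack keystone on this VM (192.168.50.8)
# into the K2K service provider: keystone accepts "mapped" auth, Apache fronts
# it with the Shibboleth SP module, and the IdP VM (192.168.50.7) is registered
# together with the mapping rule that admits its users.
#
# Runs after install.sh, unprivileged (as "vagrant"), on every `vagrant up`
# (run: "always" in the Vagrantfile), so every step must be repeatable.
#
# Lab-only trust decisions, each marked where it is made below: the SP talks
# to the IdP over plain HTTP, fetches its metadata with no signature check,
# and issues non-secure session cookies. Do not copy these settings to a
# network you share with anyone.
export KEYSTONE_CONF=/etc/keystone/keystone.conf
crudini --set $KEYSTONE_CONF auth methods 'external,password,token,mapped'
crudini --set $KEYSTONE_CONF saml remote_id_attribute 'Shib-Identity-Provider'
crudini --set $KEYSTONE_CONF token provider 'fernet'

sudo apt-get install -y libapache2-mod-shib2

# SP key pair. The package's shib-keygen writes /etc/shibboleth/sp-key.pem and
# sp-cert.pem owned by the shibd service account; generate them once on this
# VM and keep them, instead of installing a private key that was pasted into
# a public gist (a key everyone can read is not a private key: anything it
# signs can be forged and anything encrypted to it can be read).
if [ ! -s /etc/shibboleth/sp-key.pem ] || [ ! -s /etc/shibboleth/sp-cert.pem ]; then
    sudo shib-keygen -f
fi
sudo chmod 0600 /etc/shibboleth/sp-key.pem

# Attribute names the IdP (keystone) puts in its assertions; the ids become
# request environment variables for keystone's mapped auth.
cat << 'EOF' | sudo tee /etc/shibboleth/attribute-map.xml >/dev/null
<Attributes xmlns="urn:mace:shibboleth:2.0:attribute-map" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
<Attribute name="openstack_user" id="openstack_user"/>
<Attribute name="openstack_roles" id="openstack_roles"/>
<Attribute name="openstack_project" id="openstack_project"/>
<Attribute name="openstack_user_domain" id="openstack_user_domain"/>
<Attribute name="openstack_project_domain" id="openstack_project_domain"/>
</Attributes>
EOF

# Shibboleth SP configuration. The SSO entityID must equal the IdP's
# idp_entity_id and the --remote-id registered below.
cat << 'EOF' | sudo tee /etc/shibboleth/shibboleth2.xml >/dev/null
<SPConfig xmlns="urn:mace:shibboleth:2.0:native:sp:config"
xmlns:conf="urn:mace:shibboleth:2.0:native:sp:config"
xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
clockSkew="180">
<ApplicationDefaults entityID="VagrantServiceProvider">
<!-- lab-only: nothing here terminates TLS, so handlers and the session
     cookie are plain http and checkAddress is off. -->
<Sessions lifetime="28800" timeout="3600" relayState="ss:mem"
checkAddress="false" handlerSSL="false" cookieProps="http">
<SSO entityID="http://192.168.50.7/v3/OS_FEDERATION/saml2/idp" ECP="true">
SAML2 SAML1
</SSO>
<Logout>SAML2 Local</Logout>
<Handler type="MetadataGenerator" Location="/Metadata" signing="false"/>
<Handler type="Status" Location="/Status" acl="127.0.0.1 ::1"/>
<Handler type="Session" Location="/Session" showAttributeValues="true"/>
<Handler type="DiscoveryFeed" Location="/DiscoFeed"/>
</Sessions>
<Errors supportContact="fakeemail@opennstack.stackopenstack.com"
helpLocation="/about.html"
styleSheet="/shibboleth-sp/main.css"/>
<!-- lab-only: trust in the IdP rests entirely on this unauthenticated HTTP
     fetch of its metadata; there is no TLS and no signature filter. -->
<MetadataProvider type="XML" uri="http://192.168.50.7:5000/v3/OS-FEDERATION/saml2/metadata" backingFilePath="idp-metadata-provider-backup.xml"/>
<AttributeExtractor type="XML" validate="true" reloadChanges="false" path="attribute-map.xml"/>
<AttributeResolver type="Query" subjectMatch="true"/>
<AttributeFilter type="XML" validate="true" path="attribute-policy.xml"/>
<CredentialResolver type="File" key="sp-key.pem" certificate="sp-cert.pem"/>
</ApplicationDefaults>
<SecurityPolicyProvider type="XML" validate="true" path="security-policy.xml"/>
<ProtocolProvider type="XML" validate="true" reloadChanges="false" path="protocols.xml"/>
</SPConfig>
EOF

# Replace devstack's keystone vhost with one that protects the mapped-auth
# URL with Shibboleth. The keystone WSGI processes run as "vagrant".
cat << 'EOF' | sudo tee /etc/apache2/sites-available/keystone.conf >/dev/null
Listen 5000
Listen 35357
LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-agent}i\" %D(us)" keystone_combined
<Directory /usr/local/bin>
Require all granted
</Directory>
<VirtualHost *:5000>
WSGIDaemonProcess keystone-public processes=5 threads=1 user=vagrant display-name=%{GROUP}
WSGIProcessGroup keystone-public
WSGIScriptAlias / /usr/local/bin/keystone-wsgi-public
WSGIApplicationGroup %{GLOBAL}
WSGIPassAuthorization On
ErrorLogFormat "%M"
ErrorLog /var/log/apache2/keystone.log
CustomLog /var/log/apache2/keystone_access.log keystone_combined
# Federated login endpoint: only reachable with a valid Shibboleth session,
# which is what turns the IdP's assertion into request attributes.
<LocationMatch /v3/OS-FEDERATION/identity_providers/.*?/protocols/mapped/auth>
ShibRequestSetting requireSession 1
AuthType shibboleth
ShibExportAssertion Off
Require valid-user
</LocationMatch>
</VirtualHost>
<VirtualHost *:35357>
WSGIDaemonProcess keystone-admin processes=5 threads=1 user=vagrant display-name=%{GROUP}
WSGIProcessGroup keystone-admin
WSGIScriptAlias / /usr/local/bin/keystone-wsgi-admin
WSGIApplicationGroup %{GLOBAL}
WSGIPassAuthorization On
ErrorLogFormat "%M"
ErrorLog /var/log/apache2/keystone.log
CustomLog /var/log/apache2/keystone_access.log keystone_combined
</VirtualHost>
Alias /identity /usr/local/bin/keystone-wsgi-public
<Location /identity>
SetHandler wsgi-script
Options +ExecCGI
WSGIProcessGroup keystone-public
WSGIApplicationGroup %{GLOBAL}
WSGIPassAuthorization On
</Location>
Alias /identity_admin /usr/local/bin/keystone-wsgi-admin
<Location /identity_admin>
SetHandler wsgi-script
Options +ExecCGI
WSGIProcessGroup keystone-admin
WSGIApplicationGroup %{GLOBAL}
WSGIPassAuthorization On
</Location>
<Location ~ /Shibboleth.sso>
SetHandler shib
</Location>
<Location ~ /identity_provider/v3/auth/OS-FEDERATION/identity_providers/.*?/protocols/mapped/auth>
ShibRequestSetting requireSession 1
AuthType shibboleth
ShibExportAssertion Off
Require valid-user
</Location>
EOF
sudo service shibd restart
sudo a2enmod shib2

# Mapping rule: {0} is the first remote match (openstack_user); the second
# remote entry restricts login to exactly "another_demo_user". Written to a
# private temp file owned by this user rather than a fixed root-written
# path in world-writable /tmp.
MAPPING_FILE=$(mktemp)
cat << 'EOF' > "$MAPPING_FILE"
[
{
"local": [
{
"group": {
"domain": {
"name": "Default"
},
"name": "federated_users"
},
"user": {
"name": "{0}@VagrantServiceProvider"
}
}
],
"remote": [
{
"type": "openstack_user"
},
{
"type": "openstack_user",
"any_one_of": [
"another_demo_user"
]
}
]
}
]
EOF

# Horizon settings. grep -F matches the literal line; with a regex grep the
# brackets in ALLOWED_HOSTS form a character class, the line never matches
# itself and a copy is appended on every run.
export ENABLE_FED_MAN="OPENSTACK_KEYSTONE_FEDERATION_MANAGEMENT = True"
LOCAL_SETTINGS="/opt/stack/horizon/openstack_dashboard/local/local_settings.py"
grep -qF "$ENABLE_FED_MAN" "$LOCAL_SETTINGS" || echo "$ENABLE_FED_MAN" >> "$LOCAL_SETTINGS"
export ALLOWED_HOSTS_HACK="ALLOWED_HOSTS = ['192.168.50.8', ]"
grep -qF "$ALLOWED_HOSTS_HACK" "$LOCAL_SETTINGS" || echo "$ALLOWED_HOSTS_HACK" >> "$LOCAL_SETTINGS"
mkdir -p /etc/keystone/fernet-keys/
keystone-manage fernet_setup
sudo service apache2 restart

export IDENTITY_API_VERSION=3
. /opt/stack/devstack/openrc admin admin
# Deletes are best-effort cleanup for re-runs, hence set +e from here on.
set +e
# Try to delete stuff
openstack mapping delete mapping
openstack federation protocol delete --identity-provider VagrantIdentityProvider mapped
openstack identity provider delete VagrantIdentityProvider
# Create group and role assignments for every federated user
openstack group create federated_users --or-show
openstack role add --project demo --group federated_users Member
openstack role add --domain Default --group federated_users Member
openstack role add --project alt_demo --group federated_users Member
# Create identity provider, mapping, and protocol. --remote-id must equal the
# IdP's idp_entity_id and the SSO entityID in shibboleth2.xml above.
openstack identity provider create VagrantIdentityProvider --remote-id http://192.168.50.7/v3/OS_FEDERATION/saml2/idp
openstack mapping create --rules "$MAPPING_FILE" mapping
openstack federation protocol create --identity-provider VagrantIdentityProvider --mapping mapping mapped
rm -f "$MAPPING_FILE"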
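# -*- mode: ruby -*-
# vi: set ft=ruby :
#
# Two-VM Keystone-to-Keystone federation lab on a host-only VirtualBox
# network: vagrant_idp (192.168.50.7) becomes the SAML identity provider,
# vagrant_sp (192.168.50.8) the service provider. Both run install.sh first
# and then their own post-install script. The provisioners are run: "always",
# so every `vagrant up` re-runs them (the scripts are written to tolerate it).
#
# Sizing can be overridden without editing this file, e.g.
#   K2K_VM_MEMORY=4096 K2K_VM_CPUS=1 vagrant up
# Defaults are the original 6144 MB / 2 vCPUs per VM; see the README for the
# "no valid host was found" symptom of going too low.
vm_memory = ENV.fetch("K2K_VM_MEMORY", "6144")
vm_cpus = ENV.fetch("K2K_VM_CPUS", "2")

# name, private IP, second-stage provisioner -- order matters: the IdP must
# be provisioned before the SP fetches its metadata.
nodes = [
  ["vagrant_idp", "192.168.50.7", "idp-post-install.sh"],
  ["vagrant_sp", "192.168.50.8", "sp-post-install.sh"],
]

Vagrant.configure(2) do |config|
  nodes.each do |name, ip, post_install|
    config.vm.define name do |node|
      node.vm.box = "ubuntu/trusty64"
      node.vm.network "private_network", ip: ip
      node.vm.provider "virtualbox" do |vb|
        vb.gui = false
        vb.memory = vm_memory
        vb.cpus = vm_cpus
      end
      node.vm.provision "shell", path: "install.sh", privileged: false, run: "always"
      node.vm.provision "shell", path: post_install, privileged: false, run: "always"
    end
  end
end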