Hello @aalonsog,
we have the following setup, which introduces a problem related to the integration of PEP and PDP.
Our setup consists of one virtual machine with Ubuntu 14.04 which hosts only FIWARE GEs. Hosted are:
- a local instance of keystone + horizon
- the example oauth2 client from FIWARE
- a local PDP instance running on a local Tomcat server, where we created a new domain as well
- a local PEP instance which protects the google api as shown in the FIWARE video clip on youtube
The following procedure raises an error, but only when azf is enabled in the PEP configuration. In other words, basic authentication works fine, but the problem is in Level 2 authorization.
- the example oauth2 client from FIWARE is used to obtain an access token with the default idm credentials
- PEP is configured as follows:

```javascript
config.pep_port = 80;
// Set this var to undefined if you don't want the server to listen on HTTPS
config.https = {
  enabled: false,
  cert_file: 'cert/cert.crt',
  key_file: 'cert/key.key',
  port: 443
};
config.account_host = 'http://localhost';
config.keystone_host = '127.0.0.1';
config.keystone_port = 5000;
config.app_host = 'www.google.at';
config.app_port = '80';
// Use true if the app server listens in https
config.app_ssl = false;
// Credentials obtained when registering PEP Proxy in Account Portal
config.username = 'pep_proxy_59c493d755be48e3a88ef4693d45f86f';
config.password = '8507046e86f5402690bfdb2a882a41d4';
// in seconds
config.chache_time = 300;
//config.check_permissions = true;
// if enabled PEP checks permissions with AuthZForce GE.
// only compatible with oauth2 tokens engine
//
// you can use custom policy checks by including programmatic scripts
// in policies folder. A script template is included there
config.azf = {
  enabled: true,
  host: '127.0.0.1',
  port: 8080,
  path: '/authzforce-ce/domains/dLRIBstnEeWh6AAMKfwfVg/pdp',
  custom_policy: undefined // use undefined to default policy checks (HTTP verb + path).
};
// list of paths that will not check authentication/authorization
// example: ['/public/*', '/static/css/']
config.public_paths = [];
// options: oauth2/keystone
config.tokens_engine = 'oauth2';
config.magic_key = undefined;
```

- and curl is used to generate an HTTP request:

```shell
curl --header "X-Auth-Token:AXFZaEMe5LHdJ0unJUK5fHShrG9jxk" http://localhost
```
Upon sending the request above, PEP outputs the following error in the console:

```
2016-02-09 16:46:48.730 - INFO: Server - Starting PEP proxy in port 80. Keystone authentication ...
2016-02-09 16:46:48.838 - INFO: Server - Success authenticating PEP proxy. Proxy Auth-token: 37dfce4ba9394a0f9826a207b1dce11b
2016-02-09 16:46:57.513 - INFO: IDM-Client - Checking token with IDM...
2016-02-09 16:46:57.550 - INFO: AZF-Client - Checking auth with AZF...
2016-02-09 16:46:57.551 - INFO: AZF-Client - Checking authorization to roles [ 'provider_role' ] to do GET on and app cdcbdf2e94524524852aea1f6b16d1c4
2016-02-09 16:46:57.569 - ERROR: Server - Caught exception: Error: There are errors in your xml file: syntax error
```

and the Tomcat running the PDP outputs only the following information:

```
INFO: Error parsing HTTP request header
Note: further occurrences of HTTP header parsing errors will be logged at DEBUG level.
```
It could be that I am missing something in the configuration, but I have been struggling with this problem for 2 days. What is unclear to me is how the PDP obtains the roles and permissions defined for a specific user in keystone. Is there a link to configure between those two?
Thank you for any help on this topic.
Regards,
Domagoj
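The post above describes a PEP (Wilma) asking a PDP (AuthZForce) whether a set of roles may perform an HTTP verb on a path for a given application, and the AZF-Client log line shows exactly those four inputs. The following is an added example, not the Wilma PEP proxy's or AuthZForce's own code: it parses that log line back into its fields, validates them the way a defender would want before anything is sent to the PDP, and builds a XACML 3.0 Request document from them. The standard XACML category and attribute identifiers are real; `urn:example:resource:path` is a made-up attribute id for the request path, and the exact attribute layout Wilma uses is an assumption, not taken from the project.

```javascript
// Added example (not the Wilma PEP proxy's or AuthZForce's code). Shows the
// shape of a "HTTP verb + path" authorization check from PEP to PDP: inputs
// are validated, then turned into a XACML 3.0 Request. Standard XACML ids are
// real; 'urn:example:resource:path' is a made-up id used here for the path.

// The AZF-Client log line quoted in the post above (copied from the post).
const PEP_LOG_LINE =
  "2016-02-09 16:46:57.551 - INFO: AZF-Client - Checking authorization to roles " +
  "[ 'provider_role' ] to do GET on and app cdcbdf2e94524524852aea1f6b16d1c4";

const HTTP_VERBS = ['GET', 'HEAD', 'POST', 'PUT', 'PATCH', 'DELETE', 'OPTIONS'];
const XACML_NS = 'urn:oasis:names:tc:xacml:3.0:core:schema:wd-17';
const STRING_TYPE = 'http://www.w3.org/2001/XMLSchema#string';

// Pull roles, verb, resource path and app id back out of a PEP log line.
// Returns null when the line is not an authorization-check line.
function parsePepAuthzLine(line) {
  const m = /roles \[(.*?)\] to do (\S+) on\s*(.*?)\s*and app (\S+)/.exec(line);
  if (!m) return null;
  const roles = m[1]
    .split(',')
    .map((r) => r.trim().replace(/^'|'$/g, ''))
    .filter(Boolean);
  return { roles, verb: m[2], path: m[3], appId: m[4] };
}

// Check everything the PDP needs before a request is built.
// An empty list means the fields are complete.
function validateRequestFields({ roles, verb, path, appId }) {
  const problems = [];
  if (!Array.isArray(roles) || roles.length === 0) problems.push('no roles for subject');
  if (!HTTP_VERBS.includes(verb)) problems.push(`unexpected HTTP verb: ${verb}`);
  if (!path) problems.push('resource path is empty');
  if (!appId) problems.push('application id is empty');
  return problems;
}

// Escape the XML special characters so a caller-controlled path or role name
// can never break the structure of the request document.
function xmlEscape(value) {
  const map = { '<': '&lt;', '>': '&gt;', '&': '&amp;', '"': '&quot;', "'": '&apos;' };
  return String(value).replace(/[<>&"']/g, (c) => map[c]);
}

function attr(id, value) {
  return `<Attribute AttributeId="${id}" IncludeInResult="false">` +
    `<AttributeValue DataType="${STRING_TYPE}">${xmlEscape(value)}</AttributeValue>` +
    '</Attribute>';
}

// Build a XACML 3.0 Request: subject roles, resource (app id + path), action (verb).
// Refuses to build a document from incomplete fields instead of sending it.
function buildXacmlRequest(fields) {
  const problems = validateRequestFields(fields);
  if (problems.length > 0) {
    throw new Error('refusing to build PDP request: ' + problems.join('; '));
  }
  const { roles, verb, path, appId } = fields;
  const subject = roles
    .map((r) => attr('urn:oasis:names:tc:xacml:2.0:subject:role', r))
    .join('');
  return '<?xml version="1.0" encoding="UTF-8"?>' +
    `<Request xmlns="${XACML_NS}" CombinedDecision="false" ReturnPolicyIdList="false">` +
    '<Attributes Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject">' +
    subject + '</Attributes>' +
    '<Attributes Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource">' +
    attr('urn:oasis:names:tc:xacml:1.0:resource:resource-id', appId) +
    attr('urn:example:resource:path', path) + // made-up id, see lead-in
    '</Attributes>' +
    '<Attributes Category="urn:oasis:names:tc:xacml:3.0:attribute-category:action">' +
    attr('urn:oasis:names:tc:xacml:1.0:action:action-id', verb) +
    '</Attributes>' +
    '</Request>';
}

// Stand-alone run: report what the quoted log line would be turned into.
const parsedFromPost = parsePepAuthzLine(PEP_LOG_LINE);
console.log('fields from log line:', parsedFromPost);
console.log('problems:', validateRequestFields(parsedFromPost));
```

Run on the log line from the post, the validator reports that the resource path is empty, which is visible in the log text itself ("to do GET on and app ..."); with a non-empty path the same fields produce a well-formed Request with one `Attributes` element each for subject, resource and action.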